This repository has been archived by the owner on Aug 2, 2022. It is now read-only.


baseline security practices.md


Baseline organizational policies and practices

(that every group working in human rights should consider implementing)

Table of Contents

  1. Introduction
  2. Access policies
     2.1 Access to where you work
     2.2 Access to physical documents
     2.3 Access to devices
     2.4 Access to accounts
     2.5 Removing access to organizational assets upon departure
  3. Data management policies
     3.1 Backing-up data
     3.2 Travelling
     3.3 Deleting data
  4. Communications policies
     4.1 Practices
     4.2 Infrastructure
     4.3 Incident response
  5. Creating and maintaining an engaged organizational culture
     5.1 Update software on devices
     5.2 Create spaces for learning, assessing, adopting, adapting policies and practices
  6. Resources

1. Introduction

Organizations implement policies to help staff adopt practices that improve the effectiveness of the organization's work. This includes making staff feel safer in their work environment, and giving them the support and awareness to work more safely with their communities.

As individuals come to recognize how much some practices matter to the safety of their work, they also understand that their own security and safety depend on the practices of their colleagues and their broader network.

By providing baseline resources for the practices of organizations working in human rights, we hope to help organizations jumpstart the continuous process of discussing, assessing, and implementing new organizational practices.

All individuals, groups, and organizations should assess their work, needs, and practices. Some resources for assessing these needs are [listed here](/resources/1. introduction - assessing risks.md). Such an assessment highlights gaps in needs or practices and helps prioritize topics for focus and improvement.

This resource seeks to inform the post-assessment stage for a human rights group: which topics to consider for implementation, and the baseline practices within those topics to aim for, at minimum.

2. Access policies

2.1 Access to your place of work (such as an office or your home)

  • Set policies to manage entry and exit of visitors and staff
  • Lock doors and windows when appropriate (such as when all staff leave)
  • Report to other staff members anything strange in or around the place of work

2.2 Access to physical documents

  • Staff should manage their workspace to ensure no sensitive physical documents are available to visitors
    • locked file cabinets
    • paper shredder

2.3 Access to devices

  • wifi network

The organization's wifi should be dedicated to active staff of the organization. A guest network from the same router can be created to provide wifi access to visitors and other persons who are not staff. #link-to-SAFETAG

The wifi network should use WPA2, and its password should be a strong passphrase. #link-to-SAFETAG

  • computers, phones

All devices should have screen locks to prevent casual access to information and accounts stored on the devices. #link-to-how-to-enable-screenlock

All devices should have device encryption enabled to prevent more targeted access to information and accounts stored on the devices. #link-to-how-to-enable-device-encryption

Organization-provisioned hardware (computers, routers, phones) should be recorded.

If a device is confiscated

{}

If a device is lost/stolen

{}

2.4 Access to accounts

  • organizational accounts (web presence [website, social media])
  • password manager
  • delegate control (tweetdeck, FB pages)
  • two-factor authentication
  • secret questions
  • Personnel management onboarding/offboarding

2.5 Removing access to organizational assets upon departure

Departing staff must:

  • Return any keys for physical building access
  • Return any devices provisioned to them by the organization
  • Establish and inform points of contact among other staff for after their departure
  • Determine with their supervisor what information can and cannot be discussed about their work in future job interviews, etc.

Appropriate org staff must:

  • Disable the departing staff member's access to email/social media accounts and any other digital infrastructure (chat server, file server, etc.)
  • Change passwords and/or access codes this individual may have had access to
  • Share or discuss interim plans with other staff until there is a new hire

3. Data management policies

3.1 Back-up data

  • Data the organization depends on should be backed up at regular intervals. #link-to-how-to-backup

3.2 Travel

General staff policies and emergency planning

Travelling with data

Your devices and data are always at risk of being lost, stolen, or confiscated. When you are travelling across borders, are in unfamiliar regions, etc., the risk of this happening increases.

There are two strategies for protecting information, both in general and especially while travelling:

  • data minimization
  • encryption

Data minimization means you reduce the amount of sensitive information you are carrying with you, or your accounts have access to.

Encryption means protecting your device or data with an additional layer of access control.

3.3 Delete data securely

  • have a document shredder at your place of work

  • when to delete information

  • how to delete data securely
    • Windows #link-to-SIAB-delete
    • Mac #link-to-Mac-Secure-Trash
    • wiping computers in general

4. Communications policies

4.1 Practices

  • Provide staff with work accounts (email, chat, voice)

  • Don't use your work account for personal communication or vice versa

    • this can be difficult if your work is in your community
    • at minimum make sure that you still have personal space online where you do not feel watched, judged, or "branded" by the org you work for
  • change default FB sharing settings for posts and photos, create groups, require consent to be tagged in a post or photo

  • agree on more and less sensitive communications methods for staff

  • Do not share or open unsolicited attachments or links

  • fight the email deluge by agreeing on informative subject lines

  • enable HTTPS for your organization's website

    • at minimum, ensure that the log-in page for administrating the website has HTTPS enabled.

4.2 Infrastructure

  • know what organizations or companies provide you with your communication needs

  • all online communications channels used by staff should at minimum use transport layer security (TLS), whether Jabber/XMPP chat, IMAP/SMTP email or webmail, IRC chat, etc.

  • Ensure that staff access email accounts through HTTPS

  • Ensure that email provider uses STARTTLS
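
An added example (not part of the original document) that checks the two infrastructure items above: whether the mail server advertises STARTTLS, and whether the website completes a TLS handshake with a certificate that verifies. The host names and ports are assumptions to fill in; the sample EHLO replies are constructed so the parser can be tested offline.

```python
"""Checks for the transport-security baseline in section 4.2: does the mail
server advertise STARTTLS, and does the website complete a verified TLS
handshake?  Added example; not part of the original document."""
import smtplib
import socket
import ssl

def parse_ehlo_extensions(ehlo_message: bytes) -> set:
    """Turn smtplib's EHLO reply body into the set of advertised extensions.

    The reply is one line per extension, the first line being the server's
    greeting, e.g. b'mail.example.org\\nSIZE 10240000\\nSTARTTLS\\nAUTH PLAIN'.
    """
    lines = ehlo_message.decode("ascii", errors="replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}

def starttls_advertised(ehlo_message: bytes) -> bool:
    return "STARTTLS" in parse_ehlo_extensions(ehlo_message)

def check_smtp_starttls(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Live check: EHLO, then upgrade with certificate verification so that an
    invalid or self-signed certificate shows up as an error, not a pass."""
    result = {"host": host, "starttls": False, "cert_ok": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, message = smtp.ehlo()
            result["starttls"] = code == 250 and starttls_advertised(message)
            if result["starttls"]:
                smtp.starttls(context=ssl.create_default_context())
                result["cert_ok"] = True
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result

def check_https(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Live check: TLS handshake with certificate and hostname verification."""
    result = {"host": host, "https": False, "protocol": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                result["https"], result["protocol"] = True, tls.version()
    except (ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result

# Constructed EHLO replies for offline testing; real servers advertise more.
EHLO_WITH_STARTTLS = b"mail.example.org\nSIZE 10240000\nSTARTTLS\nAUTH PLAIN LOGIN"
EHLO_WITHOUT_STARTTLS = b"mail.example.org\nSIZE 10240000\nAUTH PLAIN LOGIN"
```

Run `check_smtp_starttls("mail.example.org")` and `check_https("www.example.org")` against your own provider's host names (placeholders here); a `cert_ok`/`https` of False with an error set means the channel does not meet the baseline.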

4.3 Incident response

{paste in policies from helpline}

5. Creating and Maintaining an Engaged Organizational Culture

5.1 Keep software up-to-date

  • this includes your devices' operating systems and the software you and your website use
    • provide internet access to your staff to download software or operating system updates if necessary
    • provide licenses for proprietary software if that software is required and a staff member does not have a license

5.2 Create spaces for learning, assessing, adapting policies and practices

{ space created }

6. Resources

Some existing resources on risk assessment frameworks include:

If you need assistance with assessing your group's needs and practices, feel free to contact: