Difference between revisions of "Digital security for organizations"

From DevSummit
Jump to navigation Jump to search
(Created page with "How does an org navigate digital security? The anatomy and roles of that process Why does an org start? - fear - motivation - justice Remember the CIA: - Confidentiality -...")
 
Line 2: Line 2:
  
 
Why does an org start?
 
Why does an org start?
 +
 
- fear
 
- fear
 +
 
- motivation
 
- motivation
 +
 
- justice
 
- justice
  
 
Remember the CIA:
 
Remember the CIA:
 +
 
- Confidentiality - keep the private stuff private
 
- Confidentiality - keep the private stuff private
- Integrity - has it been changed? hacked? corrupted?  
+
 
 +
- Integrity - has it been changed? hacked? corrupted?
 +
 
- Availability - keep it available to people who need it when they need it - stop the DDoSing
 
- Availability - keep it available to people who need it when they need it - stop the DDoSing
  
 
1. Grounding - Before starting, you must foment motivation to create digital security.
 
1. Grounding - Before starting, you must foment motivation to create digital security.
 
- takes the longest period of time
 
- takes the longest period of time
 +
 
- convincing leaders to prioritize security is the hardest and most important thing
 
- convincing leaders to prioritize security is the hardest and most important thing
 +
 
- lead by facilitators; role needs no special training
 
- lead by facilitators; role needs no special training
 +
 
- Why does an org start?
 
- Why does an org start?
 
   - fear
 
   - fear
Line 34: Line 43:
 
     - work with everyone to build awareness and buy-in around why security is important
 
     - work with everyone to build awareness and buy-in around why security is important
 
- facilitators can start and hold process
 
- facilitators can start and hold process
 +
 
- what does safety and security mean to you?
 
- what does safety and security mean to you?
 +
 
- data is at risk, not only from bad actors, but from natural disasters
 
- data is at risk, not only from bad actors, but from natural disasters
 +
 
- frame it as collaborative, rather than brought in by external experts
 
- frame it as collaborative, rather than brought in by external experts
  
 
2a. digital assessment - can happen concurrently with 2b
 
2a. digital assessment - can happen concurrently with 2b
 +
 
- how do you use tech?
 
- how do you use tech?
 
   - email
 
   - email
Line 50: Line 63:
  
 
2b. risk assessment
 
2b. risk assessment
 +
 
- also called threat modelling
 
- also called threat modelling
 +
 
- surveillance
 
- surveillance
 +
 
- doxxing
 
- doxxing
 +
 
- how likely is it that a bad actor will try?
 
- how likely is it that a bad actor will try?
 +
 
- how likely is it that a bad actor will succeed?
 
- how likely is it that a bad actor will succeed?
 +
 
- if a bad actor succeeds, what will the consequences be?
 
- if a bad actor succeeds, what will the consequences be?
  
 
3. analysis and recommendations
 
3. analysis and recommendations
 +
 
- hardening - tighten all the security screws
 
- hardening - tighten all the security screws
 +
 
- anti-doxxing training
 
- anti-doxxing training
 +
 
- remediation plans
 
- remediation plans
  
 
4. implementation and training
 
4. implementation and training
 +
 
- digital security trainings at this step
 
- digital security trainings at this step
  
 
5. and repeat
 
5. and repeat
 +
 
- think of how long it takes people to floss consistently. security is not a silver bullet; it’s a practice.
 
- think of how long it takes people to floss consistently. security is not a silver bullet; it’s a practice.
 +
 
- build towards sustainability
 
- build towards sustainability
 +
 
- think of it as data hygiene
 
- think of it as data hygiene
 +
 
- sometimes security changes, and you have to re-train
 
- sometimes security changes, and you have to re-train
 +
 
- build security and privacy into the culture, so it doesn’t feel like a strain
 
- build security and privacy into the culture, so it doesn’t feel like a strain
 +
 
- gamify
 
- gamify
 +
 
- levelup.cc
 
- levelup.cc
  
 
Practices:
 
Practices:
- https://ecl.gy/sec-check
+
 
 +
- [https://ecl.gy/sec-check]
 +
 
 
- readiness assessment tool
 
- readiness assessment tool
 
   - consistent tech support
 
   - consistent tech support
Line 84: Line 116:
 
   - ethical providers
 
   - ethical providers
 
- wireless safety checklist
 
- wireless safety checklist
 +
 
- password and authentication best practices checklist
 
- password and authentication best practices checklist
 +
 
- endpoint security checklist - devices
 
- endpoint security checklist - devices
 +
 
- GSuite checklist
 
- GSuite checklist
 +
 
- keep yr software and websites up to date
 
- keep yr software and websites up to date
 +
 
- little documentation reminders
 
- little documentation reminders
 +
 
- encourage orgs to allot more general operating funds
 
- encourage orgs to allot more general operating funds
 +
 
- most breaches are human, not technical
 
- most breaches are human, not technical
 
   - like password conventions
 
   - like password conventions
Line 95: Line 134:
 
   - or leaving your passwords written on post-its
 
   - or leaving your passwords written on post-its
 
- Twillio or GVoice to protect private phone numbers
 
- Twillio or GVoice to protect private phone numbers
 +
 
- just don’t use private phones! you want to own and control all data in your ecosystem, to wipe data from devices if they get lost or stolen
 
- just don’t use private phones! you want to own and control all data in your ecosystem, to wipe data from devices if they get lost or stolen

Revision as of 00:40, 17 November 2017

How does an org navigate digital security? The anatomy and roles of that process

Why does an org start?

- fear

- motivation

- justice

Remember the CIA:

- Confidentiality - keep the private stuff private

- Integrity - has it been changed? hacked? corrupted?

- Availability - keep it available to people who need it when they need it - stop the DDoSing

1. Grounding - Before starting, you must foment motivation to create digital security. - takes the longest period of time

- convincing leaders to prioritize security is the hardest and most important thing

- lead by facilitators; role needs no special training

- Why does an org start?

 - fear
 - motivation
 - justice

- harm reduction - many groups, especially marginalized groups, are already sensitive to this

 - not about eliminating threats, rather, about minimizing risk
 - best practices
 - reduce risk without compromizing values or overcommitting

- holistic security

 - digital security, border crossings, secure communication, protected archives, protection from physical threats
 - cataloguing all threats to a population and thinking about ways to reduce them
 - Holistic Security Manual
 - digital, physical, mental / emotional wellness

- everyone in the community and org are involved

 - when you lack full buy-in,
   - if at leadership level, you are stumped
   - if below leadership level, work with leaders to bring everyone in 
   - work with everyone to build awareness and buy-in around why security is important

- facilitators can start and hold process

- what does safety and security mean to you?

- data is at risk, not only from bad actors, but from natural disasters

- frame it as collaborative, rather than brought in by external experts

2a. digital assessment - can happen concurrently with 2b

- how do you use tech?

 - email
 - dropbox
 - slack
 - where is your data kept?
 - who has access?

- includes data privacy, but is not limited to

 - security is vs an external attack 
 - privacy is a function of internal workflow

2b. risk assessment

- also called threat modelling

- surveillance

- doxxing

- how likely is it that a bad actor will try?

- how likely is it that a bad actor will succeed?

- if a bad actor succeeds, what will the consequences be?

3. analysis and recommendations

- hardening - tighten all the security screws

- anti-doxxing training

- remediation plans

4. implementation and training

- digital security trainings at this step

5. and repeat

- think of how long it takes people to floss consistently. security is not a silver bullet; it’s a practice.

- build towards sustainability

- think of it as data hygiene

- sometimes security changes, and you have to re-train

- build security and privacy into the culture, so it doesn’t feel like a strain

- gamify

- levelup.cc

Practices:

- [1]

- readiness assessment tool

 - consistent tech support
 - build comfort around tech
 - build a culture of training and learning

- email safety checklist

 - encryption
 - ethical providers

- wireless safety checklist

- password and authentication best practices checklist

- endpoint security checklist - devices

- GSuite checklist

- keep yr software and websites up to date

- little documentation reminders

- encourage orgs to allot more general operating funds

- most breaches are human, not technical

 - like password conventions
 - or someone calling up, claiming to be a temp, and asking for a password reminder
 - or leaving your passwords written on post-its

- Twillio or GVoice to protect private phone numbers

- just don’t use private phones! you want to own and control all data in your ecosystem, to wipe data from devices if they get lost or stolen