Digital security for organizations
Latest revision as of 16:37, 17 November 2017
How does an org navigate digital security? The anatomy and roles of that process
Why does an org start?
- fear
- motivation
- justice
Remember the CIA:
- Confidentiality - keep the private stuff private
- Integrity - has it been changed? hacked? corrupted?
- Availability - keep it available to people who need it when they need it - stop the DDoSing
1. Grounding - Before starting, you must foment motivation to create digital security.
- takes the longest period of time
- convincing leaders to prioritize security is the hardest and most important thing
- lead by facilitators; role needs no special training
Why does an org start?
- fear
- motivation
- justice
harm reduction - many groups, especially marginalized groups, are already sensitive to this
- not about eliminating threats, rather, about minimizing risk
- best practices
- reduce risk without compromising values or overcommitting
- holistic security
- digital security, border crossings, secure communication, protected archives, protection from physical threats
- cataloguing all threats to a population and thinking about ways to reduce them
- Holistic Security Manual - digital, physical, mental / emotional wellness
- everyone in the community and org is involved
- when you lack full buy-in:
- if at leadership level, you are stumped
- if below leadership level, work with leaders to bring everyone in
- work with everyone to build awareness and buy-in around why security is important
- facilitators can start and hold process
- what does safety and security mean to you?
- data is at risk, not only from bad actors, but from natural disasters
- frame it as collaborative, rather than brought in by external experts
2a. digital assessment - can happen concurrently with 2b
- how do you use tech?
- email
- dropbox
- slack
- where is your data kept?
- who has access?
- includes data privacy, but is not limited to it
- security is vs an external attack
- privacy is a function of internal workflow
2b. risk assessment
- also called threat modelling
- surveillance
- doxxing
- how likely is it that a bad actor will try?
- how likely is it that a bad actor will succeed?
- if a bad actor succeeds, what will the consequences be?
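The three questions above (will they try, will they succeed, what happens if they do) plus the two from the digital assessment (where is the data, who has access) are enough to keep a small risk register. The script below is an added example, not part of the original notes: it scores each threat on a constructed 1 to 5 scale for each question, multiplies them into a risk score, ranks the list so the org sees where to put its limited time first, and flags assets where access has sprawled. Every asset, threat, person and score in it is constructed for illustration.

```python
"""Tiny risk register for the 2a/2b steps in the notes.

Added example, not from the original page. Scores are a constructed 1..5
scale; assets, threats and mitigations are invented to show the shape of
the exercise, not a real org's data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    """One item from the digital assessment (2a): where data is, who can reach it."""
    name: str
    location: str                       # e.g. "Google Drive", "office laptop" (constructed)
    who_has_access: list[str] = field(default_factory=list)


@dataclass
class Threat:
    """One line of the risk assessment (2b), answering the three questions."""
    name: str
    asset: Asset
    likelihood_try: int      # 1 (unlikely) .. 5 (near certain): will a bad actor try?
    likelihood_succeed: int  # 1 .. 5: if they try, will it work as things stand today?
    impact: int              # 1 .. 5: consequences if it works
    mitigation: str          # the hardening / training step that belongs in step 3

    def score(self) -> int:
        """Risk = try x succeed x impact; rejects values off the 1..5 scale."""
        for value in (self.likelihood_try, self.likelihood_succeed, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("scores must be 1..5")
        return self.likelihood_try * self.likelihood_succeed * self.impact


def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Highest risk first; ties broken by impact so severe outcomes surface."""
    return sorted(threats, key=lambda t: (t.score(), t.impact), reverse=True)


def too_many_hands(assets: list[Asset], limit: int = 3) -> list[str]:
    """Assets shared with more people than `limit`: a 'who has access?' prompt for 2a."""
    return [a.name for a in assets if len(a.who_has_access) > limit]


def build_example_register() -> tuple[list[Asset], list[Threat]]:
    """Constructed sample data; the threats mirror the ones the notes mention."""
    drive = Asset("member list", "Google Drive",
                  ["director", "organizer", "intern", "ex-volunteer"])
    phone = Asset("hotline number", "personal phone", ["organizer"])
    laptop = Asset("case files", "office laptop", ["director"])
    threats = [
        Threat("doxxing of organizer via hotline number", phone, 4, 4, 4,
               "route calls through a service number; never publish private phones"),
        Threat("password reset by phone social engineering", drive, 3, 4, 5,
               "written reset procedure; verify identity before any reset"),
        Threat("laptop lost or stolen", laptop, 3, 3, 5,
               "full-disk encryption and remote wipe on org-owned devices"),
        Threat("targeted surveillance of email", drive, 2, 2, 4,
               "encrypted provider; two-factor authentication on all accounts"),
    ]
    return [drive, phone, laptop], threats


if __name__ == "__main__":
    assets, threats = build_example_register()
    for t in rank_threats(threats):
        print(f"{t.score():3d}  {t.name}  ->  {t.mitigation}")
    print("access sprawl:", too_many_hands(assets))
```

The multiplication is deliberately crude; what matters is that the three questions get answered per threat and that the ranked list, not gut feeling, drives which hardening and training steps come first when the cycle repeats.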
3. analysis and recommendations
- hardening - tighten all the security screws
- anti-doxxing training
- remediation plans
4. implementation and training
- digital security trainings at this step
5. and repeat
- think of how long it takes people to floss consistently. security is not a silver bullet; it’s a practice.
- build towards sustainability
- think of it as data hygiene
- sometimes security changes, and you have to re-train
- build security and privacy into the culture, so it doesn’t feel like a strain
- gamify
- levelup.cc
Practices:
- https://ecl.gy/sec-check
- readiness assessment tool
- consistent tech support
- build comfort around tech
- build a culture of training and learning
- email safety checklist
- encryption
- ethical providers
- wireless safety checklist
- password and authentication best practices checklist
- endpoint security checklist - devices
- GSuite checklist
- keep your software and websites up to date
- little documentation reminders
- encourage orgs to allot more general operating funds
- most breaches are human, not technical
- like password conventions
- or someone calling up, claiming to be a temp, and asking for a password reminder
- or leaving your passwords written on post-its
- Twilio or GVoice to protect private phone numbers
- just don’t use private phones! you want to own and control all data in your ecosystem, to wipe data from devices if they get lost or stolen