Difference between revisions of "Digital security for organizations"

From DevSummit
Latest revision as of 16:37, 17 November 2017

How does an org navigate digital security? The anatomy and roles of that process

Why does an org start?

- fear

- motivation

- justice

Remember the CIA triad:

- Confidentiality - keep the private stuff private

- Integrity - has it been changed? hacked? corrupted?

- Availability - keep it available to people who need it when they need it - stop the DDoSing

1. Grounding - Before starting, you must foment motivation to create digital security.

- takes the longest period of time

- convincing leaders to prioritize security is the hardest and most important thing

- led by facilitators; the role needs no special training

Why does an org start?

 - fear
 - motivation
 - justice

harm reduction - many groups, especially marginalized groups, are already sensitive to this

 - not about eliminating threats, rather, about minimizing risk
 - best practices
 - reduce risk without compromising values or overcommitting

- holistic security

 - digital security, border crossings, secure communication, protected archives, protection from physical threats
 - cataloguing all threats to a population and thinking about ways to reduce them
 - Holistic Security Manual
 - digital, physical, mental / emotional wellness

- everyone in the community and org are involved

 - when you lack full buy-in,
   - if at leadership level, you are stumped
   - if below leadership level, work with leaders to bring everyone in 
   - work with everyone to build awareness and buy-in around why security is important

- facilitators can start and hold process

- what does safety and security mean to you?

- data is at risk, not only from bad actors, but from natural disasters

- frame it as collaborative, rather than brought in by external experts

2a. digital assessment - can happen concurrently with 2b

- how do you use tech?

 - email
 - dropbox
 - slack
 - where is your data kept?
 - who has access?

- includes data privacy, but is not limited to

 - security is about defending against an external attacker
 - privacy is a function of internal workflow (who inside the org sees what)

2b. risk assessment

- also called threat modelling

- surveillance

- doxxing

- how likely is it that a bad actor will try?

- how likely is it that a bad actor will succeed?

- if a bad actor succeeds, what will the consequences be?
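The three questions above are the whole of a lightweight risk assessment, and they are easiest to take seriously when written down as a worksheet and scored. The following is an added example (not from the original session notes, and not from any of the tools linked on this page) of such a worksheet in Python: each threat gets the three answers, each candidate mitigation is recorded as the factor by which it shrinks the chance of success, and the script ranks residual risk and greedily picks the remediation steps that remove the most risk first. The threat names, probabilities, impacts and mitigation factors are constructed, illustrative assumptions for a hypothetical organization; a real assessment fills them in with the staff during step 2b.

```python
from dataclasses import dataclass, field


@dataclass
class Threat:
    """One row of the risk-assessment worksheet, following the three
    questions: will they try, will they succeed, what does it cost."""
    name: str
    p_attempt: float   # likelihood someone (or something) tries, 0..1
    p_success: float   # likelihood the attempt succeeds against current practice, 0..1
    impact: int        # consequence if it succeeds, 1 (nuisance) .. 5 (existential)
    # mitigation name -> factor by which it multiplies p_success
    # (0.1 means the measure cuts the chance of success by 90%)
    mitigations: dict = field(default_factory=dict)

    def risk(self, applied=frozenset()):
        """Expected harm: attempt likelihood x success likelihood x impact,
        with the chosen mitigations applied to the success likelihood."""
        p = self.p_success
        for m in self.mitigations.keys() & set(applied):
            p *= self.mitigations[m]
        return self.p_attempt * p * self.impact


# Constructed, illustrative numbers for a hypothetical advocacy organization.
THREATS = [
    Threat("surveillance of email", 0.8, 0.6, 4,
           {"email encryption": 0.3, "ethical provider": 0.7}),
    Threat("doxxing of staff", 0.5, 0.7, 3,
           {"anti-doxxing training": 0.4, "scrub public records": 0.6}),
    Threat("lost or stolen laptop", 0.6, 0.9, 4,
           {"full-disk encryption": 0.1, "remote wipe": 0.5}),
    # No bad actor here: p_attempt is simply the chance of the event happening.
    Threat("office flood destroys archive", 0.1, 1.0, 5,
           {"offsite backups": 0.1}),
]


def rank_threats(threats, applied=frozenset()):
    """Threats with the highest residual risk first, given the mitigations
    already in place. Returns (name, score) pairs, scores rounded to 3 places."""
    return sorted(((t.name, round(t.risk(applied), 3)) for t in threats),
                  key=lambda row: row[1], reverse=True)


def total_risk(threats, applied=frozenset()):
    return sum(t.risk(applied) for t in threats)


def recommend(threats, budget, applied=frozenset()):
    """Greedy remediation plan: repeatedly pick the single mitigation that
    removes the most total risk, until `budget` measures have been chosen.
    Returns (mitigation, risk removed) pairs in the order to tackle them."""
    chosen = set(applied)
    plan = []
    for _ in range(budget):
        candidates = {m for t in threats for m in t.mitigations} - chosen
        if not candidates:
            break
        base = total_risk(threats, chosen)
        best = max(candidates,
                   key=lambda m: base - total_risk(threats, chosen | {m}))
        plan.append((best, round(base - total_risk(threats, chosen | {best}), 3)))
        chosen.add(best)
    return plan


if __name__ == "__main__":
    print("residual risk, highest first:")
    for name, score in rank_threats(THREATS):
        print(f"  {score:5.2f}  {name}")
    print("recommended next three measures:")
    for measure, removed in recommend(THREATS, 3):
        print(f"  {measure} (removes {removed} of total risk)")
```

Two things the worksheet makes visible that the questions alone do not: the flood scores lowest even though its impact is the highest, because its likelihood is low and it is certain to "succeed"; and the greedy plan picks full-disk encryption before email encryption not because laptops matter more than email, but because that single measure removes more expected harm. When the numbers come from the people in the room rather than from a template, the ranking is something leadership can argue with, which is the point of step 3.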

3. analysis and recommendations

- hardening - tighten all the security screws

- anti-doxxing training

- remediation plans

4. implementation and training

- digital security trainings at this step

5. and repeat

- think of how long it takes people to floss consistently. security is not a silver bullet; it’s a practice.

- build towards sustainability

- think of it as data hygiene

- sometimes security changes, and you have to re-train

- build security and privacy into the culture, so it doesn’t feel like a strain

- gamify

- levelup.cc

Practices:

- readiness assessment tool

 - consistent tech support
 - build comfort around tech
 - build a culture of training and learning

- email safety checklist

 - encryption
 - ethical providers

- wireless safety checklist

- password and authentication best practices checklist

- endpoint security checklist - devices

- GSuite checklist

- keep your software and websites up to date

- little documentation reminders

- encourage orgs to allot more general operating funds

- most breaches are human, not technical

 - like password conventions
 - or someone calling up, claiming to be a temp, and asking for a password reminder
 - or leaving your passwords written on post-its

- Twilio or Google Voice numbers to protect private phone numbers

- better still, don’t use private phones for org work at all: you want to own and control every device that holds your data, so that you can wipe it if the device is lost or stolen