Digital Security For Humans
Revision as of 21:45, 22 November 2016 by Willowbl00 (talk | contribs)
Project: Weathering The Storm
“Security Checklists” on github
Includes:
- Readiness checklist
- Email safety
- Authentication checklist
- Public wireless
Weakness of these checklists: they make assumptions about the audience's threat models, context, etc. For these notes we accept the common threat model across our orgs (described below).
Use case profile: movement-building org operating domestically in the US
Threat: generalized, non-targeted attacks (phishing, malware on websites)
READINESS CHECKLIST
It's really important that orgs have some basic pieces in place. Here's a list.
- baseline IT support is a security necessity, and funders need to know this so that they can provide some support to these orgs
- How do orgs get the tech support they need? In-house versus an outside org working with them on an ongoing basis.
- there are orgs who provide this kind of support. Is there a list of these kinds of orgs? What are the entry requirements for these resources?
- Palante
- civicactions
- matchmaking can be really helpful in this space
- “tech underground” in the bay area
- list of trusted service providers
- Needs regarding basic tech support for orgs in this space:
- questions to ask tech service providers
- list of trusted tech service support providers to ask for help
- Physical security of offices:
- How do you balance openness with protecting data?
- One approach is framing security as solidarity: the data we hold represents the people we are working with and for, so the reason we protect our office is solidarity with those people.
Additional advice regarding readiness:
- Is there trust? Are they ready to communicate about this stuff within the org? (grievances and reporting challenges)
- Have a champion within the org that can help support the process.
- Should challenges go to the internal champion or go to the outside expert?
How do orgs enforce these practices/policies?
- If your team isn't following the practices, that's a sign that the training didn't work. Team members need to commit to each other that they will use these practices.
- Buy-in is super important and takes time.
- Do you worry about security? We want to help you feel better about … accessing the internet using wifi, so we want to empower you all to use a VPN.
- Make it personal: these practices are in line with their values! You want to protect the data and the people you're working with/for!
But how do you know if your staff is actually using the tools?
- You could control their computers, but that's kinda icky.