Digital security for organizations

From DevSummit
Revision as of 00:36, 17 November 2017 by Josh

How does an org navigate digital security? The anatomy and roles of that process

Why does an org start?
 - fear
 - motivation
 - justice

Remember the CIA triad:
 - Confidentiality - keep the private stuff private
 - Integrity - has it been changed? hacked? corrupted?
 - Availability - keep it available to the people who need it, when they need it; stop the DDoSing

1. Grounding
- Before starting, you must foment motivation to create digital security.
- takes the longest period of time
- convincing leaders to prioritize security is the hardest and most important thing
- led by facilitators; the role needs no special training
- Why does an org start?
 - fear
 - motivation
 - justice

- harm reduction - many groups, especially marginalized groups, are already sensitive to this

 - not about eliminating threats, rather, about minimizing risk
 - best practices
 - reduce risk without compromising values or overcommitting

- holistic security

 - digital security, border crossings, secure communication, protected archives, protection from physical threats
 - cataloguing all threats to a population and thinking about ways to reduce them
 - Holistic Security Manual
 - digital, physical, mental / emotional wellness

- everyone in the community and org is involved

 - when you lack full buy-in,
   - if at leadership level, you are stumped
   - if below leadership level, work with leaders to bring everyone in
   - work with everyone to build awareness and buy-in around why security is important

- facilitators can start and hold the process
 - what does safety and security mean to you?
 - data is at risk not only from bad actors, but from natural disasters
 - frame it as collaborative, rather than brought in by external experts

2a. Digital assessment
- can happen concurrently with 2b
- how do you use tech?

 - email
 - dropbox
 - slack
 - where is your data kept?
 - who has access?

- includes data privacy, but is not limited to it

 - security is about defending against an external attack
 - privacy is a function of internal workflow

2b. Risk assessment
- also called threat modelling
- e.g. surveillance, doxxing
- how likely is it that a bad actor will try?
- how likely is it that a bad actor will succeed?
- if a bad actor succeeds, what will the consequences be?
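
A worked example of the three risk-assessment questions, added here and not part of the session notes: each threat gets a likelihood of attempt, a likelihood of success and a consequence score, the product gives a remediation order, and a hardening step lowers only the likelihood of success (harm reduction minimizes risk; it does not make an attacker less likely to try). The scenarios, scores and controls are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Threat:
    """One row of a risk assessment, scored with the three 2b questions."""
    name: str
    p_attempt: float  # how likely is it that a bad actor will try? (0..1)
    p_success: float  # how likely is it that a bad actor will succeed? (0..1)
    impact: int       # if they succeed, what will the consequences be? (1 minor .. 5 severe)

    def risk(self) -> float:
        """Expected harm, rounded so ranking and reporting are stable."""
        return round(self.p_attempt * self.p_success * self.impact, 3)

def rank_threats(threats):
    """Highest expected harm first: this is the remediation order for step 3."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)

def apply_controls(threats, controls):
    """Residual risk after hardening. Only p_success changes: a control does not
    make an attacker less likely to try, it makes them less likely to succeed."""
    return [replace(t, p_success=min(t.p_success, controls[t.name]))
            if t.name in controls else t for t in threats]

def report(threats, controls):
    """(name, risk) pairs before and after controls, worst first."""
    before = [(t.name, t.risk()) for t in rank_threats(threats)]
    after = [(t.name, t.risk()) for t in rank_threats(apply_controls(threats, controls))]
    return before, after

# Constructed scenarios for a small advocacy org; the numbers are illustrative only.
SCENARIOS = [
    Threat("surveillance", 0.5, 0.8, 5),  # state actor reading unencrypted email
    Threat("doxxing", 0.6, 0.7, 4),       # staff home addresses published
    Threat("lost laptop", 0.3, 0.9, 4),   # unencrypted device lost or stolen
    Threat("ddos", 0.4, 0.5, 2),          # public website knocked offline
]

# Hardening steps from the analysis step, as threat name -> new p_success.
CONTROLS = {
    "surveillance": 0.3,  # end-to-end encrypted email
    "lost laptop": 0.2,   # full-disk encryption plus remote wipe
}

if __name__ == "__main__":
    for label, rows in zip(("before", "after"), report(SCENARIOS, CONTROLS)):
        print(label, rows)
```

Doxxing ends up at the top of the residual list because no control addressed it, which is exactly the gap the analysis step should surface.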

3. Analysis and recommendations
- hardening - tighten all the security screws
- anti-doxxing training
- remediation plans

4. Implementation and training
- digital security trainings happen at this step

5. And repeat
- think of how long it takes people to floss consistently. Security is not a silver bullet; it's a practice.
- build towards sustainability
- think of it as data hygiene
- sometimes security changes, and you have to re-train
- build security and privacy into the culture, so it doesn't feel like a strain
- gamify

Practices:
- readiness assessment tool

 - consistent tech support
 - build comfort around tech
 - build a culture of training and learning

- email safety checklist

 - encryption
 - ethical providers

- wireless safety checklist
- password and authentication best practices checklist
- endpoint security checklist (devices)
- GSuite checklist
- keep your software and websites up to date
- little documentation reminders
- encourage orgs to allot more general operating funds
- most breaches are human, not technical

 - like password conventions
 - or someone calling up, claiming to be a temp, and asking for a password reminder
 - or leaving your passwords written on post-its

- Twilio or GVoice to protect private phone numbers
- just don't use private phones! You want to own and control all data in your ecosystem, so you can wipe data from devices if they get lost or stolen