Organizational security assessment best practices

From DevSummit
Jump to: navigation, search

Remote Organizational Security Assessment Best Practices (Beatrice / Jonah)

Best Practices

  • use accessible language; ditch the lingo
  • Practical 360• passwords up and down the line
  • Be specific enough to be actionable, general enough for people's experience to be validated
  • Some way to map ALL connections between linked accounts +1+1
  • Have (at least) two types of assessment workflows (and consequently report templates) – a lightweight one, more digestible for the client and also great to build relationship, and a more in-depth one for clients who have time and capacity to go deeper (also, in case they are particularly at risk)(match the process to their desired outcomes)
  • Some way to address obvious personal information on the net (it takes 5 seconds to find virtually anyone)
  • Code review/config review for infrastructure changes
  • Cross-training -- ensure multiple people have knowledge and access to the system, processes +1+1
  • Look at staffing -- even orgs with external service providers need a tech responsible person +1 (either on staff or contractor – still needed!)(and also engage leadership when you can. leaders should be tech responsible at least strategy wise)
  • Use basic practices as a path into important conversations
  • conversations about needs/concerns with variety of org participants+10000000 - not just the tech people!
  • Structure the recommendations in the assessment report in High, Medium, and Low priority+1
  • Give recommendations with person hours, technical skill requirements and budget estimates
  • ideally having roadmap of when and how you will be done with an assessment and how to incorporate iterative/follow ups needed later
  • Propose a lightweight digital security assessment also when we receive a request for training – as a pre-training engagement. Great tool to prioritize focus items for the training (there might be gaps that could be helpfully addressed and the client maybe did not think of)
  • Tracking security flaws across all devices and services (ie all the ways in which your network is accessible and inaccessible, meaning, easy to get to here, but not there, in practical terms) +1000
  • Use visualizations+1 especially around tradeoffs
  • offer fundable language to support fundraising
  • build the security muscle – with the smaller weights (more reachable recommendations)
  • provide templates! visual ones
  • People > Processes > Technology
  • helping with sharing resources, check lists, documentations (e.g. https://communitydocs.accessnow.org/ feedback and edits welcome!)
  • having on git

Challenges

  • Practical Password Management (everyone I have talked to is defaulting to LastPass) +1
  • different types and levels of technical expertises
  • technical debt +1
  • gaps in institutional history
  • resources to actually implement changes needed
  • google google google (many do not know other worlds beyond/without google)
  • security not as political concern
  • finding a scope that has space for intersecting risk areas like physical security but doesn't get us out of our main process/outcomes
  • the collaborative document dillema - how do we recommend *something* that isn't google docs
  • how do we ensure sustained follow-ups to measure follow-through
  • lack of technical capacity internally makes all recommendations die on the vine+1
  • Tracking security flaws across all devices and services (ie all the ways in which your network is accessible and inaccessible, meaning, easy to get to here, but not there, in practical terms)+1
  • How to prioritize areas of assessment and recommendations for resource constrained orgs+1
  • Communicating any of this to anyone without their eyes rolling and heads spinning (the practial bandwidth-to-complexity issue)
  • we are having to track a dynamic situation in a small engagement and distill it. That's a load.
  • How to build the trust when working with an organization remotely?

what's different about in person assessment vs remote org;

  • the social element of security
  • how to track/confront communcations breakdowns and power dynamics in an organization at a distance?
  • infrastructure vs behavior? People-Process-Tech, in that order
  • is there are shared set of systems and practices that the org uses; are there siloed spaces create risks and stagnate ability to move forward
  • people processes technology