How-to

Posted 12 September, 2014 by Kristin Antin

New staff joining your organization? Start them off right with a straightforward security checklist


Over the past year we’ve been wrapping our heads around a big, thorny problem in using data and technology to advocate for change. How can data be used effectively AND responsibly? Is it possible to achieve both? We think so.

We’ve learned a lot from our work with advocacy projects facing responsible data challenges and those who have overcome them. We’ve also tried, when possible, to develop bite-sized resources that could be immediately useful for projects ready to tackle these challenges. This is the story of the collaboratively-developed, bite-sized checklist that we hope you’ll find useful.

But first, how did we come to put it together, and who helped out?

At the end of July, we (Alix and Kristin, the engine room’s new community catalyst) attended the “People & Tech: Civic Action in Restrictive Spaces” workshop in DC. There, we had the opportunity to brainstorm with a group of practitioners on an approach to a common responsible data challenge: where to start with digital security when you get new staff members. We worked with Jon Camfield from Internews, Valerie Oliphant from FrontlineSMS and others to plan out the best way to approach the problem, and tried to strip it to its bare minimum (read: ignore phones, sidestep step-by-step installation instructions, and offer cake at the end). The checklist below is what we came up with. Feel free to use it, adapt it, and/or help make it better by adding your questions, suggestions and ideas in the comments section below!

Imagine this use-case scenario: a new employee brings in a personal computer running a pirated copy of Windows XP, and uses Yahoo email and social media. It is not a good idea to give them an email address for organizational work until you get a few things ironed out. Where to start:

  1. Operating system: Determine whether the computer has a legal operating system. If not, install one (licensed or open source). Also: discuss backups and other installed programs before changing the operating system.
  2. Strong passwords: Learn how to (and why it is important to) create a strong password or passphrase. See Front Line Defenders’ and Tactical Tech’s Security in a Box: How to create and maintain secure passwords.
  3. Full disk encryption: Enable full disk encryption to protect data against someone gaining unauthorized access to the computer. Also: give the user a clear policy and software choice here.
  4. Anti-virus software: Determine whether the computer has anti-virus software running (see how to find your Windows anti-virus; Mac and Linux do not come with anti-virus pre-installed). If not, install the one recommended by the organization (consider using Avast, a free open source anti-virus option). If an anti-virus other than the one recommended by the organization is already installed, uninstall it and install the recommended one. You should only have one anti-virus running!
  5. Software updates: Ensure that the operating system and the anti-virus software are up to date, and discuss the process for ongoing updates.
  6. Internal networks: Some organizations have strictly managed internal networks. If yours is one of those (you probably use something like LDAP), be sure to get your new staff member up to speed on how to play by the rules with your internal network.
  7. Install additional software: Install the software the organization requires (e.g. office suite, chat, web browser…?).
  8. You’ve made it this far? Congrats! You can get an org email! Take a break and go to step eleven!
  9. Revisit strong passwords: Set up account passwords following best practices: use a different password for each account, and keep passwords in a password management tool (such as KeePassX).
  10. Bonus step: Practice with KeePassX by adding at least 3 passwords and using them! (And while you’re at it, disable any browser password management tools.)
  11. CAKE – EAT CAKE!!!

Please Advise. This cake is not edible.
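One way to check the technical items on this list against a Linux laptop, as an added example (not the engine room’s own tooling) that also covers the privilege-control point raised in the comments below. It assumes a Debian-style apt system, ClamAV/Avast process names for the anti-virus check, and a 16-character passphrase floor; every check takes command output as text, so it runs live or against captured samples.

```shell
#!/bin/sh
# Audit a Linux laptop against the onboarding checklist above (added example,
# not the engine room's own tooling). Each check takes command output as text,
# so it runs live or against captured samples. Names marked "assumed" are mine.

# Steps 2 and 9: passphrase policy (assumed: 16+ characters, 2+ classes).
passphrase_ok() {
  p=$1; n=0
  [ "${#p}" -ge 16 ] || return 1
  case $p in *[a-z]*) n=$((n+1));; esac
  case $p in *[A-Z]*) n=$((n+1));; esac
  case $p in *[0-9]*) n=$((n+1));; esac
  case $p in *[!a-zA-Z0-9]*) n=$((n+1));; esac   # space, punctuation
  [ "$n" -ge 2 ]
}

# Step 3: given `lsblk -rsno TYPE "$(findmnt -no SOURCE /)"` (the root
# filesystem's device and every layer beneath it), pass when one layer is
# a dm-crypt mapping, i.e. the root filesystem is encrypted.
root_on_crypt() { printf '%s\n' "$1" | grep -qx crypt; }

# Step 4: given `ps -eo comm=`, count running AV engines; the checklist
# wants exactly one. Engine process names are assumed.
av_count() { printf '%s\n' "$1" | grep -cxE 'clamd|avast' || true; }

# Step 5: given `apt list --upgradable 2>/dev/null`, count pending updates.
pending_updates() { printf '%s\n' "$1" | grep -c 'upgradable from' || true; }

# Privilege control (raised in the comments): given `id -G`, pass when the
# everyday login account is not a member of group 0.
not_in_group0() {
  for g in $1; do [ "$g" -eq 0 ] && return 1; done
  return 0
}

report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }

# Live run: sh audit.sh --run (needs lsblk, findmnt, ps, apt and id).
audit() {
  report root_on_crypt "$(lsblk -rsno TYPE "$(findmnt -no SOURCE /)")"
  report not_in_group0 "$(id -G)"
  n=$(av_count "$(ps -eo comm=)")
  [ "$n" -eq 1 ] && echo "PASS: $n anti-virus engine" || echo "FAIL: $n anti-virus engines"
  echo "INFO: $(pending_updates "$(apt list --upgradable 2>/dev/null)") pending updates"
}
if [ "${1:-}" = "--run" ]; then audit; fi
```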

Are you struggling with responsible data challenges and/or have found ways to overcome them? Join us in Budapest September 30 and October 1 for the Responsible Data Forum resource sprint to tackle these challenges together and build resources for advocacy groups.

6 thoughts on “New staff joining your organization? Start them off right with a straightforward security checklist”

Anton says:

On passwords, this source also covers the topic quite well: https://ssd.eff.org/en/module/creating-strong-passwords. Do not forget XKCD – https://xkcd.com/936/

Anton says:

On antivirus, it is good to add a Free AVG suggestion and an anti-malware monitoring solution (Spybot or Malwarebytes).

Anton says:

On updates – it’s good to suggest a tool that helps the user keep all important/sensitive software up to date (e.g. Secunia PSI, or maybe R-Studio for Windows).

Anton says:

Also, I think you need to add a topic about privilege control (avoid working as a group 0 member on Linux, and avoid using the Admin role for the username you regularly work under).

Anton says:

In addition to passwords, if we can talk about the auth process, especially for external services – 2FA is strongly required imho. It is, at least, important to have users aware and informed about this.

ali says:

Can’t help but +1 (ditto, or other less gen-x ways to reinforce your mention of) KeePassX being invaluable for safekeeping passwords (and other private stuff).
And it’s cross-platform…
