In our last post about organizational security, we mentioned that we are producing, refining, and using resources as we work to provide support. We also use resources that other support organizations have put together. This post puts all of that together in one place.
In our work supporting the development of effective organizational security policies, we have found it useful to begin by engaging the staff in a survey. This survey is meant to capture an overview of how staff of an organization use technology.
We find surveys particularly useful in this process because:
- They create a baseline for how staff are currently using technology
- They help us craft relevant interviews with staff
- The results help us accurately scope the recommendations we make to the organization
- The results can easily be shared with an organization’s management, giving them information they have likely never collected about what technology their staff are using
Here is a link to the initial survey we use with organizations, and here is a link to a survey that Equalit.ie uses.
We’ve been collecting, making, and refining a set of checklists we call an atomized security plan for organizations. You can also fork or download all the checklists and spreadsheets from GitHub.
These checklists attempt to list all of the possible information security steps an organization can take to protect itself. They break these steps into the smallest atoms of action required to complete them. The goal is to support security trainers in producing an easy-to-use action plan for organizations that is customized and clear.
We use these checklists to clarify what is required for different recommendations, based on the results of the survey and other discussions with staff.
Terms of Reference
To give you a sense of how we have approached the process, we are providing our sample terms of reference for organizational security support. This document helps both parties, ourselves and the organization we are supporting, set expectations up front.
Guides and Processes
- Front Line Defenders’ and Tactical Technology Collective’s Security in a Box
- Internews’ SAFETAG is a curriculum, a methodology, and a framework for security auditors working with advocacy groups.
- Front Line Defenders’ Protection Manual
- Surveillance Self-Defense (SSD) by Electronic Frontier Foundation is a guide to protecting yourself from electronic surveillance.
- If you’re interested in threat modeling, you could take a look at EFF’s Introduction to Threat Modeling in the SSD, and the Threat Exercises described in the Integrated Security Manual by Kvinna till Kvinna
What resources have you found useful as you develop your organizational security policies? Where are the gaps (what resources do you wish existed)? What resources are currently being developed? What challenges and questions have you come across related to organizational security?
Add your experiences, questions, ideas and resources in the comments below!