Over the past years, one of the topics we see taking over the agenda of the civic space security field is the creation of organizational security policies that help NGOs, media outlets, collectives, and other groups design and institutionalize their security controls and protocols, and sustain these efforts over time. Given common challenges like high staff turnover, which is usual globally, security interventions and their quality can be better justified, and their effects can be longer-lasting, maximizing the impact of the activities we conduct in projects like our own GIF project.
Specifically for organizational security policies, amazing projects like SOAP, the Cybersecurity Assessment Tool, and the revamped version of Security Planner are very useful tools to start diving into building digital security policies for civil society organizations. That said, we want to highlight that every organization has its nuances that will impact the policy-building process, making it hard (and even counterproductive) to apply a one-size-fits-all approach by recommending the same policies to every group we run into. Considering this, we prefer to use tools like the ones described above as starting points to look into the right things to shape tailored policies that will offer a good balance between the organization’s security and the successful implementation of their unique processes, which proves to be more relevant and actionable for them than settling with more general templates and checklists.
Discussing this topic on our GIF digital security monthly call, where we invite our current and former partners, we decided to brainstorm on those aspects that we always look at when supporting organizations building digital security policies so we can have the list at hand to double-check or complement with existing resources to streamline the process a bit more. In this discussion, many GIF representatives participated in the brainstorming session, including Musa Sani from Co-creation Hub (Our Regional Partner for West and Central Africa), Prapasiri “Nan” Suttisome from EngageMedia (Our Regional Partner for South and Southeast Asia), Sanjina Kshetri from Digital Rights Nepal, Anton Muhajir from SAFEnet (Indonesia), Zia Kandler and Pilar Sáenz from Fundación Karisma (Colombia), Guillermo Movia from Fundación InternetBolivia, Robert Todoroski from North Macedonia, and Carlos Guerra, Caroline Thee, and Natalie Lumumba from Internews, among others.
For this exercise, we proposed some scenarios we can cover in organizational security policies. For each scenario, we brainstormed which aspects should be considered or frequently encountered by the participants. Please look at the following list as a series of questions you might ask yourself if they apply to your case. Remember that each organization is unique, and you might see a different landscape than the participants of this activity for your specific country, community, cultural context, etc.
Protecting physical spaces
- Day-to-day operation in offices
  - Does/should the office have an alarm?
  - Are there good locks?
  - When leaving the office, are doors and windows always closed?
  - Are there agreements around day-to-day security routines for the staff to follow?
  - Are sensitive documents securely destroyed when they are no longer needed? (This might be included in a data retention policy, even when it covers physical information.)
  - If the organization has physical servers, are there clear policies regarding who has physical access to the server room or the space containing the server?
- Day-to-day operations working from home
  - For specific people, is it necessary to put the router in a safe place/room? (This might apply to those at very high risk and with little control over who can physically access the space they connect from.)
  - Are there benefits from hosting a storage solution on a centralized server to avoid keeping work files on devices at home?
  - Are there benefits from using VPNs to access work-related assets?
  - Are there policies covering locking devices when unattended?
- In case of operating in places with high criminality
  - Is there an agreement on not working in certain places after a specific hour?
  - Do the physical offices have a Closed-circuit TV (CCTV) camera system? This point is controversial in the community, so regardless of your position, please never suggest surveillance camera use in a way that can harm the rights of the staff and visitors, like recording workstations and private spaces or not getting consent to run this kind of system.
  - Are there agreements or guidance on secure travel, like changing routes to/from the office or beneficiary locations to avoid being targeted?
  - Are there controlled spaces to have open and honest conversations around risks/fears and agreements for specific risk situations? This touches on psychosocial aspects of security, but especially in risky environments, a holistic approach is unavoidable and encouraged.
  - Are there existing relationships with trusted local partners who know the context and can be a sound alert and support network?
  - Is a thorough risk assessment available, or should it be developed, ideally before the actual policies?
- In case there is a chance of police raids and criminalization
  - Does the organization have the contacts of lawyers at hand in case of potential raids?
  - Is there an understanding of laws and regulations around police raids in your country? What are the time frames in which they could occur? What can law enforcement take? Can they block entrances/exits? Does the legislation consider not allowing law enforcement entrance once a lawyer is present? Are there other circumstances that make enforcing this dangerous?
  - Is there a protocol for having sensitive information separated and at hand for destruction in less than one minute? Does the local legislation allow this?
  - Are clear roles and responsibilities for staff described for this case?
  - Is there a partner support network established to inform partner organizations (including those outside the country) in case support is needed for future action?
- Regarding ground transportation
  - Are transportation vendors and routes used by the organization trusted?
  - Are there benefits from installing privacy screen protectors on devices or other physical protections?
  - Are there up-to-date transport times, emergency contact information, and clear follow-up processes if problems occur?
Managing institutional presence
- Emails
  - Is there Multi-Factor Authentication (MFA) enabled for all accounts?
  - Is there a need to use encrypted email services or protocols to send mail with sensitive information?
  - Is there guidance for handling links and files that staff receive?
- Social media accounts
  - Are social media accounts accessed with one password that many people know?
  - Does the organization use a password manager to share strong passwords?
  - Is there Multi-Factor Authentication (MFA) enabled for all accounts?
  - Are the recovery emails associated with the accounts organizational accounts rather than personal ones? (So the organization keeps access after any person leaves the organization.)
  - Are there existing policies enforcing password changes after staff leave the organization?
- Website
  - Are there agreements or policies requiring recurrent updates to the organizational website’s plugins and Content Management Systems (CMS)?
  - Does the list of users of the websites consider different profile permissions for different users?
  - Are there any protections against DDoS attacks?
  - Are there tools or policies to back up the websites regularly?
  - Is there a valid HTTPS certificate for all websites? (Including subdomains.)
  - Are there agreements or policies around the use of administrative accounts on websites? (For instance, keeping the Admin accounts only for emergencies, changing the names so there are no accounts called “Admin,” etc.)
- Messaging services
  - Are there agreements or policies around hiding status, profile pictures, or online information from unknown numbers?
  - Is the organization using platforms that are not associated with mobile phone numbers?
  - Is auto-deletion of chats configured, and is it beneficial for the organization?
  - Are there benefits from using aliases for specific communications instead of clear identities?
- Cloud services
  - Are there benefits from using encrypted cloud services?
  - Is there Multi-Factor Authentication (MFA) enabled for all accounts?
Managing devices
- Computers
  - Is full disk encryption enabled on those computers storing sensitive information?
  - Are there agreements or policies around screen lock passwords?
  - Are there tools or policies to back up computer files regularly?
  - Are there agreements or policies around the use of antivirus/anti-malware tools?
  - Are there agreements or policies around keeping Operating Systems and software up to date?
  - Are there agreements or policies around using privacy screens and webcam covers?
  - Are there agreements or policies around using only free or licensed software?
  - For work-issued computers: Are there agreements or policies around using work-issued devices for purposes other than work? (This might include using the device only for work or creating isolated profiles for personal use.)
- Cellphones
  - Are there agreements or policies around using privacy/protector screens, camera covers, or protective cases?
  - Are there agreements or policies around enabling biometrics for device authentication? (The approach to this might vary greatly depending on the jurisdiction.)
  - Are there agreements or policies around disabling location or other features/permissions when using the device in specific places or performing specific tasks?
  - For personal phones: Is there a need and guidance to hide work applications or limit their use?
  - For work-issued phones: Are there agreements or policies regarding using work-issued devices for purposes other than work? (This might include using the device only for work or creating isolated profiles for personal use.)
  - For work-issued phones: Are there agreements or policies around using privacy-focused Android distributions? (This applies to very specific threat models.)
- Others
  - For external devices like cameras or audio recorders: Are there agreements or policies regarding wiping memory cards after downloading data to computers?
  - Are there agreements or policies regarding separating tasks performed and data stored on different devices?
Managing sensitive information
- Storing information in cloud services
  - Is there a need to encrypt specific files before uploading them to cloud services?
  - Is there a process to choose secure and reliable cloud services?
  - Are there conventions around temporary permissions to access documents while they are being drafted or revised?
- Access to sensitive information
  - Is there a process to continuously map internal and external users with access to certain categories of data? (This is related to user roles, if available, and to monitoring who no longer needs access after working with specific information.)
  - Are there mechanisms to give extra protection to shared resources? (Approvals, additional passwords, access expiration, etc.)
- Deleting unused information
  - Are there agreements or policies regarding the management of sensitive information once it has served its purpose? (Storing it in encrypted drives, physical destruction of drives, secure file deletion, etc.)
  - Are there agreements or policies regarding wiping devices that contained sensitive information before they are sold or disposed of?
- In case we need to anonymize data
  - Are there conventions to define and share codenames with secure keys and/or pseudonyms?
  - Are there agreements or policies around removing metadata from pictures and other files? (For instance, EXIF, IPTC, and XMP metadata.)
- How to know when certain information is sensitive
  - Are there agreements or policies around identifying and labeling what information could be dangerous for the organization and related actors according to the context? (For example, data on victims, financial data, health information, biometric data, etc.)
  - Are there agreements or policies around picture management? (Do they show the faces of sensitive individuals, locations, etc., and are they stored securely? Who are they shared with?)
  - Are there agreements or policies around using and sharing staff contact information?
Other general considerations
- Is there a list of roles and responsibilities for security policy management and regular operation?
- Are there designated frequent spaces to do context and risk analysis to inform and update the security policies? (This is especially relevant when the context includes dynamic threats like protests, elections, conflicts, etc.)
- Are there safe spaces for the staff to discuss the risks associated with their work?
Some pending aspects
Given that there are a considerable number of aspects we can include as well and that the time we had for our brainstorming activity was limited, we also mapped other entire categories that we didn’t cover during this exercise and should also be considered while building security policies:
- Onboarding and offboarding staff
- Handover of responsibilities during role transitions and extended leaves
- Network administration
- Communications
- Password management
- Work-from-home considerations
- Secure browsing
- Point of contact for security policy promotion and issue resolution
- Website and domain maintenance
- Data redundancy
- Collective care mechanisms
So, what’s next?
Considering the resources we discussed at the beginning, the list that we just provided, and the ever-changing contexts in which our communities operate both in terms of threats and technology adoption, it is clear that building security policies requires a lot of continuous learning effort and understanding of the unique circumstances that every group experiences. However, when this work is done with respect to the organization’s processes, mission, and human component, the results can be very rewarding when we see that organizations respond effectively to the evolving threats they face.