diff --git a/4_device_security_checklist.md b/4_device_security_checklist.md index 6522953507b86e71dee3aa6834d80983010e3d02..6f1b808d152bc75b9e2aacd38df9ac5635e65cd9 100644 --- a/4_device_security_checklist.md +++ b/4_device_security_checklist.md 
@@ -1,74 +1,80 @@ --- document set: DRAFT DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS -title: Endpoint Device Security Checklist +title: Endpoint Security Checklist author: Jonah Silas Sheridan, Lisa Jervis for Information Ecology -last modified: 8/7/17 -version: "2.0 DRAFT NOT FOR FOR PUBLIC USE" +last modified: 9/2/2017 +version: "2.0 DRAFT, NOT PEER REVIEWED" --- -# Endpoint Device Security Checklist +# Endpoint Security Checklist ## Introduction -Securing your computing devices or "endpoints" (meaning that they are one end of all connections you make to a website, online service or another person) are a cornerstone of digital security. Often trainers, security practitioners and the documents and manuals they use assume that your devices are secure from intrusion and not running any programs that you don't expect. This assumption is critical because anyone who can control your endpoints can see and control all the same information you can -- and so any protections of that information as it travels across internal networks or the open Internet are rendered irrelevant. +Securing your devices or "endpoints" (meaning that they are one end of all connections you make to a website, online service or other person's device) are a cornerstone of digital security. In general, security trainers, practitioners, and the documents and manuals they use operate from an assumption that your devices are secure from intrusion and not running any software that you don't expect or intend. This is important because anyone who can control your endpoints can see and control all the same information you can -- and so any protections of that information as it travels across internal networks or the open Internet become irrelevant. -Unfortunately, in practice, this assumption does not meet the operating reality of many non-profits and activists. 
Especially with the increased use of encryption technologies to secure communications and other sensitive information, attacks on the hardware in devices themselves and the software they run on them has become attractive strategy for obtaining or altering data than in the past. Coupled with the fact that many devices are shipped with tracking, advertising or other software that you may not expect or that may expose your device to risks, putting time into securing your devices is a critical task for securing your organization. +Unfortunately, in practice, it is not a reasonable assumption in the operating reality of many non-profits and activists that our endpoints are not compromised. Especially with the increased use of encryption technologies to secure communications and other sensitive information as it moves over the network, attacks on the hardware in devices themselves and, more commonly the software running on them has become a more attractive strategy for obtaining or altering data than in the past. Coupled with the fact that many devices are shipped with tracking, advertising, or other software that you may not expect or that may expose your device to risks, putting time into securing your devices is a critical task for securing your organization and ensuring further improvements to your security are meaningful. -This checklist provides a number of practices that can help you protect your devices from being a threat to the confidentiality, availability or integrity of your information. By implementing at a minimum these practices, you can better trust that any other secure systems or services your organization adopts are protecting you as expected. These are meant to be applicable to computers, phones, tablets except where otherwise indicated. 
+This checklist provides a number of practices that can help you protect your devices from being a threat to the confidentiality, availability, or integrity of the information on them or on the networks they connect to. By educating your staff about the importance of endpoint protection, training and supporting staff in implementing these practices, and making them part of your organization's onboarding processes and technology policies, you can increase security for individual staff and the organization as a whole. Furthermore, you can better trust that any other secure systems or services your organization adopts are protecting you as expected. These are meant to be applicable to computers, mobile phones, and tablets except where otherwise indicated. -**These practices do not constitute a complete set of endpoint protection activities and are especially ill suited at protecting you from targeted attacks on by well resourced and persistent organizations or entities. They will not fully protect you from losing physical control of your devices, or a technically capable group having physical access to your device such as may happen at an international border, in an arrest or detention situation or through theft. If your threat model includes these sorts of concerns, contact a digital security professional to help you build systems that will remain resilient to your specific context.** +**These practices do not constitute a complete set of endpoint protection activities and are especially ill-suited for protecting you from targeted attacks by well-resourced and persistent organizations or entities. They will not fully protect you from the consequences of losing physical control of your device, including situations where a technically capable group has physical access to your device such as may happen at an international border, if you are arrested or detained, or if your device is stolen. 
If your threat model includes these sorts of concerns, contact a digital security professional to help you build systems that will remain resilient in your specific context.** ## Key :heavy_check_mark: Record actions :rocket: Implementation management overhead rating :wrench: Technical skill level required -:fire: Work flow disruption for staff## General Endpoint Security Tasks +:fire: Work flow disruption for staff + +## General Endpoint Security Tasks :heavy_check_mark: **Keep your devices in your control, always.** :rocket::wrench::fire::fire::fire: -*The easiest way to attack someone's devices is to gain physical control of them. Consequently the most important practice you can follow to protect them is to keep them in your control at all times. In your control means you know where they are and can ensure that nobody is accessing them without your permission. Note that a hotel room desk drawer or even hotel safe does not meet this standard as both can usually be accessed by hotel staff such as cleaners or management. When working in a public place, don't leave your computer even for a couple of minutes. This can be inconvenient but ensures nobody can surreptitiously install software on or hardware in, your computer without you knowing.* +*The easiest way to attack someone's devices is to gain physical control of them. Consequently, the most important practice you can follow to protect them is to keep them in your control at all times. This means that you know where they are and can ensure that nobody is accessing them without your permission. Note that a hotel room desk drawer or even a hotel safe does not necessarily meet this standard, as both can usually be accessed by hotel staff such as cleaners or management. When working in a public place, don't leave your computer even for a couple of minutes. 
This can be inconvenient but ensures nobody can surreptitiously install software on or hardware in your computer without your knowledge.* :heavy_check_mark: **Run the updating tool for your operating system and applications regularly and/or set updates to run automatically.** :rocket::wrench::fire::fire: -*The operating system of a device is the most basic software it can run and every other program or application depends on it. Operating systems are often tied to specific hardware and major examples include Microsoft Windows, Apple's OSX (for computers) and iOS (for iPhones and iPads), Android, ChromeOS (for Chromebooks) and Linux. Anytime an operating system manufacturer or application creator provides an update that fixes a security vulnerability, you are at increased risk until you install that update since any bad actors have learned about it. Setting updates to run automatically will help, but you should still manually start the update process if you read or hear of a specific security issue with any of your software. Note that if you have specific software requirements or custom software created especially for your organization, automatic updates can cause work disruption and this recommendation must be vetted by your IT team or tech support provider.* +*The operating system is the most basic software a device can run, and every other program or application depends on it. Operating systems are often tied to specific hardware; major examples include Microsoft Windows, Apple's OSX (for computers) and iOS (for iPhones and iPads), Android, ChromeOS (for Chromebooks) and Linux. Any time an operating system manufacturer or application creator provides an update that fixes a security vulnerability, you are at increased risk until you install that update, because the vulnerability has become public and any bad actors have thus learned about it. 
Setting updates to run automatically will help, but you should still manually start the update process if learn of a specific security issue with any of your software. Note that you may need to restart your device for many updates to take effect, so responding to any alerts that ask you to restart your device is important to these updates being meaningful. +If you have specific software requirements or custom software created especially for your organization, automatic updates can cause work disruption, as some OS updates may be incompatible with existing software. Therefore, operationalizing this recommendation must be coordinated with your IT team or tech support provider.* -:heavy_check_mark: **Use built in full disk encryption on your devices and shut them down when not in use or at risk of loss.** +:heavy_check_mark: **Use built-in full disk encryption on your devices and shut them down when they are not in use or are at risk of loss.** :rocket::wrench::fire::fire: -*Full disk encryption means that the contents of the storage inside your device -- the operating system, programs you have installed and your organizational data -- are scrambled in a way that they cannot be easily accessed when the computer isn't running and the contents unlocked. Without this feature, someone who steals your device, finds your lost device or otherwise accesses your hardware can easily read your files and possibly impersonate you to your systems. Full disk encryption is strongest when your computer is turned off.* -*Although full disk encryption is increasingly enabled by default on mobile devices, it isn't on all platforms so must be manually setup. This feature is called Bitlocker on Windows, Filevault on OSX and LUKS on Linux. On Android devices you can turn on this feature in the Security section of Settings menu. Chromebooks and iOS devices have encryption enabled by default. 
This recommendation is best coupled with the following recommendations regarding device authentication and locking to make sure the encryption cannot be easily bypassed.* -*It is important to know that full disk encryption requires your device to do complex math so turning this feature on will make your device work harder and may make older devices unreasonably slow to use. Full disk encryption will increase the risk of losing access to some of your information as a lost password or pin will generally mean you (as well as anyone else) cannot recover your data. Ensure you use syncing services and/or have regular backups of your data to minimize this risk.* +*Full disk encryption means that the contents of a disk, usually the storage inside your device -- which contains the operating system, programs you have installed, and your organizational data -- are scrambled so that they cannot be easily accessed when the disk isn't unlocked. For the storage inside a device, unlocking happens anytime the computer is running and logged in. Without this feature, someone who steals your device, finds your lost device, or otherwise accesses your hardware can easily read your files and possibly impersonate you to your systems. +Although full disk encryption is increasingly enabled by default on mobile devices, this is not true on all platforms and so in many cases must be manually set up. This feature is called Bitlocker on Windows, Filevault on OSX, and LUKS on Linux. On devices running Android 5.0 and later, you can turn on this feature in the Security section of Settings menu. On iOS 7 and earlier, you can turn this on in the Passcode section of the General settings. Chromebooks and devices running iOS 8 or later have full disk encryption enabled by default. 
For advanced users, an open source encryption tool called VeraCrypt can also provide full disk encryption to Windows, OSX and Linux computers as well as offering other advanced features and can be found at https://www.veracrypt.fr/en/Home.html.* __This recommendation is not effective unless is it coupled with the practices described in the next item, regarding device authentication and locking, to make sure the encryption cannot be easily bypassed when the computer is running.__ +*Full disk encryption is strongest when your computer is turned off or turned on but awaiting a password to start up. Once you have logged in, the computer has the secret key needed for decrypting your data in its memory (so you can work!) and so even with the screen locked and full disk encryption there is some risk to someone obtaining your logged in computer while it is running. However this is a highly technical attack and shouldn't stop you from keeping your computer turned on or logged in when you need to work, but it is also true that a device with full disk encryption in a hostile environment or out of your sight is safest when turned off.* +*It is important to know that full disk encryption requires your device to do complex math, so turning on this feature will use processing power and may even make older devices unreasonably slow to use. Full disk encryption will also increase the risk of you losing access to some of your information, as a lost password or PIN or failure of the part of the disk where the encryption keys are stored will generally mean you (as well as anyone else) cannot recover your data. Ensure you use syncing services and/or have regular backups of your data to minimize the risk of data loss in this case, but recognize that those copies of your data and the servers you sync also need to be secure. 
Full disk encryption can also be used on an external hard drive or USB sticks you use for backups using the same built in tools mentioned above or by using VeraCrypt.* -:heavy_check_mark: **Use a strong password or long pin code on your device, set your device to lock itself after a short period and manually lock the device if walking away from it. Be aware of your surroundings when entering this code or password to ensure someone isn't watching or your movements aren't being recorded on camera.** +:heavy_check_mark: **Use a strong password or long PIN code on your device, set your device to lock itself after a short period, and manually lock the device if walking away from it. Be aware of your surroundings when entering this code or password to ensure no one is watching and your movements aren't being recorded on camera.** :rocket::wrench::fire::fire::fire: -*Always setup a long (8 numbers or more) pin code or complex password to login to your device to ensure that a lost or stolen device remains locked down. Use the screen timeout feature of your device and require your password or pin to wake it back up to ensure that your information and your accounts are protected even if the device is found while turned on. The shorter the screen timeout period, the shorter the amount of time your device is vulnerable so choose as small a time as you can while still being able to do your work. If stepping away from a device, manually lock the screen. Nearly every operating system has a keyboard shortcut or other quick way to lock a device, which you can lookup in its documentation or can ask your technical support provider about. Be aware when entering a pin or password in public spaces to be sure nobody malicious is watching and that your keystrokes are not being recorded on camera. While biometric (fingerprints, facial recognition, etc.) 
unlocking mechanisms, swipe patterns and other locking mechanisms are becoming more common they can still be bypassed more easily than codes and passwords so are not yet recommended.* +*Always set up a long (8 numbers or more) PIN code or complex password to log in to your device to ensure that a lost or stolen device is inaccessible through its screen and the hardware remains encrypted. Use the screen timeout feature of your device and require your password or PIN to wake it back up to ensure that your information and your accounts are protected even if the device is found while turned on. The shorter the screen timeout period, the shorter the amount of time your device is vulnerable -- so choose as short a time as you can while still being able to do your work. If stepping away from a device, manually lock the screen. Nearly every operating system has a keyboard shortcut or other quick way to lock a device (look it up in the relevant documentation or ask your technical support provider). Be aware when entering a PIN or password in public spaces to be sure nobody malicious is watching and that your keystrokes are not being recorded on camera. While biometric unlocking mechanisms (for example, fingerprints or facial recognition), swipe patterns, and other locking mechanisms are becoming more common they can still be bypassed more easily than PINs and passwords so are not yet recommended.* -:heavy_check_mark: **Run antivirus, ad blocking and anti-malware software on your devices.** +:heavy_check_mark: **Run antivirus, anti-malware, and ad blocking software on your devices.** :rocket::wrench::wrench::wrench::fire::fire: -*Antivirus and anti-malware software are programs that run on your computer and scan all files coming in r out for files that are known to infect, steal data from or otherwise abuse your computer or data without your consent. 
While these tools only work against software already created, identified and added to their lists of what to scan for, a large amount of intrusions rely on these well known threats. However this software by its very nature has to have access to all the files on your computer and so can themselves be a vector of intrusion. For this reason, you are best off with software made by a well known manufacturer and vetted by your technical support provider. Don't trust "free" or "no cost" virus or malware scanning software, especially any that appears in a pop up advertisement in your web browser or on a computer or device, as it often is a cover for a virus itself. TechSoup offers low cost [Symantec](http://www.techsoup.org/symantec-catalog) and [Bitdefender](http://www.techsoup.org/bitdefender) antivirus software to most non-profit organizations. Nothe that this scanning takes power from your device's processor to work, often a fair bit of it,, so if it is already slow this may make your device unusable at times. -* Ad blocking will keep advertisements from loading on your web browser or device. Because of the complexity of modern ads, they can be vectors of attack, so you are safer blocking them entirely. This is worth running no matter what as removing advertisements should also improve your device performance since it won't use your network connection to load, or use your process to run, all of that often fancy (and insecure) content.* +*Antivirus and anti-malware software are programs that run on your computer and scan all files coming in or going out for files that are known to infect, steal data from, or otherwise abuse your computer or data without your consent. While these tools work only against software already created, identified, and added to the software's lists of what to scan for, a large proportion of intrusions rely on these well-known threats. 
However, these types software by their very nature must have access to all the files on your computer and so can themselves be a vector of intrusion. For this reason, you are best off with software made by a well-known manufacturer and vetted by your technical support provider. Never trust "free" or "no-cost" software promising to scan for viruses and malware, especially those that appear in pop-up advertisements in your web browser or on your device, as they often carry viruses themselves. TechSoup offers low-cost [Symantec](http://www.techsoup.org/symantec-catalog) and [Bitdefender](http://www.techsoup.org/bitdefender) antivirus software to most non-profit organizations. +Note that the work of scanning for viruses and malware takes power from your device's processor, often a significant amount, so if it is already slow this may make your device unusable at times. +Ad blocking software will keep advertisements from loading on your web browser or device. Because of the complexity of modern ads, they can be vectors of attack, so you are safer blocking them entirely. Furthermore, removing advertisements should also improve your device's performance since it won't use your network connection to load, or use your processor to run, all of that often fancy (and insecure) content. However, ad-blocking software suffers from the same problems as antivirus and there are many actually track you or inject other advertisement. uBlock Origin is a well respected open source ad blocker which is available for Chrome, Firefox (including on Android), Safari and Microsoft Edge and can be downloaded from https://github.com/gorhill/uBlock/* ***Note that there is another ad blocker called just uBlock or μBlock that uses the same logo as uBlock origin but is not recommended.*** -:heavy_check_mark: **Paint any exposed screws on your devices with sparkly nail polish or other paint that cannot be easily removed and replaced without notice. 
Whenever possible, put tamper revealing tape across places where devices open. Keep photographs accessible from someplace besides that device of how it appeared before leaving it unsecured anywhere.** +:heavy_check_mark: **Paint any exposed screws on your devices with sparkly nail polish or other paint that cannot be easily removed and replaced without notice. Whenever possible, put tamper-evident tape across places where devices open. Before taking your device anywhere it may be at risk of being out of your control, take photographs of how screws and other openings appeared and store them so that they are accessible from someplace other than that device.** :rocket::wrench::wrench::fire::fire::fire: -*Although the idea of painting your computer or device with nail polish or covering it with tape may seem silly, this will allow you to ensure that, if lost or otherwise out of your control, that your device was not tampered with. The reason this is listed as difficult is that you will need to both remember to check these details after your device has been away from you. You will also be better off with a photograph (stored someplace you can get to even without your devices turned on) to help you ensure that nothing has changed about the device when it was out of your control.* +*Although the idea of painting your computer or device with nail polish or covering it with tape may seem silly, this will allow you to ensure that, if you do lose control of your device temporarily, it has not been physically tampered with. (This is listed as difficult because you will need to both remember to document your device's physical state beforehand and check these details after your device has been returned to you.) 
Note that this strategy will be most useful with a photograph (stored someplace you can get to even without your devices turned on to help you ensure that nothing has changed about the device when it was out of your control.* -:heavy_check_mark: **Be exceptionally careful about what software you install on your computers and mobile devices.** +:heavy_check_mark: **Be exceptionally careful about what software you install on your devices.** :rocket::rocket::wrench::wrench::fire::fire::fire: -*The proliferation of mobile apps, browser extensions and other "free" (as in zero cost, not open source) programs has caused numerous security problems. Avoid software that hasn't been created by a company you already have a trust relationship with (such as Google or Slack, if you use their tools internally). Software that appears to have good intentions (like antivirus scanning) or even beneficial features may be masking malicious activities in the background.* +*The proliferation of mobile apps, browser extensions and other "free" (as in zero-cost, not open source) programs has caused numerous security problems. Avoid software that hasn't been created by a company you already have a trust relationship with (i.e., any company whose tools you are already using internally). Software that appears to have good intentions (like antivirus scanning) or even beneficial features may be masking malicious activities in the background. In most browsers and mobile devices, an application will ask for certain permission -- the information and hardware it can access on your device. These are worth looking at to make sure they at least vaguely reflect what is expected. 
For example if a flashlight app asks for permissions to your contacts or to make phone calls, you probably don't want to install it.* ## Laptop and Desktop Computer Security Tasks :heavy_check_mark: **Carefully source your USB and memory card devices, only plugging trusted and personally sourced ones into your computer.** -:rocket::wrench::fire::fire::fire: -*Don't plug other people's USB devices and memory cards such as flash drives, hard drives and phones into your computer, or any such devices that came to you in anything besides verifiable original packaging. This recommendation is especially important in regards to devices from unknown or untrusted sources (leaving USB sticks around an office is a classic intrusion technique) but also applies to any other devices, even if you trust the owner, as your trust in the person is not the same as trusting the devices they use. These devices can silently infect your computer in ways that are very hard to detect. Passing through trusted organizational systems, especially those that do virus scanning. Certain cloud services, including Google Drive and Box (but not Dropbox) automatically scan files (under 25MB for Google Drive) for viruses and will alert you if your files are infected. In this case a loss of some privacy to the third party provider may be worth the trade off of passing files through a sanitizing process.* +:rocket::wrench::wrench::fire::fire::fire: +*Don't plug other people's USB devices and memory cards such as flash drives, hard drives and phones into your computer, or any such devices that came to you in anything besides verifiable original packaging. 
This recommendation is especially important with regard to devices from unknown or untrusted sources (leaving USB sticks around an office is a classic intrusion technique), but it also applies devices owned by trusted people, as trusting a person is not the same as trusting all the devices they use, the software they run or the other devices they have plugged their USB device into into. USB and memory card devices can silently infect your computer in ways that are very hard to detect.* +*While never plugging USB devices into your computer is ideal, it is not always possible to do so. If you have to plug something into a computer, make sure that computer is running antivirus software that is up to date, and consider logging into a guest account that doesn't have access to your files or systems and then passing the files on it through an additional virus scan before opening or using. Certain cloud services, including Google Drive and Box (but not Dropbox) automatically scan uploaded files (under 25MB for Google Drive) for viruses and will alert you if your files are infected so you can use that as an additional layer of protection. However, there is still risk associated with USB devices and after using a USB device you don't trust, be on the look out for odd behavior such as error messages, extra network traffic or rapid battery usage and report any of those things immediately.* :heavy_check_mark: **Add a privacy filter to your computer's screen.** :rocket::wrench::fire::fire: -*One of the easiest ways to accidentally leak information is for someone in a public place to see it on your screen. Purchasing and installing privacy filters (basically a piece of plastic that allows what is on your computer to be seen only by the person sitting right in front of it) on your computers -- especially for people that work frequently in cafes, coworking spaces or airplanes will protect you from this threat. 
Be aware that if you frequently share information by showing your actual laptop screen to others (as opposed to connecting your laptop to a projector or other display) this may cause you some disruption.* +*One of the easiest ways to accidentally leak information is for someone in a public place to see it on your screen. Purchasing and installing privacy filters (basically, a piece of plastic that allows what is on your computer to be seen only by the person sitting right in front of it), especially if you work frequently in libraries, cafés, coworking spaces, airports, and/or airplanes, will protect you from this threat. Be aware that if you frequently share information by showing your actual laptop screen to others (as opposed to connecting your laptop to a projector or other display), you will want to ensure that any filter you purchase has an attachment option designed to enable easy temporary removal.* -## Mobile Phone & Tablet Security Tasks +## Mobile Phone and Tablet Security Tasks :heavy_check_mark: **Don't click links sent to you by SMS or other text message, especially from unknown parties.** :rocket::wrench::fire::fire: -*There is rarely a reason to send links in this way and yet we continue to see situations where mobile devices are compromised through incoming links sent by text message (which can include not just by SMS text messages but by also messages from any instant messaging application that allows anyone who knows your number to send you a message.) The link may display what looks like a legitimate page, but could be installing malicious software in the background. 
If you absolutely need to click a link sent in this way, verify with the sender by phone or video call that the link you see is what they sent you.* +*There is rarely a reason to send links in this way and yet we continue to see situations where mobile devices are compromised through incoming links sent by text message (which can include not just the common SMS text message that works on all cellular networks even without a data connection but by also messages from any instant messaging application as either one allows anyone who knows your number to send you a message.) The link may display what looks like a legitimate page, or often a shortened link, but may have installed malicious software in the background. If you absolutely need to click a link sent in this way, verify with the sender by phone or video call that the link you see is what they sent you. Of course this is broadly true of all links sent to you over other channels that accept messages from anyone, for example email or a comment form on a web page, so you should use caution in clicking those links as well.* -:heavy_check_mark: **Use either a charge only cable or a "USB condom" between to charge your device from anything other than a wall charger. Carry a backup battery to ensure you never have to charge your device from an untrusted source.** +:heavy_check_mark: **Use either a charge-only cable or a "USB condom" to charge your device from anything other than a wall charger or a computer that you know to be free of infection. Carry a backup battery to ensure you never have to charge your device from an untrusted source.** :rocket::wrench::wrench::fire::fire::fire: -*Almost all modern professionals have been there: your mobile phone or tablet is dead and the only place to charge it is a random computer or device, whether a friend's laptop, an internet connected device or a public computer. 
Unfortunately that computer or device can become a route for virus or other malicious software infection to enter into your device. You can purchase a "USB condom" or charge only USB cable that disconnects the wires that are used for data transfer to be able to safely connect your device to any USB port you come across. Alternatively, and often easier, you can carry a USB enabled backup battery so you can always charge your device on the go. Just be sure to source and manage that battery as well (charging it from the wall or your main computer) so it isn't also a threat to your computer.* +*Almost all modern professionals have been there: your mobile phone or tablet is dead and the only place to charge it a friend's laptop, an internet connected device, or a public computer. Unfortunately that computer or device can become a route for a virus or other malicious software to infect your device. For use in these situations, you can purchase a "USB condom" (which prevents a connection between the data pins in the unknown port and the USB cable and allows only the power pins to connect) or charge-only USB cable (which does not contain the wires that are used for data transfer in the first place). Either option will enable you to safely connect your device to any USB port you come across. Another option, which has the added advantage of being useful even if you can't find a random port, is to purchase and carry a USB-enabled backup battery so you can always charge your device on the go. Although it has been shown to be possible, there have been no reports of backup batteries spreading malware. However if charging from a suspicious charger or one from a stranger,you may wish again to use a USB condom to ensure that any software on the charger cannot affect your device.* diff --git a/8_gsuite_security_checklist.md b/8_gsuite_security_checklist.md index 3019e53b2ce8a085ff670cf58d8b8e7d75160c76..42c1cd19468a598daa75afbeedaebd7490a59051 100644 
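Review bot: in the charging item, the added sentence "Although it has been shown to be possible, there have been no reports of backup batteries spreading malware" asserts both a demonstration and an absence of reports with no reference; either cite the demonstration or soften the sentence to what the authors can stand behind, since a checklist reader will take it at face value. Two typos in the same paragraph: "the only place to charge it a friend's laptop" is missing "is", and "from a stranger,you may wish" needs a space after the comma. In the SMS item, the parenthetical "which can include not just the common SMS text message ... but by also messages from any instant messaging application as either one allows anyone who knows your number to send you a message" is hard to parse; suggest "not just SMS text messages (which work on all cellular networks even without a data connection) but also messages from any instant messaging application, since either lets anyone who knows your number send you a message".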
--- a/8_gsuite_security_checklist.md +++ b/8_gsuite_security_checklist.md 
@@ -1,26 +1,24 @@ - --- document set: DRAFT DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS title: GSuite Security Checklist author: Jonah Silas Sheridan, Lisa Jervis for Information Ecology -last modified: 8/23/17 -version: "2.0 DRAFT, NOT PEER REVIEWED" -___ +last modified: 9/2/2017 +version: 2.0, DRAFT NOT FOR FOR PUBLIC USE +--- # GSuite Security Checklist ## Introduction -As of this document's creation (in 2017) a significant portion of US non-profits rely on Google's free online "cloud" applications (GMail, Google Docs/Sheets GDrive, Google Calendar among them) to do their work. While many groups still depend on personal or other Gmail accounts made for their work (any login that ends with @gmail.com) for access to these services, Google also offers GSuite -- a version of these tools suited for use in organizations. GSuite provides significant advantages over personal accounts including organizational email addresses (which use a custom domain name, the part of an email address after the @ sign, which can match your website address), administrative controls, advanced settings and 24/7 tech support for use of the tools. These features can improve your organization's technology in many areas, including helping you improve your ability to secure your information by providing tighter management, control and monitoring of your systems and how they are used. +As of this document's creation (in 2017) a significant portion of U.S. non-profits rely on Google's free online "cloud" applications (Gmail, Google Docs/Sheets, GDrive, and Google Calendar among them) to do their work. While many groups still depend on personal or other Gmail accounts made for their work (any login that ends with @gmail.com) for access to these services, Google also offers GSuite: a version of these tools suited for use in organizations. 
GSuite provides significant advantages over personal accounts, including organizational email addresses using your chosen domain name (the part of an email address after the @ sign), administrative controls, advanced settings, and 24/7 support 24/7 tech support for use of the tools. These features can improve your organization's technology in many areas, including helping you better secure your information by providing tighter management, control, and monitoring of your systems and how they are used. -Because of these advantages and the fact that Google offers the Basic version of GSuite for free to registered US 501c3 organizations, setting it up for your organization is highly recommended for all US organizations that already rely on Google's cloud based tools. -While there are definitely risks associated with providing any third party corporation, especially one in the business of data mining, and advertisement targeting, access to all your information and the data about how and where you and your team use it, if you are already accepting this risk by relying on Google's tools, GSuite will at least help you secure that information from others. You can begin the sign up process and read about the offerings at https://www.google.com/nonprofits/products/apps-for-nonprofits.html. +Because of these advantages, and the fact that Google offers the Basic version of GSuite for free to registered U.S. 501c3 organizations, setting it up for your organization is highly recommended for all U.S. organizations that already rely on Google's web-based tools. While there are definitely risks associated with providing any third-party corporation access to all your information and the metadata about how and where you and your team use it--especially a corporation in the business of data mining and advertisement targeting--if you are already accepting this risk by relying on Google's tools, GSuite will at least help you secure that information from others. 
You can begin the sign up process and read about the offerings at https://www.google.com/nonprofits/products/apps-for-nonprofits.html. -***Despite the recommendation above, this document should in no way be read as an explicit endorsement of GSuite or other Google tools for movement building, activist or other non-profit organizations. There are many other tools that can meet the needs that they fill with a range of associated security and operational tradeoffs. If any previous security risk assessment has shown the vulnerabilities and risks associated with these tools to be unacceptable for your organization, or for any reason you a strong trust relationship with a US based corporation is concerning to you, carefully consider the risk tradeoff before implementing GSuite for your non-profit.*** +***Please note that this document should in no way be read as an explicit endorsement of GSuite or other Google tools for movement-building, activist, or other non-profit organizations. There are many other tools--with a range of associated security and operational tradeoffs--that can meet the needs that GSuite fills. If any previous security risk assessment has shown that the vulnerabilities and risks associated with Google's tools are unacceptable for your organization, or for any reason having strong trust relationship with a U.S.-based corporation is concerning to you, this checklist is not relevant to you and it is not a recommendation to rethink your existing decisions.*** -For those that have already adopted GSuite in the non-profit sector, the checklist that follows offers direction on how to setup and use the administrative controls offered by the free GSuite Basic platform to "harden" your setup and improve your overall digital security level. Note that, as indicated in the associated description, many of these tasks are specific implementations of checklist items from elsewhere in this set. 
+For those that have already adopted GSuite in the non-profit sector, the checklist that follows offers direction on how to set up and use the administrative controls offered by the free GSuite Basic platform to harden your organizational GSuite account and improve your overall digital security level. (In this context, "harden" means to reduce the points of vulnerability of a system by turning off or disabling functionality that is not needed.) Note that, as indicated in the associated description, many of these tasks are specific implementations of checklist items from elsewhere in this set. -It is also noted that there are additional controls and security features available using other editions of GSuite, including GSuite for Business and GSuite Enterprise. While neither of these editions are provided for free and the price scales by the number of user accounts and devices in use, the additional functionality provided has value for organizations that have additional needs including but not limited to high compliance requirements for their work, a need to work with highly sensitive data or a wish to deploy tightly controlled mobile devices. You can review edition differences at https://gsuite.google.com/compare-editions/ and, if unsure which is best for your needs, should ask for help from your technical support provider in making the decision of which edition to deploy. +It is also noted that there are additional controls and security features available using other editions of GSuite, including GSuite for Business and GSuite Enterprise. While neither of these other editions are provided for free (and for a system that is priced by the user, costs can add up quickly), the additional functionality provided has tremendous value for organizations that have additional security needs stemming from items including but not limited to compliance requirements, the presence of highly sensitive data, or a wish to deploy tightly controlled mobile devices. 
You can review edition differences at https://gsuite.google.com/compare-editions/; if you're unsure which is best for your needs, ask for help from your technical support provider. ## Key :heavy_check_mark: Record actions 
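Review bot: the front-matter change from "-version: "2.0 DRAFT, NOT PEER REVIEWED"" to "+version: 2.0, DRAFT NOT FOR FOR PUBLIC USE" moves this file in the opposite direction from 4_device_security_checklist.md in the same patch, which changes to "2.0 DRAFT, NOT PEER REVIEWED"; it also reintroduces the doubled "FOR FOR" and drops the quotes, so the two files now disagree on whether the set is merely unreviewed or not for public use. Pick one string and quote it in both files. The "___" to "---" fix for the closing front-matter delimiter is correct and needed for the YAML block to parse. In the introduction, the added text reads "advanced settings, and 24/7 support 24/7 tech support for use of the tools" (duplicated phrase), and "for any reason having strong trust relationship with a U.S.-based corporation" is missing "a".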
@@ -28,59 +26,67 @@ It is also noted that there are additional controls and security features availa :wrench: Technical skill level required :fire: Work flow disruption for staff -## GSuite Setup Security Tasks -:heavy_check_mark: **Make a plan, preferably before deploying GSuite, detailing how your information is used by your staff, volunteers and others, to ensure you understand your security needs and can configure the tools correctly.** -:rocket::rocket:rocket::wrench::fire: -*GSuite is a powerful platform with a lot of moving parts and a lot of possible configurations. As with all tols, the more time and energy you put into understanding the different users and user types you have and what features they need to use, the more effective your implementation of security controls will be. First read through this checklist to familiarize yourself with some practices you may want to employ in your GSuite setup. Then make a list of all the different groups of people you have in your organizations that will be using your GSuite tools based on the work you expect them to do using those tools (such as volunteers, or part time staff or borad members). Think about and list which of those groups needs to send email, to edit documents, to access your shared contacts list, has calenders and so on. Think about whether anyone should have restricted access or special access to specific tools that nobody else needs, as well as specific shared roles (report intake, billing, etc.) that need to be filled. Google has produced a lot of documentation on how to plan your GSuite deployment which can be found here: https://support.google.com/a/answer/4514329 and can help you understand the applications and settings available to you in your setup process. 
At a minimum having a well crafted plan will allow you to ask specific questions to GSuite support as you go through the setup process but this planning will also guide you as you step through the administrative tools at https://admin.google.com.* +## GSuite Configuration Security Tasks +:heavy_check_mark: **Make a plan, preferably before deploying GSuite, detailing how your information is used by your staff, volunteers, and others, to ensure that you understand your security needs and can configure the tools correctly.** +:rocket::rocket::rocket::wrench::fire: +*GSuite is a powerful platform with a lot of moving parts and a lot of possible configurations. As with all tools, the more time and energy you put into understanding the different users and user types you have and what features they need to use, the more effective your implementation of security controls will be. First read through this checklist to familiarize yourself with some practices you may want to employ in your GSuite setup. Then make a list of all the different groups of people you have in your organization that will be using GSuite; a typical lit might be: full-time staff, part-time staff, volunteers, and or board members). Then think about and list how each of those groups will need each of the various tools: e.g., to send email, to edit documents, to access your shared contacts list, to maintain a shared calendar, and so on. Think about whether any group should have special access to specific tools that nobody else needs or whether any group should be restricted from tools that everyone else needs. Also think about any shared roles where multiple people need access to the same identity, email box or set of documents -- such as an email account used to send or receive invoices, or a set of documents used for a volunteer run hotline. 
Google has produced a lot of documentation on how to plan your GSuite deployment (see https://support.google.com/a/answer/4514329) that can help you understand the applications and settings available to you in your configuration process. At a minimum, having a well-crafted plan will guide you as you step through the administrative tools at https://admin.google.com and also help you formulate specific questions for GSuite support as you go through the setup.* -:heavy_check_mark: **Create at least one dedicated account with administrative control of GSuite that is not associated with any individual's work email address, and provide a recovery email address or phone number that is controlled by your organization or trusted tech support provider (and not an individual employee).** -:rocket::wrench::wrench::fire::fire: -*While convenient, giving everyday user accounts permission to control your GSuite install creates risk. If that person's device is lost or stolen or their password otherwise obtained, all of your organization's information could be at risk. Sign up with or create a unique email address (like gsuite@yourdomain.org, replacing yourdomain.org with your organization's domain name) for this purpose that isn't used for anything else. You should give this "Super Admin" permissions (full control over your Gsuite setup, including access to all calendars and accounts - which it automatically gets if used for setup), remove those permissions from any other accounts and store the password in a safe way like a password manager or safety deposit box, using it only when you need to change settings in GSuite. You will be asked to give recovery email or phone number in case of a lost password. This email or phone should be controlled by your organization or trusted delegate such as a tech support provider or affiliate organization rather than by an individual employee. 
You can find instructions for giving or taking away Super Admin permissions for a user at https://support.google.com/a/answer/172176. Directions for setting up a recovery phone number or email are at https://support.google.com/accounts/answer/183723.* -*There are multiple levels of administrative control available in GSuite as well, which you can use to offer limited permissions to other administrative users you create if you have multiple employees, tech support providers or volunteers with specific administrative tasks to perform. You can review the built in administrative groups and find a link on how to make custom roles of your own at https://support.google.com/a/answer/2405986. As an example you might make an account for tech support called helpdesk@yourdomain.org and give it Help Desk Admin permissions which will allow it to reset passwords for people, but not create users or groups. Now you can give control of that account to someone who does tech support without giving them total control of your systems.* +:heavy_check_mark: **Create a single, dedicated account with full administrative control of GSuite ("Super Admin" permissions) and do not associate it with with any individual's email address; provide a recovery email address or phone number that is controlled by your organization or trusted tech support provider and not an individual employee. Assign other administrative permissions appropriately.** +:rocket::rocket::wrench::wrench::fire::fire: +*While convenient, giving everyday user accounts permission to administer your GSuite creates risk. Doing so can mean that the loss or theft of a person's device, or a breach of their password, could put all of your organization's information at risk. Instead, sign up with or create a unique email address (like gsuite@yourdomain.org, replacing yourdomain.org with your organization's domain name) for this purpose that isn't used for anything else. 
Give this account "Super Admin" permissions (which means full control over your GSuite setup, including access to all calendars and accounts), remove those permissions from any other accounts (note that the account you use to perform your GSuite setup will have Super Admin permissions assigned automatically), and store the password in a safe way such as a well-configured password manager (see authentication checklist for more information) or safety deposit box, using it only when you need to change settings in GSuite. You will be asked to give recovery email or phone number in case of a lost password. This email or phone should be controlled by your organization or trusted delegate such as a tech support provider or affiliate organization rather than by an individual employee. You can find instructions for giving or taking away Super Admin permissions for a user at https://support.google.com/a/answer/172176. Directions for setting up a recovery phone number or email are at https://support.google.com/accounts/answer/183723.* -:heavy_check_mark: **Use the organizational units functionality in GSuite to make groupings of user accounts or devices and giving them the minimum level of access required to do their work.** -:rocket::rocket::wrench::wrench:fire::fire: -*While convenient, giving all users ability to use all the tools in any way they wany in your GSuite setup may present security risk for your organization. For that reason you should use the advanced management features available in the platform to practice the security concept of "least authority" meaning you give all users the minimum set of access required for them to do their work. For example you may want to be able to let volunteers enter information into Google Sheets but not to email on behalf of your organization. GSuite provides a structure called an organizational unit to allow you to separate users or devices you manage into groups, and then assign "policies" to each of those groups. 
These policies including the ability to access specific tools or "apps" or to apply certain settings to their accounts. You can read an overview of applying policies at https://support.google.com/a/topic/1227584. An article about organizational structures is at https://support.google.com/a/answer/4352075 and instructions for creating them at https://support.google.com/a/answer/182537.* -*Once you have created these units, you can use them to control access to services as described at https://support.google.com/a/answer/182442 or to apply specific settings about those services as described at https://support.google.com/a/answer/2655363.* +*Other levels of administrative control can be assigned according to your organizational needs. For example, you could give a tech support provider Help Desk Admin permissions, which will allow them to reset passwords for people but not create users or groups. Now you can give control of that account to someone who does tech support without giving them total control of your systems. You can review the built-in administrative groups and find a link on how to make custom roles of your own at https://support.google.com/a/answer/2405986. Creating new users is the most common administrative task in many organizations and, although it may be tempting to delegate this permission to a normal operating account, gaining the power to create a user and add it to groups effectively gives a malicious actor access to all of your files until the user they create is identified and disabled, so it is best to give this permission only to specialized administrative accounts. 
-:heavy_check_mark: **Use Google Groups and Google Drive Team Drive features to provide appropriate access to files to different groups of users, and to ensure that your organization always controls its own information.** -:rocket::wrench::wrench::fire::fire::fire: -*Historically one of the challenges of managing your organization's files using Google Drive has been the loss of access to key documents when employees or volunteers leave the team as well as the ability to lock down sensitive information such as that used for human resources policy or reporting, anonymous donor tracking or sensitive program details. By setting up one or more Team Drives (as described at https://support.google.com/a/answer/7212025) you will assure that the Super Admin for your GSuite domain always has access to the files that are stored there. You can also apply permissions (as described in this article https://support.google.com/a/answer/7337635?hl=en) to a Team Drive to allow only the minimum access needed for different individual or groups of users. For example you might have policy documents that only certain staff members should be able to change and that all staff and volunteers need to be able to view or comment on. You can give these permissions by individual email address if your organization is small enough, or for larger groups and ease of management you can create groups in Google Groups (https://support.google.com/a/answer/33329) and give the permission to the group by entering its email address. This way when a new person comes on board or leaves a team or the organization, you only need to take them out of the relevant Google Groups or Team Drives to also remove their account's permissions to files. Note that by locking down your files in this way, your system becomes much less "self service" and someone will need to be in charge of and regularly available to change permissions and group settings as needed. 
The increased control of your files is well worth this task overhead.* +:heavy_check_mark: **Enforce password length rules.** +:rocket::wrench::fire::fire: +*GSuite allows you to set minimum (and maximum) password lengths. Setting a minimum length of at least 8 but ideally more than 12 characters helps guard against easily guessable passwords. Instructions on getting this up are at https://support.google.com/a/answer/139399?hl=en. Note that helping people to produce long passphrases that are a combination of words that have never appeared together (perhaps with some character substitutions) and that don't include any information about that person will allow you to push this minimum length even higher so that guessing a password becomes virtually impossible.* -:heavy_check_mark: **Turn on two-factor authentication and after being sure everyone is using it successfully. Help staff use Google Authenticator codes or U2F hardware keys as a second factor rather than text message codes and make sure they report immediately if that factor is lost or stolen.** -:rocket::rocket::rocket::wrench::wrench:wrench::fire::fire::fire: -*One of the advantages of GSuite as a platform is its support for two-factor authentication whereby users login with two things that they know or control, one of which is their password and the other of which is a hardware key, code produced by a program running on their computer or phone, a text message code or even a printed code from a list. Unless your organization owns and manages the cell phones receiving a texted code as a second factor, it is highly advised that you help staff select another second factor with which to prove their identity when logging into Google services, especially for any accounts with Super Admin or other administrative rights to your GSuite domain.* -*Google Authenticator is available in both the Google Play store for Android phones as well as the App Store for Apple devices. 
The most common U2F hardware key is called a Yubikey and can be ordered at a discount at this link: https://www.yubico.com/gafw/. You will need to log into your GSuite admin account but can order up to 50 keys at half price cost of $9 a piece.* -*Setup of two factor authentication, as well as links to training materials for staff, is detailed in this document: https://support.google.com/a/answer/175197. Have staff print backup codes (see directions here: https://support.google.com/accounts/answer/1187538) so that they can still get into their account if their phone or hardware key is lost or stolen. Although those backup keys will allow them keep working, it is important to inform users to report a lost second factor or set of backup codes to whomever is responsible for administration of your GSuite domain. Once reported lost or stolen, a security key MUST be revoked (https://support.google.com/a/answer/2537800#seckey), backup codes MUST be regenerated by the user (https://support.google.com/accounts/answer/1187538) or a Google Authenticator app MUST be removed as a second factor to preserve your security levels.* -*Be aware that separate passwords for applications such as email or calendaring clients that do not support the two factor process will become necessary and you will want to be sure you help staff create those as outlined in this document: https://support.google.com/a/answer/1032419. You can also use the Advanced Security Settings which can be applied to all of your users, or any group of users in an Organizational Unit, to require that two factor authentication is setup within a certain amount of time after their first login. Although this may put a strain on technical support resources, it is highly recommended. Directions to enforce two factor authentication can be found at https://support.google.com/a/answer/2548882.* -*A more general version of this recommendation can be found in the Authentication Checklist that is part of this document set. 
Two factor authentication is a best practice for use with any service or tool that supports it, though each will have its own set of options available to you and your staff.* +:heavy_check_mark: **Use the organizational units functionality in GSuite to make groupings of user accounts or devices, and give them the minimum level of access required to do their work.** +:rocket::rocket::wrench::wrench::fire::fire: +*Giving all users ability to use all the GSuite tools in any way they want invites security risk for your organization. Instead, you should practice the security concept of "least authority"--meaning you give users only the minimum access that is required for them to do their work. For example, you may want have volunteers enter information into Google Sheets but not send email from accounts with your domain name. To allow you to control access in this way efficiently rather than on a per-user basis, GSuite provides a structure called an organizational unit. Organizational units allow you to categorize users or devices into groups, and then assign policies to each of those groups. These policies, including the ability to access specific tools or to apply certain settings to their accounts. You can read an overview of applying policies at https://support.google.com/a/topic/1227584. 
An article about organizational structures is at https://support.google.com/a/answer/4352075 and instructions for creating them at https://support.google.com/a/answer/182537.* +*Once you have created these units, you can use them to control access to services as described at https://support.google.com/a/answer/182442 or to apply specific settings about those services as described at https://support.google.com/a/answer/2655363.* -:heavy_check_mark: **Implement controls that make it difficult for anyone to "spoof" email from your email addresses.** +:heavy_check_mark: **Use Google Groups and Team Drive features to provide appropriate access to files for different groups of users, and to ensure that your organization always controls its own information.** +:rocket::rocket::wrench::fire::fire::fire: +*Historically one of the challenges of managing your organization's files using Google Drive has been the risk of loss of access to key documents when employees or volunteers leave the team, as well as the lack of ability to prevent sensitive information from being shared more widely than it should be. By setting up one or more Team Drives (as described at https://support.google.com/a/answer/7212025) you can ensure that the Super Admin for your GSuite domain always has access to the files that are stored there. You can also apply permissions (as described in this article https://support.google.com/a/answer/7337635?hl=en) to a Team Drive to allow only the minimum access needed. For example, you might have organizational policy documents that everyone needs to be able to view and only certain staff members should be able to change. You can give these permissions by individual email address if your organization is small enough, and, for larger groups and easier management, you can create groups in Google Groups (https://support.google.com/a/answer/33329) and give appropriate permissions to the Group's email address. 
This way when a new person comes on board or leaves a team or the organization, you need only to take them out of the relevant Google Groups or Team Drives to also remove their account's permissions to files. Note that by locking down your files in this way, your system becomes much less widely accessible to staff, and someone will need to be in charge of and regularly available for changes to permissions and group settings as needed. The increased control of your files is well worth this task overhead. (Note also that Team Drive permissioning carries other operational tradeoffs around folder structure: it may limit who can create folders and move files around, which can benefit the clarity with which files are organized and may also run counter to staff expectations and be quite disruptive.)* + +:heavy_check_mark: **Turn on two-factor authentication, and, in conjunction with appropriate planning, training, and support, enforce it for all users. Use Google Authenticator codes or universal two-factor (U2F) hardware keys as a second factor rather than text message codes, and make sure staff reports immediately if their second factor is lost or stolen.** +:rocket::rocket::rocket::wrench::wrench::wrench::fire::fire::fire: +*One of the advantages of GSuite as a platform is its support for two-factor authentication, whereby users to prove their identity at login with two things that they know or control: 1) a password and 2) a hardware key, code produced by a program running on their computer or phone, a text message code, or even a list or codes they have printed out. Unless your organization owns and manages the cell phones that would be receiving a text message, it is strongly advised that all staff use a non-text-message-based second factor when logging into Google services, especially for any accounts with Super Admin or other administrative rights to your GSuite domain. 
This is because it can be surprisingly easy for someone to take over control of a cell number via social engineering and/or fraud (see https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief, https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/, and https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/ for more information).* +*There are several alternatives to text messaging for this purpose. Google Authenticator is available in the Google Play store for Android phones, in the App Store for iOS devices, and as a Chrome extension for use in the browser. The most common U2F hardware key is called a Yubikey and can be ordered at: https://www.yubico.com/gafw/. Using this link and logging into your GSuite admin account will allow you to order up to 50 keys at the half-price cost of $9 each.* +*Because of the choices available, the impact of this change on staffs' daily work, and the consequences of disrupted access to GSuite accounts, careful planning for the rollout of two-factor authentication is essential. Furthermore, enforcing two-factor authentication for all users requires each staff member to participate in this rollout in very specific ways. Refer to all the information and resources below to understand the scope of necessary planning.* +*Information about setup, as well as links to training materials for staff, is detailed in this document: https://support.google.com/a/answer/175197. Have staff print backup codes (see directions here: https://support.google.com/accounts/answer/1187538) so that they can still get into their account if their phone or hardware key is lost or stolen. Although those backup keys will allow them keep working, it is important to train users to report a lost second factor or set of backup codes to whomever is responsible for administration of your GSuite domain. 
Once reported lost or stolen, a security key MUST be revoked (https://support.google.com/a/answer/2537800#seckey), backup codes MUST be regenerated by the user (https://support.google.com/accounts/answer/1187538) or a Google Authenticator app MUST be removed as a second factor to preserve your security levels.* +*Be aware that separate passwords for applications such as email or calendaring clients that do not support the two-factor process will become necessary, and you will want to be sure you help staff create those as outlined in this document: https://support.google.com/a/answer/1032419.* +*You can also use the Advanced Security Settings, which can be applied to all of your users, or any group of users in an Organizational Unit, to require that two-factor authentication is set up within a certain amount of time after a user's first login. Although this may put a strain on technical support resources, it is highly recommended. Directions to enforce two-factor authentication can be found at https://support.google.com/a/answer/2548882.* +*Note: A more general version of this recommendation can be found in the Authentication Checklist that is part of this document set. Two-factor authentication is a best practice for use with any service or tool that supports it, and each will have its own set of options available--and planning steps--for you and your staff to consider.* + +:heavy_check_mark: **Implement controls that make it difficult for anyone to spoof email from your domain.** :rocket::rocket::rocket::wrench::wrench::wrench::wrench::fire::fire: -*Google has produced a strong set of tools to allow other email systems to verify that email coming from your GSuite domain is in fact yours, preventing "spoofed" emails. 
Google uses the latest Internet standards called Domainkeys Identified Mail (DKIM), Sender Policy Framework (SPF) records, and the associated Domain-based Message Authentication, Reporting & Conformance (DMARC) to do this, and has a set of documents that will guide you through setup that are available from this link: https://support.google.com/a/topic/4388154. -*This is a highly technical set of tasks which also involve your Domain Name Servers (DNS) which may not be hosted at Google, but will make it very hard for your email addresses to be abused for phishing or other attacks against others as well as faked internally.* -*Be aware that SPF records require identifying **all** * *the services that are currently sending email on your behalf (which could be databases, mass mailing tools, email list hosts, fundraising tools and more) and incorrect configurations can cause your email to be incorrectly marked as spam. Determining this list carefully is critical to implementing this recommendation in a way that does not interrupt ongoing operations. Once setup, you will need to maintain this list and make changes any time your organization adopts any other tools that send email from the same domain as your GSuite email addresses but otherwise should be invisible in operation.“Hard fail” settings (records ending in "-all") are preferred for SPF records wherever possible, but be careful as this can cause email bounces if your records are not carefully tuned.* -*A more general version of this recommendation can be found in the Email Safety Checklist that is part of this document set but is more easily setup in an integrated platform like GSuite than in many other environments so here is rated slightly lower in difficulty and skill required.* +*Google has produced a strong set of tools to allow other email systems to verify that email coming from your GSuite domain is in fact yours, preventing spoofed emails. 
(Email spoofing is the creation of email with a forged "from" address, generally sent with the intent to deceive the recipient.) Using them will make it very hard for your email addresses to be abused for phishing or other attacks against others as well as faked internally. These tools use the latest Internet standards called Domainkeys Identified Mail (DKIM), Sender Policy Framework (SPF) records, and the associated Domain-based Message Authentication, Reporting & Conformance (DMARC) to do this. Documentation that will guide you through setting them all up is at https://support.google.com/a/topic/4388154. +*This is a highly technical set of tasks which also involve your Domain Name Servers (DNS) which may not be hosted at Google and so require a different login and may not have an easy interface to work within.* +*Correct SPF records require identifying **all** *the services that are currently sending email on your behalf (which could include databases, mass mailing tools, email list hosts, fundraising tools, and more) and incorrect configurations can cause your legitimate email to be marked as spam. For this reason, determining this list carefully is critical to implementing this recommendation in a way that does not interrupt ongoing operations. Once your SPF record is set up, you will need to maintain by making changes any time your organization adopts any new tools that send email from the same domain as your GSuite email addresses. (Other than this maintenance, the tools listed should function in the background and be invisible in their operation.) “Hard fail” settings (records ending in "-all") are preferred for SPF records wherever possible, but be aware that this can cause email bounces if your records are not carefully tuned.* +*A more general version of this recommendation can be found in the Email Safety Checklist that is part of this document set. 
It is more easily set up in an integrated platform such as GSuite than in many other environments, so here is rated slightly lower in difficulty and skill required.* -:heavy_check_mark: **Disable email forwarding for users so that any sensitive internal emails don't end up traveling insecurely to other email accounts or remain in less secured email systems that are vulnerable to attack.** +:heavy_check_mark: **Disable email forwarding for users so that any sensitive internal emails don't end up traveling insecurely to other email accounts or remain in less-secured email systems that are vulnerable to attack.** :rocket::wrench::fire: -*Although it is handy for people to be able to forward their organizational email to personal or other email accounts, your organization has no control over how that email gets there and how secured it is once it gets there. By allowing email forwarding to other systems, you create a point of potential disclosure for internal conversations that would be otherwise locked into Google's secured infrastructure and (assuming you follow this checklist in full) protected by strong passwords and two factor authentication. This is a simple setting that can be applied to all users or a set of users in an Organizational Unit as detailed in this document https://support.google.com/a/answer/2491924.* +*Although it can be handy for people to be able to forward their organizational email to personal or other email accounts, your organization has no control over how that email travels and how secured it is once it gets there. By allowing email forwarding to other systems, you create a point of potential disclosure for internal conversations that would be otherwise locked into Google's secured infrastructure and (assuming you follow this checklist in full) protected by strong passwords and two-factor authentication. 
This is a simple setting that can be applied to all users or a set of users in an Organizational Unit as detailed at https://support.google.com/a/answer/2491924.* :heavy_check_mark: **Educate your staff on file sharing, including the higher security of sharing by email address and risks associated with sharing files by link.** :rocket::rocket::wrench::fire: -*All users should be trained on the exact options available to them for sharing files in GSuite both with peers in the organization and others outside. This help document provides a good overview https://support.google.com/drive/answer/2494822. Even if sharing this article, the complexity involved here is high and so in person or webinar training with live practice is always preferable.* -*Although it is very easy to click the "Get shareable link" on a file or folder and send it to someone for collaboration, there are risks associated with this way of sharing. It is always better to avoid link sharing, as you cannot control that link after it has left your hands. The tightest sharing is by filling out the "People" field with email addresses associated with Google based accounts whether inside your domain or not. However, not everyone has a Google account or a you need to post a to another system and so sometimes a link is necessary. If using link sharing, be sure to watch out for accidentally making a file public, choosing "anyone with the link" instead. You should also teach users set an expiration date, even if far in the future so that the file or folder in question eventually becomes unshared. Last it is important to choose the most limited permissions appropriate -- allowing people with the link to only view or comment on a file if they do not need to change it's contents.* +*All users should be trained on the exact options available to them for sharing files in GSuite both with peers in the organization and others outside. 
This help document provides a good overview: https://support.google.com/drive/answer/2494822. Though this article is clear, helpful, and very suitable for end users, document sharing and collaboration workflows can be complex; it is recommended to document some guidelines based on your organization's specific ways of working and then offer in-person or webinar trainings, with live practice, to develop shared understanding and strong usage practices among staff.* +*Although it is very easy to click the "Get shareable link" on a file or folder and send it to someone for collaboration, there are risks associated with this way of sharing. It is always better to avoid link sharing, as you cannot control that link after it has left your hands. The tightest sharing is by clicking the "Share" button and filling out the "People" field with email addresses associated with Google-based accounts, whether inside your domain or not. If sharing in this way, you can copy the link from your address bar and share it safely. Although it doesn't always transfer the way you expect, the only risk is that the link won't work and not an increased risk of accidental disclosure of data.* +* Of course, not everyone has a Google account and sometimes you need to post a to another system and so sometimes a shareable link is necessary. If using link sharing, be sure to watch out for accidentally making a file public, choosing "anyone with the link" instead. You should also teach users set an expiration date, even if far in the future so that the file or folder in question eventually becomes unshared. 
Last it is important to choose the most limited permissions appropriate -- allowing people with the link to only view or comment on a file if they do not need to change it's contents.* -:heavy_check_mark: **Make sure someone is assigned to regularly monitor what is happening in GSuite, has time to do so and knows how to identify and escalate any security incidents or other concerns about abnormal usage.** +:heavy_check_mark: **Make sure someone is assigned to regularly monitor what is happening in GSuite, has time to do so, and knows how to identify and escalate any security incidents or other concerns about abnormal usage.** :rocket::rocket::wrench::wrench::fire: -*Another advantage of an advanced integrated platform like GSuite is the availability of reporting on what is happening with your organizational tools and information over time. Generally this is an important security practice for all tools, but is much more accessible in GSuite that in other places. You want one individual or a team tasked with this ongoing monitoring, even if an outside tech support person, so that problems are caught quickly. Monitoring should be done on no less than a monthly basis and preferably more often. To make sure that happens, it is important to ensure that the person, team or outside party has time to perform the monitoring by incorporating it into their work plan or scope of work. The goal of this monitoring is to find unexplained account behavior such sudden growth in file sets or email activity so the person with this job should establish a baseline of activity and should look for trends outside of that baseline. Any questionable activity should be investigated with the user(s) involved or escalated to a tech support professional.* -*Activity Reports are available inside the administrative console including use of two factor authentication, external apps installed, emails sent/received and file activity in Google Drive. 
An article describing these basic reports is at https://support.google.com/a/answer/4580176. A broader explanation of all the reporting available to you in GSuite can be found at https://support.google.com/a/answer/6000239.* -*It is important to always regularly review the security settings of your users, especially password strength for any users not enrolled in two factor authentication, as described here: https://support.google.com/a/answer/2537800#password. Google is constantly updating there password strength rating system to check for leaked passwords and other emerging threats so a password that is judged strong one week may not be the next. Of course this is less important for users with two factor authentication as their password is only half of what is needed to hijack their account.* +*Reporting on what is happening with your organizational tools and information over time this is an important security practice. This is true for all tools, and an advantage of GSuite is that it makes this kind of reporting more accessible than in other tools. You want one individual or a team tasked with this ongoing monitoring, even if it's an external tech support provider, so that problems are caught quickly. Monitoring should be done on a schedule, no less than a monthly and preferably more often. To sustain this practice, it is essential that the person, team, or external provider is assigned this task via their workplan or scope of work. The goal of monitoring is to find unusual behavior such as sudden growth in file sets or email activity, so the responsible party should first establish a baseline of normal activity and then look for trends outside of that baseline. 
Any questionable activity should be investigated with the users whose accounts are involved, or escalated to a tech support professional.* +*Activity Reports are available inside the administrative console including use of two-factor authentication, external apps installed, emails sent/received and file activity in Google Drive. An article describing these basic reports is at https://support.google.com/a/answer/4580176. A broader explanation of all the reporting available to you in GSuite can be found at https://support.google.com/a/answer/6000239.* +*In addition to this activity monitoring, it is important to regularly review the security settings of your users, especially password strength for any users not enrolled in two-factor authentication, as described here: https://support.google.com/a/answer/2537800#password. Google is continually updating their password-strength rating system in response to leaked passwords and other emerging threats, so a password that is judged strong one week may be judged weak the next. (This is less important for users with two-factor authentication, because in those cases as their password is only half of what is needed to access their account.) When you see a weak password in your systems, it should be changed. If you have regular contact with the user in question, walking them through changing to a better password is the best option. If you don't have regular access or they don't use the systems regularly, you can reset the password (using these directions) so the account is protected, get them the new password and then proceed as above, helping them to change that password to something stronger. 
In the case of an account where you cannot get the user a new password (so reset isn't an option) but that is rarely used you can follow these directions to suspend the account and reenable it as needed: https://support.google.com/a/answer/33312?hl=en.* -:heavy_check_mark: **Train users not to check the "Don't ask again on this computer" checkbox when using public or other untrusted computers, to logout after using such computers and to untrust computers that are lost, stolen or otherwise compromised** +:heavy_check_mark: **Train users not to check the "Don't ask again on this computer" checkbox when using public or other untrusted computers, to logout after using such computers, and to untrust computers that are lost, stolen or otherwise compromised.** :rocket::wrench::fire: -*This practice will help ensure that all your other efforts to create high barriers to accessing your information are successful. When a user checks the "Don't ask again on this computer" box when logging in with two factor authentication, they are telling Google not to ask for a password or 2nd factor for 30 days. In the case of a poorly managed (i.e. not regularly cleaned or reset) computer in a library, Internet cafe or other public place, this leaves an account wide open to abuse during that period. Though Google will prompt again for password changes and other sensitive actions, that computer retains the ability to access account information, send emails and read and edit documents. Trusted computers can always be reviewed, or the trust revoked, within a user's account settings as detailed here: https://support.google.com/accounts/answer/2544838. +*This practice will help ensure that all your other efforts to create high barriers to accessing your information are successful. When a user checks the "Don't ask again on this computer" box when logging into GSuite with two-factor authentication, they are telling Google not to ask for a password or second factor for 30 days. 
In the case of a poorly managed (i.e. not regularly cleaned or reset) computer in a library, Internet cafe, or other public place, this leaves an account wide open to abuse during that period. Though Google will prompt again for password changes and other sensitive actions, that computer retains the ability to access account information, send emails, and read and edit documents. Trusted computers can always be reviewed, or the trust revoked, within a user's account settings as detailed here: https://support.google.com/accounts/answer/2544838. -:heavy_check_mark: **Install Chrome browser on all staff computers, set as the default and make sure it is regularly updated. Make sure staff know to use Chrome with all of your GSuite tools.** +:heavy_check_mark: **Install Chrome on all staff computers and set it as the default web browser. Make sure staff know how to keep it updated and that they use Chrome instead of other browsers whenever they are using GSuite tools.** :rocket::rocket::wrench::wrench::fire: -*This practice will help you have strong security between your web browser and Google's services. Because they control both things, they have a lot of ways to verify that your connection is well secured, that newer features like two factor authentication work well, and can push out corrected software if they have a security incident in their infrastructure. Generally Chrome will self update, but you should teach your staff how to recognize when an update is available (as described here: https://support.google.com/chrome/answer/95414). Closing and reopening the browser will allow it to update to the latest, and most secure version.* +*This practice will help you have strong security between your web browser and GSuite. 
Because Google controls both things, they have a lot of ways to verify that your connection is well-secured and that newer features like two-factor authentication work wely; they can also push out corrected software if they have a security incident in their infrastructure. Generally Chrome will self-update, but you should teach your staff how to recognize when an update is available (as described here: https://support.google.com/chrome/answer/95414). Quitting and reopening the browser will allow it to update to the latest, most secure version.*
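Review bot: The password-reset guidance added in the monitoring item points the reader to "these directions" without any link, unlike every other procedure in this section; add the Google Help URL for resetting a user's password so an administrator can actually follow the step (the neighbouring suspend/re-enable step does link to https://support.google.com/a/answer/33312?hl=en). Several added sentences also need grammar fixes before merge: in the two-factor item, "whereby users to prove their identity" should read "whereby users prove their identity" and "a list or codes they have printed out" should read "a list of codes"; in the spoofing item, "you will need to maintain by making changes" is missing "it" after "maintain"; in the file-sharing item, "sometimes you need to post a to another system" is missing a noun after "a" (the same gap exists in the removed text, so it was not introduced here but should not survive the rewrite), "teach users set an expiration date" needs "to" before "set", and "change it's contents" should be "its"; in the monitoring item, "Reporting on what is happening ... over time this is an important security practice" has a dangling "this", "no less than a monthly" should drop "a", and "because in those cases as their password" should drop "as"; and in the Chrome item, "work wely" should be "work well".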