Commit 1e37303a authored by Lisa Jervis's avatar Lisa Jervis

formatting cleanup

parent e5defeca
---
document set: DRAFT DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
title: Digital Security Readiness Assessment Tool
author: Jonah Silas Sheridan, Lisa Jervis for Information Ecology
last modified: 10/26/17
version: "2.0, PEER REVIEWED"
last modified: 11/27/17
version: "2.01, PEER REVIEWED"
---
# Digital Security Readiness Assessment Tool
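Review bot: the commit message says "formatting cleanup", but this hunk also drops DRAFT from the document set name and bumps the version from "2.0, PEER REVIEWED" to "2.01, PEER REVIEWED" with a new last-modified date (10/26/17 to 11/27/17); those are status and content changes, not formatting, and should be named in the commit message or split into their own commit so the history records when the draft label was removed.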
......@@ -27,18 +27,18 @@ Even if you are at or above the thresholds indicated, be sure to note the places
Score: ____      **Have a culture of training and learning, including strong technology training and follow up as part of new staff orientation procedures.**
*New tools and practices demand end-user training. If your organization doesn't have established practices around training--when new people are hired, when refresher trainings are needed, and when important processes change--implementing improved and possibly complex secure practices is nearly impossible. Beginning with documentation and training for new hires is a wise first step in this area. Following up with new employees at 30-day intervals will ensure they continue to get the support they need to do their work effectively and securely. When a new process is introduced, it is like everyone in your organization is new to it, so initial training with similar follow-up is recommended.*
Score: ____      **Have a common and clearly communicated set of information systems that are administered by the organization and used with defined processes; ensure that all staff follow these processes effectively and are not using other systems for their work.**
Score: ____      **Have a common and clearly communicated set of information systems that are administered by the organization and used with defined processes; ensure that all staff follow these processes effectively and are not using other systems for their work.**
*If your staff are using personal file-sharing, email, task management, or other accounts without knowledge or guidance from the organization, not only will your efficiency suffer but the environment becomes impractical to secure. How can you protect things you have no access to at an administrative level or, worse yet, don't even know are in use? A good place to start figuring this out if by making an inventory, collaboratively with all staff, of all the places that your information is currently stored.*
*An important way this issue shows up in your organization is the use of cloud services. While many organizations use their personal accounts on those systems, official organizational accounts are vastly preferable. If your organization is a registered US 501c3 non-profit, most cloud providers offer licenses for their applications for free or at a discount, providing you significant capacity to centrally manage, back up, and monitor your information at a low cost.*
Score: ____      **Have technology champions at all levels of the organization, especially leadership, and strong supervisory support and participation in systems adoption.**
Score: ____      **Have technology champions at all levels of the organization, especially leadership, and strong supervisory support and participation in systems adoption.**
*Leadership for technology and operations within your organization can and should come from all levels. Junior staff and younger "digital natives" on staff often use or are open to using more technology in their work so can be motivated to participate in the planning and deployment of information systems and promote uptake among peers. Of course, demonstrations of support for and engagement with technology initiatives from management are also powerful motivators for staff. Visible participation by executive leadership in training on and use of official organizational tools is a powerful modeling of preferred behavior and critical to changing organizational habits and culture.*
Score: ____      **Have a complete policy set describing employees' responsibilities and limitations on their facilities, hardware, and information systems use.**
Score: ____      **Have a complete policy set describing employees' responsibilities and limitations on their facilities, hardware, and information systems use.**
*Legal and operating risk due to inconsistent expectations and behavior can hamper even the most well-designed security plan. Managing your risk, employee awareness, and compliance through a strong set of workplace policies around technology but also more generally will set you up for security initiative success.*
Score: ____      **Develop and evaluate baseline non-technical security practices in an ongoing way.**
Score: ____      **Develop and evaluate baseline non-technical security practices in an ongoing way.**
*If you do not control your office space and access to your computers, your other digital security steps can be easily circumvented by walking into your office. Rotate alarm system codes, door codes, wireless network passwords, and other access mechanisms (for example, emergency building access plans) when staff leave the organization. Sophisticated attackers can gain full control of a computer or network with even a short period of physical access to your space or digital access to unsecured systems. More importantly, non-technical security practices help build healthy habits and a culture of security in your organization.*
Subtotal, Cultural Hallmarks: ____
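Review bot: typo in the unchanged context of this hunk, "A good place to start figuring this out if by making an inventory", should read "is by making an inventory"; since the surrounding lines are already being touched for whitespace, fold the fix in here. In the same hunk, "training and follow up as part of new staff orientation" uses "follow up" as a noun and should be hyphenated ("follow-up"), matching "similar follow-up" later in that paragraph.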
......@@ -61,7 +61,7 @@ Subtotal, Technology Operations: ____
## Digital Security Baseline Capacities
Score: ____      **Have a process for properly onboarding and offboarding staff and volunteers that includes attention to your information systems.**
Score: ____      **Have a process for properly onboarding and offboarding staff and volunteers that includes attention to your information systems.**
*The expansion or contraction of your team is a critical change in your security context, and so is an important moment to institute strong security measures. Your onboarding process should include detailed steps for the creation of accounts and instructions on how to determine and grant the correct and minimum permissions needed for that person's role. When a staff member or volunteer departs, ensure that any of the organization's data that is on their personal or work devices is copied to relevant organizational systems and/or destroyed as necessary. Also at offboarding, all individual accounts belonging to the outgoing person should be deleted and any organizational passwords that they used or accessed in their work should be changed to something new.*
Score: ____      **Make sure the computers and other devices you use, including personal devices that staff may use to access organizational information, are only running only the software expected, and only the most recent version of those programs. Have a plan to detect and remove malware, viruses, or other intrusive software and run update tools regularly.**
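Review bot: duplicated word in the last line of this hunk: "are only running only the software expected" should read "are running only the software expected".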
......@@ -71,7 +71,7 @@ Score: ____      **Make sure the computers and other de
*Note that there are other ways in which your devices can be compromised at a level underneath the operating system; this cannot be remedied by an OS reinstall. If your computers have been handled by third parties you don't trust or out of your possession in a hostile environment, or if you suspect intrusion by powerful or well-resourced entities, get a new computer and call a security professional.*
Score: ____      **Minimize or eliminate the use of shared accounts where more than one person, especially less-vetted parties like volunteers, can log in to your systems using the same credentials.**
Score: ____      **Minimize or eliminate the use of shared accounts where more than one person, especially less-vetted parties like volunteers, can log in to your systems using the same credentials.**
*While in the short term it seems expedient and can be cheaper to share accounts and login information, the long-term ability to monitor and control access is more important to security outcomes. In addition, the disruption and security concerns caused by changing a broadly used password and sharing it around are potential costs that shouldn't be ignored. Sophisticated systems like G Suite or Office 365 allow for "account delegation," where two people can share an account using their own distinct login credentials; this is a better way to solve these challenges than account sharing.*
Score: ____      **Have a disaster recovery plan that includes making and testing regular backups of organizational data that are stored away from your main office site. Backup drives should at a minimum be stored in a physically secure location like a locking file cabinet or safety deposit box, and ideally encrypted so that only you can access them. Do not rely exclusively on third parties to back up and hold your information.**
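Review bot: the disaster recovery item recommends that offsite backup drives be "ideally encrypted so that only you can access them" but says nothing about where the decryption key or passphrase lives; if the key is kept only in the office, the same event that destroys the office makes the backups unreadable. Suggest adding a clause that the key is stored separately from the drives and that the backup tests the item already calls for include a full decrypt-and-restore from one of the stored drives.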
......@@ -2,8 +2,8 @@
document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
title: Directions and Legend
author: Jonah Silas Sheridan, Lisa Jervis
last modified: 10/26/17
version: "2.0, PEER REVIEWED"
last modified: 11/27/17
version: "2.01, PEER REVIEWED"
---
# Directions for Use
......@@ -2,8 +2,8 @@
document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
title: Wireless Network Safety Checklist
author: Jonah Silas Sheridan, Lisa Jervis
last modified: 10/27/17
version: "2.0, PEER REVIEWED"
last modified: 11/27/17
version: "2.01, PEER REVIEWED"
---
# Wireless Network Safety Checklist
......@@ -20,48 +20,43 @@ This checklist provides a number oF practices that can help protect you and your
:heavy_check_mark: Record actions
:rocket: Implementation management overhead
:wrench: Technical skill level required
:wrench: Technical skill level required
:fire: Work flow disruption for staff
## Wireless Network Safety Tasks
:heavy_check_mark:     **Prefer Firefox or Chrome browsers. Only use Internet Explorer and Safari when required. Keep all web browser software, including extensions, updated to the latest version.**
:rocket::wrench::fire:
:rocket: :wrench: :fire:
*Internet Explorer has had a much higher incidence of vulnerabilities than Chrome and Firefox, while Safari has suffered some recent security concerns. Although nearly all of the latest browsers support “certificate pinning,” which makes it harder to intercept secure connections, [Chrome](https://google.com/chrome) (https://google.com/chrome) and [Firefox](https://getfirefox.com/) (https://getfirefox.com/) have led the development of this important feature.*
:heavy_check_mark:     **Install the HTTPS Everywhere extension on all of the web browsers you use.**
:rocket::wrench::fire:
:rocket: :wrench: :fire:
*The "s" in HTTPS stands for "secure," and when you see "https://" rather than "http://" in your browser's address bar, it means that you are securely connected to the site you are visiting: The information being sent back and forth between your browser and the site's server is encrypted and so cannot be seen by others on the network or the operator of the network itself. The browser extension HTTPS Everywhere, produced by the [Electronic Frontier Foundation](https://eff.org) (https://eff.org) forces your browser to connect using HTTPS instead of HTTP to any site that makes an HTTPS connection available, thus increasing the proportion of your traffic that cannot be viewed or altered by others on your network. You can install that plugin at [https://www.eff.org/HTTPS-EVERYWHERE](https://www.eff.org/HTTPS-EVERYWHERE).*
:heavy_check_mark:     **Install Privacy Badger, a browser add-on that will limit the “cookies”--small persistent chunks of information--set on your computer by websites.**
:rocket::wrench::fire::fire:
:rocket: :wrench: :fire: :fire:
*Privacy Badger (also produced by the [Electronic Frontier Foundation](https://eff.org) (https://eff.org)) is designed to help reduce the privacy breaches and tracking that come with the use of cookies. These cookies can be transferred insecurely and so can, if poorly implemented, expose login credentials or other information in transit. As an extra benefit, using this extension will increase your privacy and reduce the extent to which you are tracked online. Download it at [https://privacybadger.org](https://privacybadger.org).*
*Note that if you are using integrations between different web-based systems in your work (for example, connecting file-sharing systems such as Google or Box to project management systems such as Asana or Basecamp), you will need to tune your Privacy Badger settings for those sites to keep the integrations working properly.*
:heavy_check_mark:     **When you have a choice, pick wireless networks that use a password, ideally a unique one for each person connecting, and those that use WPA or WPA2 encryption rather than WEP encryption.**
:rocket::wrench::fire:
:rocket: :wrench: :fire:
*A password on a wireless network means the information moving across it is less easily captured and decoded by someone nearby. However, in most cases everyone with that password can at least see some parts of your network connections--but if everyone has a unique password this becomes quite hard to do. WPA and WPA2 offer stronger protection than WEP, which is now relatively easily compromised. Most computers offer an easy way to view what encryption is in use on a given network. In OSX, hold down the Option key and click the wireless indicator in the top right corner to reveal extra information about each wireless network. The method for viewing these details is different in each version of Windows, so ask your tech support provider for assistance for the software you use.
Note that some broad attacks on WPA encryption schemes have recently come to light. Consequently this recommendation has only limited utility, and for sensitive operations a VPN or other encrypted connection is necessary to ensure the confidentiality of your information.*
:heavy_check_mark:     **Confirm the network details before you connect.**
:rocket::rocket::wrench::fire:
:rocket: :rocket: :wrench: :fire:
*An attacker can set up an access point with a name similar or identical to a legitimate one, so that you connect to the attacker's network instead of the one you intend. Make sure to ask the proprietor of a public network what the network name and password are, and connect to the network with that name that accepts that password. This doesn't completely guarantee that the network you are connecting to isn't hostile or compromised, but it makes the difficulty of hijacking your connection much higher.*
:heavy_check_mark:     **Ensure that the wireless network is not presenting false certificates, and do not import any certificates you are asked to install.**
:rocket::rocket::rocket::rocket::wrench::wrench::wrench::fire::fire::fire:
:rocket: :rocket: :rocket: :rocket: :wrench: :wrench: :wrench: :fire: :fire: :fire:
*Increasingly, networks are set up to monitor traffic for various reasons such as ad placement or content filtering. However, this potentially compromises all secure connections, as it allows traffic to be monitored via the same mechanism in what is called a man-in-the-middle (MITM) attack. Under these circumstances the network device will ask you to install a certificate that it controls and then will replace the security certificate from the service you are connecting to with the one you installed. Anyone with access to that device can now see any communication between you and that service. Learning to view certificates in your web browser, or installing and learning to use a tool such as [Certificate Patrol](http://patrol.psyced.org/) (http://patrol.psyced.org/), available only for Firefox, will help you identify certificate changes but in normal operation also causes many alert windows to appear as vendors change their certificates.*
*Google has created documentation for [viewing certificate information in Chrome](https://support.google.com/chrome/answer/95617?hl=en) (https://support.google.com/chrome/answer/95617?hl=en). Mozilla has [similar documentation for Firefox](https://support.mozilla.org/en-US/kb/secure-website-certificate) (https://support.mozilla.org/en-US/kb/secure-website-certificate) as well as some [overall instructions on connection security](https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure) (https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure).*
:heavy_check_mark:     
**Use a Virtual Private Network (VPN) to securely tunnel out of wireless networks.**
:rocket::rocket::rocket::wrench::wrench::wrench::fire::fire::fire:
:rocket: :rocket: :rocket: :wrench: :wrench: :wrench: :fire: :fire: :fire:
*A VPN creates a secure connection for your computers and mobile devices to use to access the Internet (or an office network). This connection, or tunnel, can be used to hide all information moving between your computers and the Internet (or office network) from the operator or other users of the wireless network. Use of a VPN severely limits your exposure to the owner and operator of the network you are on and so significantly reduces the amount of trust you have to place in them. These factors make VPNs a very effective way to protect your traffic from observation or interception on untrusted networks.*
*A VPN is implemented via a device you own located in your office or at an offsite facility, or that a third party hosts for you. If hosting your own VPN hardware, make sure you budget for ongoing maintenance, licensing, and software updates; otherwise, the device mediating your connection will become a vulnerability instead of a security improvement. Also recognize that in setting up a device to use for VPN connections inside your office, many offsite staff will be dependent on your office Internet line for their work. If this Internet connection is unstable, undersized, or asymmetric (made for downloading more than uploading, such as DSL or residential cable connections), the VPN will not work well for staff. For this reason, paying to locate your VPN device in a data center is the best way of getting a high trust, high-performance VPN in place.*
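Review bot: formatting inconsistency left in the VPN item: the ":heavy_check_mark:" marker sits alone on a line with trailing spaces and the bold task text starts on the following line, whereas every other task in this hunk keeps marker and title on one line; for a formatting cleanup commit these should be joined. Two smaller points in the unchanged context: the hunk header text reads "a number oF practices" (stray capital), and "In OSX, hold down the Option key" should use the product's actual spelling, "OS X" or "macOS".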
......@@ -50,6 +50,6 @@ These documents could not exist without the support of a large group of readers,
This content is released under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/) and can be remixed, translated, or amended freely as long as the results are shared in turn and the original documents are attributed to Information Ecology.
[Creative Commons Attribution-ShareAlike 4.0 International License Image](https://i.creativecommons.org/l/by-sa/4.0/88x31.png)
![Creative Commons Attribution-ShareAlike 4.0 International License Image](https://i.creativecommons.org/l/by-sa/4.0/88x31.png)
See the [license file](LICENSE) for full license terms.
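Review bot: style point on the badge line: adding "!" correctly turns the bare link into a rendered image, but the alt text "Creative Commons Attribution-ShareAlike 4.0 International License Image" carries a redundant "Image" (screen readers already announce it as an image), and the badge would be more useful wrapped in a link to the license URL that the preceding sentence already cites.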