From ade64843f7ff2bdc5a6edf2e957c1c5422d758de Mon Sep 17 00:00:00 2001 From: Jonah Silas Sheridan <jonah@iecology.org> Date: Mon, 12 Jun 2017 17:15:45 -0700 Subject: [PATCH] 1.1 minor update; new assessment tool --- 1_checklist_introduction.md | 8 +++-- 2_readiness_assessment.md | 63 +++++++++++++++++++++++++++++++++++++ 2_readiness_checklist.md | 40 ----------------------- README.md | 6 ++-- 4 files changed, 72 insertions(+), 45 deletions(-) create mode 100644 2_readiness_assessment.md delete mode 100644 2_readiness_checklist.md diff --git a/1_checklist_introduction.md b/1_checklist_introduction.md index e668b27..bf13b8c 100644 --- a/1_checklist_introduction.md +++ b/1_checklist_introduction.md @@ -2,8 +2,8 @@ document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS title: Introduction author: Jonah Silas Sheridan, Lisa Jervis -last modified: 11/18/2015 -version: "1.0, PEER REVIEWED VERSION FOR PUBLIC USE" +last modified: 5/12/17 +version: "1.1, INTERNALLY REVIEWED VERSION FOR PUBLIC USE" --- # Introduction 
@@ -11,6 +11,10 @@ version: "1.0, PEER REVIEWED VERSION FOR PUBLIC USE" This set of documents was made to help small non-profits and NGOs improve their digital security outcomes despite limited resources and technical skill availability. The content was commissioned as part of the [Weathering The Storms]("http://www.roadmapconsulting.org/WTS") initiative of [RoadMap Consulting]("http://www.roadmapconsulting.org/WTS") and fiscally sponsored by [Common Counsel Foundation]("http://commoncounsel.org") of [Oakland, California]("https://localwiki.org/oakland/"). The content was researched and prepared by Jonah Silas Sheridan and Lisa Jervis, Principals of [Information Ecology]("https://iecology.org"), a capacity building consultancy specializing in non-profit and movement technology management, and was peer reviewed by generous members of our community. Many other eyes and hands have helped tune the recommendations to ensure technical accuracy and ease of use. We are grateful to all the members of our community that have helped bring these documents to life. +## When was this document set created and last updated? + +These documents were originally researched and peer reviewed in Fall 2015. Some small edits for clarity have occurred since. A minor 1.1 revision of Spring 2017 updated and improved the [Readiness Assessment Tool](2_readiness_assessment.md) based on field experience. A full review, update and extension of the checklist set is in process as of June 2017 and is expected to be released in Fall 2017. Contact [RoadMap Consulting](https://roadmapconsulting.org) or [Information Ecology](https://iecology.org/contact) + **If you have feedback or questions about this document set, its contents or how to use it, please contact Information Ecology using [our secure contact form]("https://iecology.org/contact") or PGP encrypted email to info@iecology.org using [this key]("https://iecology.org/0x3C2BACE5E10F3C7A_pub.txt")** ## About digital security 
diff --git a/2_readiness_assessment.md b/2_readiness_assessment.md new file mode 100644 index 0000000..c45ff36 --- /dev/null +++ b/2_readiness_assessment.md 
@@ -0,0 +1,63 @@ +--- +document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS +title: Digital Security Readiness Assessment Tool +author: Jonah Silas Sheridan, Lisa Jervis for Information Ecology +last modified: 5/12/2017 +version: "1.1, INTERNALLY REVIEWED VERSION FOR PUBLIC USE" +--- + +# Digital Security Readiness Assessment Tool +## Introduction +This assessment tool contains a list of baseline, ongoing information systems and technology practices that it is recommended your organization already have in place in order to successfully take on a digital security initiative. If you cannot check off more than 75% of the items in the list below, it is recommended you focus on meeting these baselines before proceeding with other digital security work. Even if at 75% or above, be sure to note the unmarked items and make plans to implement them as soon as possible, as not doing so will likely undermine your security efforts. + +## Cultural Hallmarks for Security Success +:heavy_check_mark: **Have a culture of training and learning, including strong technology training and follow up as part of new staff orientation procedures.** +*New tools and practices demand end-user training. If your organization doesn't have established practices around training--when new people are hired, when refresher trainings are needed, and when important processes change--implementing improved and possibly complex secure practices is nearly impossible. Beginning with documentation and training for new hires is a wise first step in this area. Following up with new employees at 30-day intervals will ensure they continue to get the support they need to do their work effectively and securely. 
When a new process is introduced, it is like everyone in your organization is new to it, so initial training with similar follow-up is recommended.* + +:heavy_check_mark: **Have a common and clearly communicated set of information systems that are administered by the organization and used with defined processes; ensure that all staff follow these processes effectively and are not using other systems for their work.** +*If your staff are using personal file-sharing, email, task management, or other accounts without knowledge or guidance from the organization, not only will your efficiency suffer but the environment becomes impractical to secure. How can you protect things you have no access to at an administrative level or, worse yet, don't even know are in use? A good place to start figuring this out if by making an inventory, collaboratively with all staff, of all the places that your information is currently stored. + +An important way this issue shows up in your organization is the use of cloud services. While many organizations use their personal accounts on those systems, official organizational accounts are vastly preferable. If your organization is a registered US 501c3 non-profit, most cloud providers provide licenses for their applications for free or reduced cost, providing you significant capacity to centrally manage, back up, and monitor your information at a low cost.* + +:heavy_check_mark: **Have technology champions at all levels of the organization, especially leadership, and strong supervisory support and participation in systems adoption.** +*Leadership for technology and operations within your organization can and should come from all levels. Junior staff and younger "digital natives" on staff often use or are open to using more technology in their work so can be motivated to participate in the planning and deployment of information systems and promote uptake among peers. 
Of course demonstrations of support for and engagement with technology initiatives from management are also powerful motivators for staff. Visible participation by executive leadership in training on and use of official organizational tools is a powerful modeling of preferred behavior and critical to changing organizational habits and culture.* + + +:heavy_check_mark: **Have a complete policy set describing employees' responsibilities and limitations on their facilities, hardware, and information systems use.** +*Legal and operating risk due to inconsistent expectations and behavior can hamper even the most well-designed security plan. Managing your risk, employee awareness, and compliance through a strong set of workplace policies around technology but also more generally will set you up for security initiative success.* + +:heavy_check_mark: **Develop and evaluate baseline non-technical security practices in an ongoing way** +*If you do not control your office space and access to your computers, your other digital security steps can be easily circumvented by walking into your office. Rotate alarm system codes, door codes, wireless network passwords, and other access mechanisms (for example, emergency building access plans) when staff leave the organization. Sophisticated attackers can gain full control of a computer or network with even a short period of physical access to your space or digital access to unsecured systems. More importantly, non-technical security practices help build healthy habits and a culture of security in your organization.* + +## Information Technology Operations that Support Security Outcomes + +:heavy_check_mark: **Have a recurrent line item for technology in your budget** +*Security is an ongoing process and will require regular investments in computer equipment and software to be effective. 
Work with your technical support provider to determine an appropriate amount to put into this line item.* + + +:heavy_check_mark: **Have regular and adequate technical support provided either by staff assigned via job description or contracted with outside agencies.** +*If your existing hardware and software are not well supported, introducing new tools and practices will likely meet with significant barriers, as new technologies and tools often demand significant ongoing technical support for proper setup and functioning. Your tech support providers are central to your ability to identify and protect your systems from attack, work they can't do if they don't exist. There are as many ways to obtain technical support as there are organizations. Talking to peer organizations in your area is a good way to find quality help.* + +:heavy_check_mark: **Regardless of technical support solution, have someone on staff assigned via job description to be responsible for technical operations, including managing technical support providers and systems upgrades.** +*No matter how you get your technical support needs, someone needs to have time and responsibility to manage the flow of ongoing support requests, to act as a point person for vendors and consultants, and to lead projects to improve infrastructure. Although this is critical when sourcing technical support services from outside of staff to ensure your organization is owning its own operations, it is perhaps even more important when assigning technical support responsibilities to someone on staff. If internal tech support doesn't have explicit time to put into systems changes and vendor management and can only spend time fixing broken hardware and software systems, your digital security initiatives will suffer from a lack of attention.* + +:heavy_check_mark: **Provide relatively new and adequately powered computers to all staff.** +*Industry standard best practice is to replace laptops and desktops every 3 to 5 years. 
Encryption tools use a lot of power and can bring older, inadequately powered computers to a near halt, making some security steps untenable for staff. Money for replacing 1/3 to 1/5 of your computers each year should be part of your recurring technology budgeting.* + +## Digital Security Baseline Capacities + +:heavy_check_mark: **Have a process for properly onboarding and offboarding staff and volunteers that includes attention to your information systems.** +*The expansion or contraction of your team is a critical change in your security context, and so is an important moment to institute strong security measures. Your onboarding process should include detailed steps for the creation of accounts and instructions on how to determine and grant the correct and minimum permissions needed for that person's role. When a staff member or volunteer departs, ensure that any of the organization's data that is on their personal or work devices is copied and/or destroyed as necessary. Also at offboarding, all individual accounts belonging to the outgoing person should be deleted and any organizational passwords that they used or accessed in their work should be changed to something new.* + +:heavy_check_mark: **Make sure the computers and other devices you use, including personal devices that staff may use to access organizational information, are only running the programs you expect them to by detecting and removing malware, viruses, or other intrusive software.** +*As a digital security first step, ensure you are running antivirus software on all computers. Antivirus software for Macs and Windows computers is available to non-profits at a discounted rate through [Tech Soup](http://techsoup.org). If you haven't been running antivirus software or otherwise aren't sure about the status of your devices, you can have the operating system (OS) on them reinstalled to help guarantee the computers are free of malware and viruses. 
This is one benefit of adopting "cloud"-based tools for your organization's information, in that your data is readily available on a freshly installed system. + +When reinstalling, use a copy from the OS provider wherever possible. Computer manufacturers often bundle other software in their installs, which may impact privacy and security but may also contain specific tools for the hardware (especially in laptops). + +Note that there are other ways in which your devices can be compromised at a level underneath the operating system; this cannot be remedied by an OS reinstall. If your computers have been handled by third parties you don't trust or out of your possession in a hostile environment, or if you suspect intrusion by powerful or well-resourced entities, get a new computer and call a security professional.* + +:heavy_check_mark: **Minimize or eliminate the use of shared accounts where more than one person, especially less-vetted parties like volunteers, can log in to your systems using the same credentials.** +*While in the short term sharing accounts and login information can be expedient and lower licensing fees, the long-term ability to monitor and control access is more important to security outcomes. In addition, the disruption and security concerns caused by changing a broadly used password and sharing it around are potential costs that shouldn't be ignored. Sophisticated systems like GSuite or Office365 allow for "account delegation," where two people can share an account using their own distinct login credentials; this is a better way to solve these challenges than account sharing.* + +:heavy_check_mark: **Have a disaster recovery plan that includes making and testing regular backups of organizational data that are stored away from your main office site. Backup drives should be at a minimum stored in a physically secure location like a locking file cabinet or safety deposit box, and ideally encrypted so that only you can access them. 
Do not rely exclusively on third parties to back up and hold your information.** +*This digital security practice is a straightforward way to protect yourself from a whole host of events that could compromise your information's integrity or cause you to lose access to it; it is so critical that it needs to come before any other digital security steps. Talk to your technical support provider about the status of your backups and when restoring data from them they was last tested. Refer to [this guide](http://www.techsoup.org/disaster-planning-and-recovery) and/or [this webinar](http://www.communityit.com/resources/webinar-february-18-2016-backups-and-disaster-recovery-for-nonprofits/) for ideas on how to improve your disaster preparedness.* diff --git a/2_readiness_checklist.md b/2_readiness_checklist.md deleted file mode 100644 index f8112ae..0000000 --- a/2_readiness_checklist.md +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS -title: Digital Security Readiness Checklist -author: Jonah Silas Sheridan, Lisa Jervis -last modified: 11/18/2015 -version: "1.0, PEER REVIEWED VERSION FOR PUBLIC USE" ---- - -# Digital Security Readiness Checklist -## Introduction -This checklist contains baseline, ongoing information systems and technology practices that it is recommended your organization already have in place in order to successfully take on a digital security initiative. If you cannot check off more than 75% of the items in the list below, it is recommended you focus on meeting these baselines before proceeding with other digital security work. Even if at 75% or above, be sure to note the unmarked items and make plans to implement them as soon as possible, as not doing so will likely undermine your security efforts. - -## Digital Security Readiness Tasks - -:heavy_check_mark: **Have regular and adequate technical support provided either by staff assigned via job description or contracted with outside agencies.** -*If your existing hardware and software are not well supported, introducing new tools and practices will likely meet with significant barriers, as new technologies and tools often demand significant ongoing technical support for proper setup and functioning. There are as many ways to secure technical support as there are organizations. Talking to peer organizations in your area is a good way to find quality help.* - -:heavy_check_mark: **Have a culture of training and learning, including strong technology training and follow up as part of new staff orientation procedures.** -*New tools and practices demand end user training. If your organization doesn't have established practices around training, implementing improved and possibly complex secure practices is nearly impossible. Beginning with documentation and training for new hires is a wise first step in this area. 
Following up with new employees at 30 day intervals will ensure they continue to get the support they need to do their work effectively and securely.* - -:heavy_check_mark: **Have a common and clearly communicated set of information systems that all staff use effectively.** -*If your staff are using personal file-sharing, email, task management, or other accounts without knowledge or guidance from the organization, not only will your efficiency suffer but the environment becomes impractical to secure. How can you protect things you have no access to at an administrative level or, worse yet, don't even know are in use?* - -:heavy_check_mark: **Have a recurrent line item for technology in your budget** -*Security is an ongoing process and will require ongoing investments in computer equipment and software to be effective. Work with your technical support provider to determine an appropriate amount to put into this line item.* - -:heavy_check_mark: **Provide relatively new and adequately powerful computers to all staff** -*Industry standard best practice is to replace laptops and desktops every 3 to 5 years. Encryption tools use a lot of CPU cycles and can bring older, less-powerful computers to a near halt, making some security steps untenable for staff. Money for replacing 1/3 to 1/5 of your computers each year should be part of your recurring technology budgeting.* - -:heavy_check_mark: **Have some baseline non-technical security practices** -*If you do not control your office space and access to your computers, your other digital security steps can be easily circumvented by walking into your office. 
Rotate alarm system codes, door codes, wireless network passwords and other sensitive access procedures such as emergency building access when staff leave the organization.* - -:heavy_check_mark: **Make sure the computers and other devices you use, including personal devices that staff may use to access organizational information, are not compromised by malware, viruses or other intrusive software.** -*As a first step, ensure you are running antivirus software on all computers. Antivirus software for Macs and Windows computers is available to non-profits at a discounted rate through [Tech Soup] ("http://techsoup.org"). If you haven't been running antivirus software or otherwise aren't sure about the status of your devices, you can have the operating system (OS) on it reinstalled to help guarantee -the computer is free of malware and viruses.* - -*If reinstalling, use a copy from the OS provider wherever possible. Computer manufacturer often bundle other software in their installs which may impact privacy and security but may also contain specific tools for the hardware (especially in laptops). There are other ways in which your devices can be compromised at a low level which cannot be remedied by an OS reinstall. If your computers have been handled by third parties you don't trust, out of your possession in a hostile environment or you suspect intrusion by powerful or well resourced entities, get a new computer and call a security professional.* - -:heavy_check_mark: **Have a disaster recovery plan that includes making regular backups of organizational data that are stored away from your main offices. Do not rely exclusively on third parties to back up and hold your information.** -*This actually is a digital security practice itself, but straightforward and critical enough that it needs to come before any other digital security steps. Talk to your technical support provider about the status of your backups. 
Refer to [this guide] ("http://www.techsoup.org/disaster-planning-and-recovery") for ideas on how to improve your disaster preparedness.* diff --git a/README.md b/README.md index b7090d0..867b367 100644 --- a/README.md +++ b/README.md @@ -9,8 +9,8 @@ The documents in this repository comprise a set of digital security checklists f 1. [Introduction](1_checklist_introduction.md) Framing remarks about the purpose, assumptions and limitations of these documents. -2. [Readiness Checklist](2_readiness_checklist.md) -A tool for assessing whether an organization has pressing technology challenges that should be resolved before attempting to increase digital security levels. +2. [Readiness Assessment](2_readiness_assessment.md) +A tool for assessing whether an organization has pressing technology challenges that should be resolved to establish baseline security controls and practice before attempting to increase digital security levels through other means. 3. [Legend](3_legend.md) What the symbols in these documents mean. @@ -28,6 +28,6 @@ A checklist of tasks related to improving security levels when depending on publ A glossary defining the technical terms used in these documents in as non-technical language as possible ## Finally... -These documents could not exist without the support of a large group of technical and organizational readers who offered us feedback and review as well as RoadMap Consulting who sponsored the project and is actively using these as a tool to support its clients. +These documents could not exist without the support of a large group of readers, whose technical and operational review and feedback tuned these document, as well as [RoadMap Consulting](https://roadmapconsulting.org) who sponsored the project and with whom we are actively using these as a tool to support our clients and communities. **Our gratitude for these humans and organizations working on the front lines of important change making work is immense.** -- GitLab
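Review bot: the updated front matter in 1_checklist_introduction.md writes the date as '5/12/17' while the new 2_readiness_assessment.md in this same patch writes '5/12/2017'; use one form in both files, and preferably an unambiguous one. The pre-existing '11/18/2015' value is month-first, so '5/12/17' reads as 12 May, which fits the "Spring 2017" revision described in the next hunk, but readers outside the US will parse it as 5 December.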
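Review bot: the added "When was this document set created" paragraph in 1_checklist_introduction.md stops mid-sentence: 'Contact [RoadMap Consulting](https://roadmapconsulting.org) or [Information Ecology](https://iecology.org/contact)' has no object and no terminal period; say what the reader should contact them for (feedback, or notice of the Fall 2017 release) and close the sentence. The two new links also use the plain '[text](url)' form while every pre-existing link in the surrounding context wraps the URL in quotes, e.g. '[RoadMap Consulting]("http://www.roadmapconsulting.org/WTS")', which puts the quotation marks into the link destination and breaks the link; since the file is being edited, normalise the older links to the unquoted form (and note that the RoadMap Consulting link in the context points at the Weathering The Storms URL rather than the site root used elsewhere in this patch).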
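Review bot: the backups item in the new 2_readiness_assessment.md has a garbled sentence, 'Talk to your technical support provider about the status of your backups and when restoring data from them they was last tested'; the intended reading is 'and when a restore from them was last tested', which also makes the point that the thing to test is the restore, not only that backups run. Two smaller fixes in the same file: 'A good place to start figuring this out if by making an inventory' should read 'is by making', and the bold item titles are inconsistently punctuated ('Develop and evaluate baseline non-technical security practices in an ongoing way' and 'Have a recurrent line item for technology in your budget' lack the terminal period the other items carry), with stray double blank lines after the technology-champions and budget items. On substance, the offboarding item says the departing person's individual accounts 'should be deleted'; deleting an account at most providers also removes its mail, files and audit history once the grace period ends, so the safer sequence is to suspend the account immediately, transfer ownership of its data, and delete only after a retention period. The same paragraph's instruction to rotate any organizational passwords the person used is the right complement to the later 'minimize shared accounts' item and is worth keeping as stated.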
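Review bot: the diffstat shows 2_readiness_checklist.md as 'delete mode 100644' and 2_readiness_assessment.md as 'create mode 100644', yet most of the text carried over with edits; generating the patch with rename detection (git format-patch -M), or committing the rename on its own before the content edits, would present this as a rename with a small diff, keep the history reachable with git log --follow, and make the actual 1.0 to 1.1 wording changes reviewable instead of a 40-line deletion beside a 63-line addition. Also confirm that no other document in the set (legend, glossary, the other checklists) still links to 2_readiness_checklist.md; only README.md and the introduction are updated here.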
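Review bot: in the README.md list hunk the new entry is titled '[Readiness Assessment]' while the new file's own heading is 'Digital Security Readiness Assessment Tool' and the introduction hunk links it as 'Readiness Assessment Tool'; pick one name and use it in all three places so readers can match the list to the file.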
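Review bot: 'tuned these document' in the rewritten acknowledgement in README.md should be 'tuned these documents', and the clause 'who sponsored the project and with whom we are actively using these as a tool' is hard to parse; 'who sponsored the project and with whom we actively use these documents to support our clients and communities' keeps the meaning and reads cleanly. The switch to the unquoted link form for https://roadmapconsulting.org matches the new links in the introduction hunk.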