OTF Digital Integrity Fellow Szeming worked over 12 months to improve the digital security practices of two Southeast Asian human rights organizations. In doing so, she not only created a digital security policy for the organizations, but also a checklist for small organizations to begin incorporating digital security best practices into their day-to-day work. Below, Szeming has shared from her experience how to ensure the longevity and sustainability of digital security assistance through the use of a digital security policy. Special thanks to Lobsang Gyatso of Tibet Action Institute for contributing thoughts and advice during the process.
Establishing a digital security policy should be the foundation of every organization’s security plan. No matter the size, mission, or purpose of an organization, it’s important to ensure that computing and telecommunications resources are used in a way that proactively prioritizes responsibility and security when it comes to data and information. Following best practices in this area can help mitigate risks and avoid unforeseen issues in the future.
Here, we’ll provide a high-level overview of why a digital security plan is important, explain how to create one, and offer several small but impactful ways to start improving your own organization’s digital security today.
What is a Digital Security Policy?
A digital security policy can take on many forms, but generally it is a collection of policies and procedures around your information and data security. Some policies encapsulate all organization policies and procedures relating to data, while others work on a high level to give visibility and adhere to regulations. It is important to note that there are different ways to approach and prepare an organization for digital security-related risks and regulatory requirements. Having a digital security policy is crucial because it is not a matter of if, but when, your organization will need a policy in place, such as in reaction to a digital security incident.
5 Steps to Create a Digital Security Plan
- Regulatory Review and Landscape Assessment
All organizations have regulatory requirements, and your organization needs to know what is necessary from this perspective. Requirements can come from international bodies, federal agencies, states, or even industry-specific bodies. In addition, external pressures can come from donors, auditors, and external partners. Conducting a review of your organization’s requirements and obligations in this area is a good place to start when creating a security plan.
2. Governance, Oversight, and Responsibility
Everyone within the organization has a role in digital security, but creating a “Digital Security Response Team” to make sure that all employees follow policy can help ensure that all employees are complying with established policies. This team can assist employees with questions, conduct post-incident investigations, and put together strategies and procedures to protect the organization’s digital assets, for example.
3. Data Classification
Knowing what data is important and what needs to be protected, where the information and data resides, who has access, and how it is stored and transferred will help you write your policies and procedures. For example, data containing individuals’ personally identifying information should be treated differently than other data. By first classifying what you have, you can better understand how to manage and protect it.
4. Perform a Digital Risk Assessment
This will help you understand the digital security risks to the organization’s operations, functions, and assets. This doesn’t have to be overly complex or robust; your organization can start with the basics and evolve as you grow. Good examples can be found from SAFETAG and Front Line Defenders.
5. Training and Testing Employees
Make your employees an asset instead of a threat by training and testing them. Reviewing internal roles and responsibilities within the organization and providing training and testing throughout the year can help create an organizational culture that emphasizes security and its importance to everyone.
Digital Security Improvements
When it comes to managing the organization’s digital security performance and risk, leaders must take a threat-based, outcome-driven approach. They can do so through targeted measurement, continuous monitoring, and detailed planning and forecasting in an effort to measurably reduce the risk of a security incident.
There are several principles which make up this model for continuous improvement of digital security, detailed below:
Small Changes Can Yield Significant Improvements
When managing your digital security performance, you need to start with a baseline. Baseline performance metrics are typically the best way to start thinking about how to take a more outcome-based approach to managing your organization’s security program. For many security and risk leaders, creating a risk matrix offers a useful way to assess and visualize existing security threats and establish this baseline..
Manage Who Has Access
First, as an organization, take inventory of what data every employee may or may not have access to. Determine which employees still need access and which do not in an effort to limit the amount of data accessed by employees to as small and manageable a number as possible. In addition, have your administrators determine which type of access each department/employee needs.
Develop a Data Security Plan/Policy
Another good strategy when looking to improve data security is developing a specific data security policy. It’s important to have a plan in place for when hacks and breaches occur. The aforementioned data access plan plays a key role in working to prevent these sorts of incidents from happening in the first place. Thus, these sorts of policies when implemented in tandem can keep information in-line and organized.
This policy should also be open to changes and edits as amendments will need to be made to match the growing technology innovations and new company policies that may arise. By having data access rules that are strictly enforced, you can better protect your data on a day-to-day basis.
Develop Stronger Passwords Throughout Your Organization
Employees need to have stronger and more complicated passwords. Work to help employees develop passwords that combine capital and lowercase letters, numbers, and special characters that will make it much harder for hackers to crack.
A good rule of thumb when creating a new password is to have it be at least 12 characters and to not include a combination of dictionary words. Passwords should be unique to employees and difficult for computers to guess.
Regularly Back Up Data
Lastly, it’s important to back up your data on a regular basis. In addition to hacks, loss of data is a serious issue, and organizations need to be prepared for the unexpected. Get in the habit of either automatically or manually backing up data on a weekly or daily basis.