Brief

Maintaining the relationships, trust and integrity we have built with the community requires us to treat the data we hold as a sacred trust, plan for continuity of service & reduce the impact of cyber incidents.

The purpose of this document is to make it easier to know what practical steps to take to build a more secure organization, by identifying assets and risks and the preventative and reactive measures organizations can take.

How to adapt this document to your needs…

This work is licensed under a Creative Commons Attribution NonCommercial ShareAlike License. Please copy & adapt it to your needs. If you do, please share credit and provide feedback.

  1. Identify what digital assets you have (the list below should help). Digital assets include hardware, passwords, subscriptions, information you store (such as client/supporter contact data), social media, etc.
  2. For each asset identify…
    1. Preventative measures you have in place
    2. Steps you need to take
    3. Reactive measures you’d take if the asset were compromised (e.g. what would you do if your executive lost all of their sensitive passwords, or a staff member’s computer were compromised by a malicious agent?)
    4. Who’s responsible: what training might they & the team need?

Principles

The principles underlying our approach to cybersecurity are…

  1. **Technology is an Opportunity:** We want to facilitate our teams’ use of tech in a joyful, optimistic and curious way. Tech provides an opportunity to communicate in new ways, improve workflows and bring delight.
  2. **Focus on achievement, not activities:** Security is not about busy work; it must focus on measurable, proactive steps with discernible results. E.g. we can’t just focus on awareness; we must track the percentage of our devices that are running up-to-date software.
  3. **Prepare/Prevent:**
    1. **Zero trust:** Do not assume trust with digital assets; assume people may lose their computer, be hacked, etc.
    2. Conduct an annual risk review at the board and management level that includes an internal audit of systems/assets and scenario planning.
    3. Minimize the number of doors that can be opened with one account & minimize the number of people with access to admin accounts. One key opens only one door.
    4. Review/monitor systems, looking for unusual activity.
  4. **Inform & Rectify:** Communicate compromises and losses as we learn about them to the people impacted by them: clients, team, partners. Second, do our utmost to rectify the damage caused by a loss through support (especially for marginalized individuals), connection to resources, revising policies/procedures and apologizing.
  5. **Paranoia Undermines Prevention – Be Honest:** Hostile policies undermine security. We want our teams to feel safe and supported. We do not want them to feel like they are being watched, confined or restricted by policies. Second, we need to be honest and transparent: cybersecurity tools enable surveillance and have the potential to undermine culture and effectiveness. We should adopt an “Honest Security” approach.
    1. A security program should represent our organization’s values.
    2. A positive relationship between end-users and the security team is critical.
    3. Trust is the foundation of such a relationship and is demonstrated through informed consent and transparency.
    4. Our detection capabilities should anticipate that end-users will use their company issued devices for personal activities.
    5. When educated and honestly motivated, end-users are capable of making rational and informed decisions about security risks.

Staff Training

All staff must undergo security training at onboarding (& every two years thereafter). Training records will be kept in WebHR. Training will include…

  1. Creating safe and secure passwords using a password manager (e.g. Apple’s Keychain, 1Password).
  2. Using the internet and social media safely. This should include proactive and positive ways to engage on social media. (See: Creating a Personal Voice Plan).