Digital Security and Privacy for Human Rights Defenders

3.1 Case Study 1
Creating a Security Policy

When developing a security policy for yourself or your organisation, you must also develop a clear understanding of the risks to the security of your computers and information. The level of risk increases in direct proportion to threats and your vulnerability to them, as shown by this equation:

RISK = THREATS x VULNERABILITIES

Threats represent a possibility that someone will harm the security of your computers, information stored on them and online communications. Making a threat assessment means analysing the likelihood of a particular threat being put into action. Examples of threats include:

  • A virus attack
  • Confiscation of computer equipment
  • A website block

Vulnerability means the degree to which you are susceptible to loss, damage and suffering in the event of an attack (if a threat is realised). It varies with situation and time. Vulnerability is always relative, because all people and groups are vulnerable to some extent. Often, the main vulnerability in the realm of technology is lack of understanding or insufficient training. Another vulnerability comes from over-relying on technology that one does not fully comprehend.

  • Vulnerability can be about location. For example, your computer screen and operations are easily observed when you operate from an Internet café. If you live in a country suffering droughts and electricity shortages, then your vulnerability will be lack of electricity (or electrical surges), and hence inoperable computers and no Internet access.
  • Vulnerabilities can also include lack of communication means, like not having access to a phone or to an Internet connection.
  • Vulnerabilities may also be connected with team work and fear: a defender who receives a threat may feel fear, and his/her work will be affected by fear. If s/he has no proper way to deal with this fear (somebody to talk to, a good team of colleagues, etc.) chances are that s/he could make mistakes or poor decisions. This is a non-computer-related threat, but one which could be of great relevance to computer security because it increases an already existing threat.

Capacities are strengths and resources a group or a defender can access to achieve a reasonable degree of security. Examples of capacities could be training in computer or security-related issues. Knowledge of the computer/Internet environment is an essential capacity for dealing with possible insecurities. Access to a trusted computer technician or a network of skilled people is a great resource.

  • security policies within the organisation: efficient file storage, backup and online communications
  • secure office entrance and strong locks on doors and windows
  • copies of all hardware warranties and licences for software (alternatively, using only open source software)

Not knowing enough about your work environment and the technology you operate with is a vulnerability, while having this knowledge is a capacity. The risk, created by threats and vulnerabilities, can be reduced if defenders have enough capacities (the more capacities, the lesser the risk).

Risk = (threats x vulnerability) : capacities

So, for example, the risk of losing your digital documents because of a virus attack equals: the risk of a virus attack, multiplied by the vulnerability of not having a virus cleaner and firewall software installed, and divided by the capacity brought when you obtained the Digital Security Toolkit.
Of course, this is not a mathematical formula, but its main advantage lies in helping you identify the elements that may cause the risk to eventuate, and therefore work to eliminate them.

Drafting a security plan

Components of the plan

A security plan is aimed at reducing your risk. It will therefore have at least three objectives, based on your risk assessment:
  • Reducing the level of threat you are experiencing.
  • Reducing your vulnerabilities.
  • Enhancing your capacities.

It could be useful if your security plan also includes:

  • Preventive plans or protocols to ensure routine work is done within security standards, for example, how to communicate by email on sensitive topics with a group of people.
  • Emergency plans for dealing with specific problems, for example, confiscation of office equipment.

Responsibilities and resources for implementing the plan

To ensure that the plan is implemented, security routines must be integrated into daily work activities:
  • Include context assessment and security points routinely in your agendas.
  • Register and analyse security incidents.
  • Allocate responsibilities.
  • Allocate resources, i.e. time and funds, for security.

Drafting the plan – how to begin

If you have done a risk assessment for a defender or an organisation, you might have a long list of vulnerabilities, several kinds of threats and a number of capacities. You can't realistically cover everything at the same time. So where to begin? It's very easy:
  • Select a few threats. Prioritise the threats you have listed, be they actual or potential, using one of these criteria: the most serious threat – loss of all computer data, for example; OR the most probable and serious threat: if organisations similar to yours have been attacked, that is a clear potential threat for you; OR the threat which corresponds most to your vulnerabilities – because you are more at risk of that specific threat.
  • List the vulnerabilities you have which correspond to the threats you have listed. These vulnerabilities should be addressed first, but remember that not all vulnerabilities correspond to all threats. For example, if you have no idea whether a backup of all your computer data exists, then this relates directly to the threat of losing your computer data irrecoverably.
  • List the capacities you have which correspond to the threats you have listed. You are now in a position to address the selected threats, vulnerabilities and capacities in your security plan, and can be reasonably sure that you will be able to reduce your risk from the right starting point.

Applying in Practice

The purpose of this plan is to ensure that the information held on our computers is not lost, stolen or damaged irrecoverably in any way.

Threat: Virus attack
  Vulnerabilities:
    - Staff open emails without caution
    - Nobody knows if virus scanner is on all machines or updated
    - No backup of information
  Capacities:
    - Just received a copy of ‘Digital Security Toolkit’ from https://security.ngoinabox.org/en/

Threat: Confiscation of computers
  Vulnerabilities:
    - Easy access to office
    - No backup
    - No funds to purchase new equipment
    - Information is not protected
  Capacities:
    - Good team of colleagues who know each other and co-operate very well
    - Good contact with funders

Threat: Computers are damaged by weather or other external forces
  Vulnerabilities:
    - No backup
    - No knowledge of how to protect network and electrical equipment
  Capacities:
    - Good contact with funders
    - A relative of a staff member is a skilled plumber

Now we begin to work on decreasing our vulnerabilities and hence increasing our capacity for dealing with this and other threats that may arise in the future. Your solutions and resources may differ in each case. Notice that lack of information backup is a common vulnerability that would cause great harm should any of the threats be realised. Below is a list of actions you could take to decrease the vulnerabilities (all tools and explanations on how to perform these actions can be found in this manual and the Digital Security Toolkit).

Virus attack

  • Introduce a strict policy on opening mail from unknown sources or replying to spam. In plain words, forbid anyone to do so. People who receive hundreds of viruses and spam should change their email address.
  • Install a free anti-virus (Avast, AntiVir, AVG) on all computers and update the virus definitions from the Internet. Program files and guides can be found in the Digital Security Toolkit. Make sure every computer in the office is operating with a fully functional anti-virus program.
  • When your computer is clean of viruses, make a backup of all important user documents. Keep this on separate media (CD, USB stick) and away from the office. If you do suffer a virus attack, at least you can recover your files.

Confiscation of computers

  • To prevent theft you have to secure your offices and work premises. Strong doors and bars on windows are essential (especially if you are located on the ground floor), as is an intercom or other form of visitor identification system. Ideally, your office should have a reception desk, where visitors will be greeted before gaining access to the main room.
  • Backup of all information should be made and kept securely in a different location.
  • You should have access to emergency funds to purchase new equipment and to load the backup data onto it.
  • If computers are confiscated, at least the documents on them should be protected from unauthorised access. Use encryption software to protect a part of the hard drive. Likewise, wipe all unnecessary data to prevent its restoration by the confiscators. (See Information Backup, Destruction and Recovery chapter.)
  • Be aware of who has keys to the office and how many copies are in existence. If your computers are not protected by encryption or you store sensitive data on paper and computers, then make sure that no one has unaccompanied access to your office, even the cleaning staff.

Computers are damaged by weather or other external forces

  • Ideally, a plumber or an electrician should check your premises regularly to report on their stability, any water damage sustained and the amount of fire insulation. All loose electric cables should be discarded and faulty connections patched. This may be costly but it is necessary, as computers are extremely delicate and cannot survive water or heat damage.
  • Backup of all information should be made and kept securely in a different location.
  • You can purchase an Uninterrupted Power Supply (UPS) battery for your computers to prevent sudden shutdown in case of electricity loss. Power sockets or power boards should have surge protectors, so that they switch off in case of electric spikes. Regions that suffer loss of electricity for months at a time should consider a petrol-powered generator or other sources of energy.

It is difficult to introduce security policies without undermining some aspect of productivity in your office. Paying attention to security usually takes time and concentration. Carelessness, deadlines and insufficient manpower are the enemies of good security. It is therefore necessary that the rules are agreed upon and rationalised by all. Their implementation should apply to everyone and directors of the organisation must take the lead in setting an example. Good security also requires you to be pro-active and realise your threats and ways to handle them before they occur.