7.2 What are human focussed security elements
Now that we have explored passwords, read through the following slides, and then continue to take the small quiz.
Slide 1: What is digital security
The international non-profit organisation Engine Room, which supports activists, organisations and social change agents in using technology in a responsible manner, describes “organizational security as a sustained, appropriate level of security in team communication and information management practices”.
This includes an organization’s:
- Infrastructure: i.e. servers, wifi routers, and computers
- Software: i.e. open-source software, licensed software, and updates
- Staff and culture: i.e. awareness, skills, choices and interests of staff, teams and management
- Policy: i.e. infrastructure integrity, guidelines on staff’s security responsibilities, and processes for the retention, archiving and deletion of data
- Management: the interest and buy-in of senior management for digital security measures
Slide 2: Improving your and your organization’s digital security culture
For you as an individual and you as an urban practitioner, the following strategies can help you to secure your privacy and your projects’ responsible data management.
- Minimize data collection, processing and sharing
- Make informed choices on tools and when possible choose alternatives
- Implement data separation
- Strengthen your data environment.
Slide 3: Minimize data collection, processing and sharing
If data is not collected, processed or shared, it cannot be misused either.
- What is the data that you actually need to make the project a success?
- Think twice before you ask for or give data, especially personal data or sensitive personal data.
- Is there data unknowingly being collected? In any technology testing phase it is important to audit which data is actually collected. An app might collect more metadata than you expect.
- When the project is rolled out, set dates on which the technology will be audited to make sure the system is still secure and only collecting the data you wanted. With updates to your technology project or to mobile phones, certain permissions might change and make the system more vulnerable.
- If data is collected, how long do you intend to store it for?
- Is there a deletion plan in place?
When sharing data with a third party think of the following:
- Is the contractual agreement in compliance with your data management strategy and your country's data protection regulation?
- Does a Non-Disclosure Agreement have to be signed?
- Minimize the amount of data and the amount of personal data. You never know what a third party will do with this data.
Slide 4: Choosing tools
Choosing tools is a cumbersome process and it might be something that feels very distant from your everyday work life. On top of that, there are many technology products on the market.
So how to choose responsibly?
- Ask the developer or the company to explain why this tool and not another, how data is collected, processed and shared.
- Choose a tool that respects privacy and strives to minimize data collection and processing.
- When in doubt, but this technology is the only way forward, think about putting data minimization, data ownership and limited data sharing clauses in the contract.
Slide 5: Implementing data separation
There are different ways to think through data separation. In your private life you might separate your work email from your private email, or your work phone from your private phone.
In your role as an urban practitioner, data separation means thinking through and implementing processes around:
- Separating the storing and processing of Personally Identifiable Information from that of Non-Personally Identifiable Information. Find out more about this in the session about de-identification.
- Implementing access controls, because not everyone in your city or municipality has to have access to all of the data.
- Not storing the backup of the data on the same server as the data itself. In case of a natural disaster, a fire, or a hack, this might increase the chances that the data will not be lost.
- Printing sensitive personal files with a printer not everyone has access to.
Slide 6: Strengthen your data environment
- Use good and strong passwords to protect the data, and ensure that there is a password management process in place to keep the passwords fresh.
- Secure databases through passwords and encrypted storage.
- Keep your software updated.
- Set clear responsibilities about who is responsible for keeping the databases secure and the software updated.
- Know who to contact in the IT department to enhance security measures on data that is stored on the organization's server.
Slide 7: Data management policy
To embrace a digital security culture and ensure that all current and future staff understand and implement the same digital security practices, it is crucial to encode the organizational digital security choices, best practices and processes in a data management policy. This policy can include agreements and information on:
- Data processing: what data is collected, how is it processed, where is it stored, how is it protected, who has access to it, and who is it shared with.
- Staff digital security practices: the organization's digital security choices, best practices and processes.
- Human resources: digital on- and offboarding, opportunities for responsible data management trainings, and a confidentiality clause.
- Infrastructure: how the organization implements, updates, secures and tests IT systems.
- Roles and responsibilities: who is responsible for the implementation of the policy.
- Information: Who can staff turn to with their responsible data questions.
- Emergency response: What are the processes and procedures when something has gone wrong.