Digital risk assessment
From California Technology Festival Wiki
There's a continuum when talking about security
- High security => lower function (more friction for users)
- Low security => faster response (less friction, more exposure)
- Different contexts require different conversations about security
- Women have a great intuitive sense of risk assessment
Real security is about processes and people, not tools —Ken
Questions to Ask About Data You Want to Secure
1. What am I trying to protect?
- List of addresses
- social security numbers
- contacts of activists
- Info on my phone
2. Who am I protecting it from?
- Crackers (malicious hackers)
- Commercial entities
- Paid shills/moles
- Koch brothers counter-intelligence
3. What Happens if the Data Leaks?
- California has a breach notification law: affected residents must be told when their personal data is exposed
- What could happen to individuals and businesses? There may be monetary penalties
- Even nonprofits can be sued over data breaches
- Think up best/mid/worst case scenarios
4. What Am I Willing to Do to Protect it?
- Will I encrypt it, and what level of encryption is appropriate?
- End-to-end (only the sender and recipient can read it), or just at rest on disk and in transit over the network?
Culture of Security
- Fundamental piece of security is open communication with your team
- Keep each other informed about what sensitive stuff is going on
- You can't secure what you don't know
- Depending on the risk level, Ken's organization stores different data on different servers
- Must assess what you're collecting and decide what must be done with it
- There are rules regarding storage of things like credit card data (PCI DSS, an industry standard enforced by contract) and medical information (HIPAA, a law)
- That's why you should outsource responsibility when you can
- Storing credit card numbers is a lawsuit waiting to happen. Let your payment processor handle it. They're better at it
- If you're involved with confrontational politics, you're going to want to utilize higher security measures
- The government has a long, shameful history of counterintelligence, subversion, surveillance, and illegal action against political bodies
- It's important to understand the big picture of surveillance and understand where exactly we fit into this picture
- Sophos Endpoint Protection
- Data loss prevention (DLP)
- Notifies you of downloads and uploads
- Staff click-through tracking
- LastPass password management
- Great nonprofit discount if you ask for it
- Two-Factor Authentication
- Must perform a second, person-specific action to log in (typically a one-time code from a phone or hardware token), so a stolen password alone is not enough
- Federated Login
- Like when you can `Log in with Google` on a service like Stack Overflow: the service trusts Google's assertion of who you are instead of storing its own password for you
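As an added example (not from the workshop notes and not Ken's code), here is the "second, person-specific action" from the Two-Factor Authentication item above, implemented as a time-based one-time password (RFC 6238 TOTP, which is what Google Authenticator and similar apps compute) using only the Python standard library. The secret and timestamps are the published RFC 4226/6238 test values; the per-user replay tracking (`last_counter`) and the account/issuer names in the provisioning URI are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # TOTP time step used by most authenticator apps
DIGITS = 6

# Test-vector secret from RFC 4226 / RFC 6238 (20 ASCII bytes). In a real
# deployment each user gets a fresh random secret, e.g. secrets.token_bytes(20).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI (the QR-code payload) that enrols the secret in an authenticator app."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server-side check: tolerates +/- `window` steps of clock drift and rejects replayed codes."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest counter already accepted (assumed per-user state)

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        if at_time is None:
            at_time = time.time()
        if len(code) != self.digits or not code.isdigit():
            return False
        now = int(at_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            # Constant-time comparison so response timing doesn't leak matching digits.
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                if counter <= self.last_counter:
                    return False  # this code (or a later one) was already used: replay
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(TEST_SECRET, "alice@example.org", "ExampleOrg"))
    print("code at t=59:", totp(TEST_SECRET, 59))
```

The password is still checked as the first factor; this only adds the second. Note the two server-side decisions the verifier makes: it accepts the neighbouring time steps so a phone whose clock is a few seconds off still works, and it records the last accepted counter so an attacker who captures a code (for example by phishing) cannot reuse it within the same 30-second step.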