Digital risk assessment

From California Technology Festival Wiki

Security is a continuum, and the trade-off runs in both directions

  • Higher security => less functionality and more friction for users
  • Lower security => faster response and less friction, at the cost of exposure
  • Different contexts require different kinds of discussion
  • Women have a great intuitive sense of risk assessment
Real security is about processes and people, not tools
—Ken


Questions to Ask About Data You Want to Secure

1. What Am I Trying to Protect?

  • List of addresses
  • social security numbers
  • contacts of activists
  • Info on my phone

2. Who am I protecting it from?

  • Government
  • Crackers (malicious hackers)
  • Commercial entities
    • Paid shills/moles
    • Koch brothers counter-intelligence

3. What Happens if the Data Leaks?

  • California has data-breach notification laws: affected individuals must be told when their personal information is exposed
  • What could happen to individuals and businesses? There may be monetary penalties
  • Even nonprofits can be sued over data breaches
  • Think up best/mid/worst case scenarios

4. What Am I Willing to Do to Protect it?

  • Will I encrypt it, and what level of encryption is appropriate?
    • End-to-end (only the communicating parties hold the keys), or general-purpose encryption such as disk or transport encryption, where the service operator can still read the data?


Culture of Security

  • A fundamental piece of security is open communication with your team
  • Keep each other informed about what sensitive stuff is going on
  • You can't secure what you don't know

Data Containerization

  • Depending on the risk level, Ken's org will store different stuff on different servers
  • Must assess what you're collecting and decide what must be done with it
  • There are laws and industry standards regarding storage of things like credit card info (PCI DSS) and medical info (HIPAA)
    • That's why you should outsource responsibility when you can
    • Storing CC info is a lawsuit waiting to happen. Let your payment processor handle it; they're better at it, and keeping card numbers out of your systems takes most of them out of PCI scope

Context Matters

  • If you're involved with confrontational politics, you're going to want to use stronger security measures
  • The government has a long, shameful history of counterintelligence, subversion, surveillance, and illegal action against political bodies
  • It's important to understand the big picture of surveillance and understand where exactly we fit into this picture


Tools

  • Sophos Endpoint Protection
    • Data loss prevention (DLP)
    • Notifies you of downloads and uploads
    • Staff click-through tracking
  • LastPass password management
    • Great nonprofit discount if you ask for it
  • Two-Factor Authentication
    • Logging in requires a second, person-specific factor (something you have, like a phone or token) in addition to the password, so a stolen password alone is not enough
  • Federated Login
    • Like when you can `Log in with Google` to a service like Stack Overflow: the identity provider authenticates you, and the service never sees your password