For many years now, organizations that defend human rights and emerging media have faced a myriad of threats and potential threats, whether from authoritarian states, business interests, extremist organizations or affected groups, among many others. As a result, the need for security in the operations of these organizations has only grown, increasing sharply in the last decade as the integration of technological solutions into their operations has become more widespread. Meanwhile, private industry and regulatory bodies began to develop specifications, frameworks and methodologies for producing security policies and protocols that would adequately protect the data and resources of companies and keep them in compliance with the law. However, the frameworks developed were extremely complex, long and expensive to implement for most civil society organizations, which frequently manage tight budgets and irregular funding cycles. As a consequence, the implementation of formal security policies remained exclusive and out of reach for most civil society organizations.
To address this problem, many initiatives emerged that sought to increase information security knowledge among civil society, organizations and activists, helping them develop criteria for tool selection and process design, implement measures to safeguard information, and more. Some of these initiatives went further and produced methodologies to assess an organization's security level, adapt content to specific groups, or offer tools to the growing community of facilitators and coaches serving the organizations that most need to implement security in their operations. Although the appearance of these initiatives was a crucial improvement for the security of the beneficiary organizations, there are still gaps where the scope of the security strategies can be optimized, above all so that they last over time.
This manual aims to fill some of these gaps by adapting and simplifying methodologies available under private industry standards, combining them with other existing security materials designed for civil society organizations, and with the experience of several information security instructors who have worked in the field with human rights defenders, organizations and independent media in Latin America for almost five consecutive years at the time of publication. More specifically, this manual deliberately excludes certain processes and policies that are widely addressed in materials aimed at private industry, in order to reduce to the essentials the amount of activities and time that must be spent on its execution, understanding that the target organizations usually lack the time, resources or personnel to develop a security strategy as rigorous as those proposed by standards such as NIST, COBIT or ISO, among others. Should any organization wish to develop security policies and strategies beyond this manual, the references section provides links and content for building frameworks, methodologies and security documentation for organizations.
Who is this guide for?
This is a practical manual written to be used by information security facilitators who wish to complement their training and/or accompaniment work in civil society organizations (especially human rights defenders and independent media). However, it can also be applied by people within these organizations, by external facilitators not directly related to information security but interested in the subject, and by anyone who feels comfortable following the instructions of these activities.
The content of this manual can also be adapted to any other type of organization that handles sensitive information, wants to increase the security with which it is managed, and wishes to document security policies that last over time.
Objectives of this manual’s application
- Establishing security policies and protocols for civil society organizations that are adapted to their operations and respond to the needs of their changing contexts and future plans.
- Increasing the understanding of the security context among the members of civil society organizations at risk.
- Introducing civil society organizations (especially organizations defending human rights and independent media outlets) to threat modeling, risk analysis, and other basic methodologies for surveying and assessing the level of organizational security.
How is the manual structured?
This manual is divided into 3 main sections, each of which contains a group of activities:
The first section seeks to explore the context of the organization and some of its internal processes. Once this information is collected, the bases of the organization's first security policies are established (the information classification policy and the data retention policy).
The second section explains the other security policies one by one through facilitated activities, while the third section introduces and guides the construction of concepts for threat models and security protocols, emphasizing the creation of risk matrices, succession plans, communications and protocol sequences.
At the end, a references section collects links to projects, bibliographies and initiatives that complement the activities covered, as well as the next steps to extend, deepen and polish the policies constructed from this material.
In each section we propose a set of activities that explain the facilitation process to be followed to generate the proposed products. Each activity contains the following information:
- Estimated time to complete the activity, which may vary depending on the size of the group, the skills of the facilitator and the steps of the activity that are chosen to be executed.
- Prior planning for the activity, in terms of research or data collection about the organization.
- Materials required to execute the activity.
- Instructions for the activity, normally as a sequence of steps listing the actions to be carried out, along with descriptive graphics where applicable.
- Closure of the activity: a summary of what has been achieved and what the generated products will be used for.
- References cited during the activity.