Estimated time: 90 min
Justification
The main idea of this activity is to complete the information gathered about the organization and to steer it towards the sensitivity of the information it handles. In the process, it lays the foundations that will make it easy to build the organization's first security policies.
Input data
- Stakeholder map.
Products
Direct
- Matrix of possible consequences.
- Map of impact due to associated violations.
Indirect
- Group awareness about the sensitivity of the information handled.
- Criteria to classify information within the organization.
This activity is a variation of a dynamic proposed in several resources, such as the “2.4 Understanding and Cataloging our Information” section of Holistic Security by Tactical Technology Collective, or SaferJourno by Internews, among others.
The idea behind this activity is to map all the data objects that the organization manages, to think about the possible consequences that the compromise of these objects would have, to lay out these possible consequences in an impact matrix, and to associate the information objects managed with levels of impact on that matrix.
Previous planning
- If this activity is carried out on digital equipment, it is suggested to prepare a spreadsheet or other software with all the necessary fields and formats.
Materials
If doing the activity on paper:
- Post-its or sticky notes and markers, or
- Large pieces of paper to stick on the wall and markers.
If doing the activity on digital equipment:
- Computer.
- Projector.
- Spreadsheet ready to fill, showing the headings with stakeholder categories.
Instructions
- Brainstorm the pieces of information that the organization manages. It might include complaints from victims, leaked documents, research in process, accounting books, social media publications and/or public reports. No piece of legitimate information is of little relevance to this exercise.
- It is especially relevant to consider information on paper.
- Each idea should be written down on post-its or sticky notes or equivalent and be visible to everyone.
- You can move forward when there is consensus among the participants.
- More items can be added during the rest of the activity.
Pieces of information mapping
- With the pieces of information in view, briefly explain the concepts of Availability, Integrity and Confidentiality, which are frequently used in information security to describe the different ways information can be compromised. It is suggested to develop concise definitions and to review other references for a broader understanding:
- Availability: The ability of information to always be within reach of those who need it. For example, when a server loses power, the availability of the information it contains is threatened.
- Integrity: The ability of information to be reliable, in the sense that its content has not been manipulated or altered by a third party. For example, a malicious third party taking a database of victims and modifying the information is considered a threat to integrity.
- Confidentiality: The ability of information to be accessible only to those who are meant to have access to it. For example, when a third party can read emails exchanged between two people, it is considered a threat to the confidentiality of the information transmitted by mail.
Triad CIA (Confidentiality-Integrity-Availability)
- Discuss with the participants the negative consequences the organization could face if the information it handles is compromised. Separately from the brainstorming, create a horizontal list of types of consequences, as shown in the figure.
Types of consequences
The point here is to build a matrix whose horizontal axis corresponds to this classification of consequences. A complete proposal (which can be simplified depending on the facilitator and the group) can be found below:
- Digital consequences: Those that affect the organization’s online presence, e.g., related to social media, servers, mail accounts, services used by the internal team, etc.
- Physical consequences: Those related to the integrity of people, objects and spaces, e.g., physical aggression, death, destruction of spaces, loss of resources, etc.
- Emotional consequences: Those related to the psychosocial well-being of the people involved with the organization. This includes not only the team, but also providers, beneficiaries, victims, etc. Frequently, some stakeholders are exposed to situations that create fear, stress, fatigue and trauma.
- Legal consequences: Those that affect the judicial integrity of people associated with the organization. Usually, they are related to arrests, withholdings, legal investigations, trials, etc.
- Administrative consequences: Those related to the legal status of organizations and people beyond the judicial field. They are frequently related to compliance with regulations, taxes, surveillance, loss of legal status, infractions of laws, etc.
- Economic consequences: Those directly related to the loss of money and assets by the organization and/or its members.
These types of consequences are just suggestions. If the exercise needs to be simplified, some of the proposed axes may be explicitly combined or excluded, and if the team considers it pertinent, new types may be added, for example image or religious consequences (if applicable).
- Once there is a clear understanding of all the types of consequences, it is suggested to ask the participants to think about the possible consequences of the compromise of the mapped pieces of information in terms of availability, integrity and confidentiality, to take note of these, and to place them on sticky notes or their digital equivalent below the type of consequence to which each belongs (digital, physical, legal, etc.).
- Many consequences are expected to be repeated; in these cases, the Post-it or equivalent that already exists is enough.
- Thinking about availability, integrity and confidentiality is an aid to facilitate the discussion and the brainstorming of consequences. However, if the team feels comfortable with it, raising the possible consequences in other terms works just as well, as long as they can be prioritized in the next step.
- The compromise of a piece of information is expected to have consequences on more than one axis.
- Some examples of consequences can be:
- Loss of legal status of the organization (administrative consequence).
- Death of complainants (physical consequence).
- Assaults on beneficiaries (physical consequence).
- Excessive fine (economic consequence).
- Waiver or dismissal of staff (administrative consequence).
- Loss of the website (digital consequence).
- Search warrant of the headquarters (judicial consequence).
- Drastic increase in levels of stress in team work (emotional consequence).
- Excessive increase in team workload (emotional consequence).
Map of consequences
- After compiling a number of consequences of each type, introduce the idea of grading the mapped consequences according to their level of impact, and then suggest creating a vertical axis that represents null, low, medium and high impacts. If the facilitator and the team feel comfortable with it, this scale can be changed to any other considered convenient (from 1 to 10, adding a critical impact to the proposed levels, etc.). After creating this axis, place the mapped threats into those different categories with the support of the team, as shown in the figure.
Take this into consideration:
- It is possible to end up with some blank spaces; depending on the case, it is worth asking the team what consequences are missing in those spaces. In the case of low or null impact it is not mandatory to place direct consequences, since everything that is considered below the consequence with the least impact is irrelevant.
- This part of the activity should be given an adequate amount of time, since it represents the pillar of the first security policy of the organization (data classification).
Level of impact
- Once the team is satisfied with the consequence matrix, the pieces of data mapped at the beginning of the activity can be associated with the level of impact of the consequences of their compromise. This can be done in multiple ways; one proposal is shown in the following graph.
Data objects sorted by the level of impact
Closure of the activity
At the end of the activity you can discuss and emphasize what has been achieved:
- Axes of consequences were defined and associated with the data the organization manages.
- The bases of the data classification policy were established, so each time a new piece of information is handled, the level of impact associated with its compromise can be easily determined. Together with the products that will be generated later, this will make it possible to determine the safety measures to be taken.