Estimated time: 15 min
Justification
One of the core activities of any organization is handling data, since every process it carries out can be abstracted as the generation, processing, storage and publication of information. Organizations doing activism or documentation in the field of human rights handle a wide variety of information whose compromise could have negative consequences for the organization, its members or related actors. The purpose of developing a data protection policy is to establish a set of guidelines that help to treat each piece of information in the most appropriate way according to its sensitivity.
Input data
- Data mapping developed in the section Data mapping and classification
- Information flow mapping developed in the section Information flow mapping
- Template 1: Data protection policy, open on a device so it can be filled in during the activity.
Associated Concepts
| Sensitivity levels of data | A scale that establishes how sensitive a piece of information is considered to be and therefore how much protection it needs. Many scales have been proposed; which one to apply depends on the organization's needs. |
| Principle of least privilege | Proposes that data should be accessible only to those people who need to use it within their usual processes. This reduces the attack surface and, consequently, the risks associated with exposure of the information. It is related to the **need-to-know principle**. |
| Those responsible for the information | The people with direct responsibilities for handling information. Some reference frameworks divide them according to who creates the information, who handles it, who has custody of it, who destroys it and who is accountable for its compromise, among other schemes. This manual abstracts away these distinctions as far as possible, with small work groups and simplified security policies in mind; however, if the organization finds it convenient to make such distinctions, the policies described here can be adapted to that need. |
| Disposal of information | Refers to the techniques used to dispose of data once it has reached its end of life or must be destroyed for regulatory or security reasons. These techniques vary in complexity and in how securely they dispose of the information, especially with regard to the possibility of reconstructing it. |
Policies to be developed
- The data protection policy developed in this activity condenses content found in the following policies described in standard reference frameworks:
- Data classification policy: Defines the criteria by which the sensitivity level of the information handled is determined, and the general guidelines for managing this information at the proposed sensitivity levels. It also usually designates those responsible for managing and safeguarding the information handled by the organization.
- Data retention policy: Defines, among other things, the time the organization can keep certain types of sensitive information, how to dispose of it, when it is removed, in which devices, which security practices should be applied to each type of sensitive information, and how sensitive information is processed according to legal regulations and best practices.
- Data access policy: Defines which pieces of information can be accessed and handled by the different groups of the organization, in order to reduce the chances of compromise and make the flow of information within the organization's processes more efficient.
Guiding questions
- What is the scope of the proposed policy?
- What levels of sensitivity does the information handled by the organization have and how are they described?
- How can any piece of information be classified at the proposed sensitivity levels?
- Who is responsible for the protection of the information?
- Who should have access to information and who should not?
- What measures should be taken to handle information according to its level of sensitivity? (Raise key concepts)
- What specific tools, practices and devices should be used to handle information according to its level of sensitivity?
1. Scope of the policy
The scope of this policy covers two aspects:
- Affected team members: for example, all members of the team, only some of them (the investigative journalism team, the people handling complaints, etc.), all members of the organization, or even external allies who collaborate on certain topics.
- Types of data considered: either only certain types of information handled by the organization, or every piece of information handled by the group. This exercise is designed for the second case; however, the group may narrow it as it sees fit, as long as the activity can still be carried out fluently.
It is suggested to discuss both aspects and record the results of the discussion in section (1) of the template.
2. Sensitivity levels of information
What levels of sensitivity does the information handled by the organization have and how are they described? How can any piece of information be classified according to the sensitivity levels proposed?
- Review the consequence matrix from the Data mapping and classification activity.
- Introduce some classification schemes commonly used in information security, then propose keeping the impact levels already developed.
- Classifications such as public, internal, confidential, secret or regulated data are often used, defined by the damage that their compromise may cause. In this methodology, the same impact levels proposed in previous sections can fill this role and are suggested for simplicity.
- Merge the content of each row into a single table cell per impact level and transfer this information to section (2) of the template, as shown in the figure.

Levels of impact on information
3. Responsible for information
Who is responsible for the data protection?
When handling information with different levels of sensitivity, it is important to ensure that security measures are put in place to protect the data, so it matters to know who is responsible for implementing and maintaining the suggested measures. Although standard reference frameworks propose several roles regarding responsibility for information, it is recommended to use only the role of information custodian. Depending on the organization's needs and dynamics, there are several approaches to determining who the custodians of the information are, e.g.:
- People who generate the information objects.
- Coordinators of departments or areas associated with information objects.
- The people handling the information at any given moment.
- Specific people designated case by case.
- Other allocation criteria.
The idea is to present these options, discuss which of them best applies to the organization, and record the choice in section (3) of the template.
4. Restriction basis of access to information
Who should have access to information and who should not?
When establishing data protection policies, it is important to control the team's access to information. This is achieved through access control lists or rules that determine who can access each type of information and who cannot. These considerations are usually included in a data access policy, which is based on the principle of least privilege: only the people who need to handle certain information should be able to access it, minimizing the chances of compromise.
The first premise to validate with the group is whether they agree to formally follow this principle. Agreement is expected, but it is worth exploring any scenario where applying it might be difficult; in those cases, make it clear that the probability of the information being compromised rises considerably. The principle of least privilege is already written into section (4) of the template by default.
4a. Access control policies (optional)
If the organization handles very sensitive information, is interested in tightening control over access to it, and time is available, a first version of an access control matrix can be developed. Section (4) of the template contains an example of such a matrix: the columns are departments, areas or even specific positions, depending on the structure and dynamics of the organization; the rows are the pieces of information with high sensitivity levels; and each cell states which areas or people may access which pieces.

Data access control matrix
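Once a first version of the matrix exists, it is worth checking it mechanically for the inconsistencies that most often slip in during the workshop: a high-impact row left open to every column, a row without a custodian, a custodian with no access to their own information, or cells left undecided. The following Python script is an added illustration and is not part of the original manual or its template; the group names, information objects and access values in it are constructed for the example and should be replaced with the organization's own data mapping.

```python
"""Consistency checks for a first-version data access control matrix.

Added illustration, not part of the original manual. The groups, information
objects and access values below are constructed for the example; adapt them
to the organization's own data mapping and template.
"""

# Columns of the matrix: departments, areas or positions (constructed names).
GROUPS = ["coordination", "investigations", "complaints", "communications"]

# Rows of the matrix: pieces of information. Each row carries the impact level
# from the data mapping, the custodian chosen in section (3) of the template
# and, per group, whether that group needs access ("yes" / "no").
MATRIX = {
    "complainant identities": {
        "impact": "high",
        "custodian": "complaints",
        "access": {"coordination": "yes", "investigations": "no",
                   "complaints": "yes", "communications": "no"},
    },
    "source contact list": {
        "impact": "high",
        "custodian": "investigations",
        "access": {"coordination": "no", "investigations": "yes",
                   "complaints": "no", "communications": "no"},
    },
    "draft press releases": {
        "impact": "medium",
        "custodian": "communications",
        "access": {g: "yes" for g in GROUPS},   # open to everyone on purpose
    },
    "raw interview recordings": {
        "impact": "high",
        "custodian": "",                        # forgotten: no custodian
        "access": {g: "yes" for g in GROUPS},   # too broad for high impact
    },
}


def check_matrix(matrix, groups):
    """Return a list of (row, finding) pairs describing policy inconsistencies."""
    findings = []
    for name, row in matrix.items():
        access = row["access"]
        allowed = {g for g in groups if access.get(g) == "yes"}
        custodian = row.get("custodian", "")
        # Section (3): every piece of information needs a custodian, and the
        # custodian must be one of the matrix columns with access to the row.
        if not custodian:
            findings.append((name, "no custodian assigned"))
        elif custodian not in groups:
            findings.append((name, f"custodian '{custodian}' is not a column of the matrix"))
        elif custodian not in allowed:
            findings.append((name, f"custodian '{custodian}' has no access to its own information"))
        # Section (4), least privilege: a high-impact row open to every group
        # is not restricted at all, which is what the matrix exists to prevent.
        if row["impact"] == "high" and allowed == set(groups):
            findings.append((name, "high-impact information accessible to all groups"))
        # A row nobody may access blocks the process that produces or uses it.
        if not allowed:
            findings.append((name, "no group has access; the information flow is blocked"))
        # Unfilled cells are ambiguous: the matrix must answer yes/no for every group.
        missing = [g for g in groups if access.get(g) not in ("yes", "no")]
        if missing:
            findings.append((name, "undecided access for: " + ", ".join(missing)))
    return findings


def accessible_to(matrix, group):
    """Sorted names of the information a given group is allowed to handle."""
    return sorted(n for n, r in matrix.items() if r["access"].get(group) == "yes")


if __name__ == "__main__":
    for row_name, finding in check_matrix(MATRIX, GROUPS):
        print(f"{row_name}: {finding}")
    for g in GROUPS:
        print(f"{g} may handle: {', '.join(accessible_to(MATRIX, g))}")
```

Run on the constructed matrix, the script reports only the "raw interview recordings" row (missing custodian and open to all groups); the per-group listing at the end is the need-to-know view that can be read back to each area during the discussion so they can confirm the rows they truly need.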
5. General data manipulation directives
What measures should be taken to handle information according to its level of sensitivity?
Using the matrix developed in the Information flow mapping activity, collect the general criteria described for each impact level and record them in section (5) of the template.
In this section it is important to avoid naming specific tools or services and instead describe the security properties they must have. That way, if any of them changes, you will still have the criteria to select a replacement that meets the same or a better standard. E.g.: instead of recommending Signal for communications, specify "chat services with end-to-end encryption".

General considerations by level of impact
6. Specific data manipulation directives
What specific tools, practices and devices should be used to handle information according to its level of sensitivity?
As in the previous step, for each impact or sensitivity level, collect the devices, the other places where information is kept at rest, and the communication channels selected for that level, and record them in section (6) of the template as shown in the table. Space is left for any additional considerations that must be met in each case.
For simplicity, if the organization and the facilitator consider it convenient, only the highest impact levels need to be considered, since the lower levels can require considerably more time and effort to fill in; in that case the tables for the low and medium levels can be deleted.

Security directives by level of impact
Aspects excluded from the policy
- Information retention period: how long the organization will retain certain types of information and what processing will need to be done before deletion.
- Disposal of the information: how the information should be destroyed, according to its sensitivity level, so as to prevent its reconstruction or the tracing of the data.
- Detail of the risks associated with this policy: which risks are addressed by complying with this policy.
- Specific responsibilities: responsibilities beyond the custodian role that may be relevant to the organization.
- Training plan on the concepts, techniques and tools proposed in the policy.