General guidance for creating security plans and agreements

From TCU Wiki
Revision as of 20:07, 29 May 2024 by Kristin1 (talk | contribs)

Components of a security plan

As far as individual HRDs are concerned, a simple security plan may include the following sections:

  • Objective (or activity, region, area of work, etc)
  • Threats - ideally you will create a security plan for each threat
  • PREPARE: Prevention of threats
    • Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). Examples of prevention tactics might include encrypting a database of contacts so as to reduce the likelihood that it can be accessed by adversaries, or employing a security guard at the office so as to reduce the likelihood that it is broken into.
    • Many of these tactics will reflect strategies of acceptance, deterrence and protection or self-defence. As such, they may include advocacy campaigns or other forms of engagement with the public or civilian and military authorities in order to raise consciousness and acceptance of the legitimacy of our work; strengthening of ties with our allies in order to raise the potential cost of aggressions against us, and any number of tactics which build our own capacities and agility in the face of the threats to our work which we have identified.
    • TOOLS: Devices and information - Devices and information refer to which devices we will depend on in order to carry out our work, and the tactics we will employ in order to ensure that our information and communication can not be accessed by others.
  • RESPOND: Emergency responses
    • Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. They generally have the aim of lessening the impact of the event and reducing the likelihood of further harm in its aftermath. Examples of emergency response tactics might include bringing a First Aid kit with you when travelling, in case of minor injuries, or a mask and goggles to a protest in case tear gas is used.
    • Coordinating a response to an emergency always involves coordinating actions so digital communication is increasingly important. Decide what the most secure and effective means of communicating with each actor is in different scenarios and identify a back-up means too. Be aware that for emergencies, it might be useful to have clear guidelines on: what to communicate, which channels to use, and to whom.
  • TREAT: Well-being considerations
    • Actions we take to maintain our physical energy and a mindful approach to our work and our security –it may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work

Example of a basic security plan

Below is an example from Holistic Security Manual (see )

  • Objective: Mission to collect testimonies of victims of human rights abuses in a rural area.
  • Threats
    • Harassment or arrest by police.
    • Confiscation of computer, mobile phone.
    • Loss of data as a result.
    • Compromising victims’ anonymity as a result.
  • PREPARE: Prevention of threats
    • Alert colleagues and friendly embassies and international organisations of the mission, its duration and location.
    • Share contact details of local authorities/aggressors with embassies and international organisations.
    • Check-in with colleagues every 12 hours.
    • Testimonies will be saved to encrypted volume immediately after writing.
    • Testimonies will be sent encrypted with GPG to colleagues every evening.
    • Email inbox and sent folder will be cleaned from the device after use.
    • Security indicators and check-ins will be shared over an encrypted messenger.
    • Devices and information
      • Mobile phone with encrypted messenger and call apps.
      • Computer with encrypted volume and encrypting emails with GPG.
  • RESPOND: Emergency responses
    • Prepare an alert message (code) to send in case of surveillance/ being followed.
    • Prepare an alert message (code) to send in case of arrest.
    • Have lawyer’s number on speed-dial
    • Emergency plan
      • In case of arrest, send alert message and call lawyer.
      • On receiving alert message, colleagues will alert friendly embassies and international organisations.
      • Ask for urgent appeals to be sent by international organisations to authorities.
      • Hand over password for encrypted volume if under threat of abuse.
  • TREAT: Well-being considerations
    • Eating in a decent local restaurant, at least twice a day.
    • Switching off mobile phone and all other devices during mealtimes.
    • Calling family over a secure channel to connect every evening

Templates and examples

  • Unified Safety & Security Operating Procedure-Plan /or Agreement (PDF) (or download the .docx version of this document) -- This document is a collection of example security plans. It includes a number of risks, adding examples of mitigation strategies, prevention advice, and emergency procedures for the reader to benefit from as reference. It’s highly important to take into account the importance of modifying these risks in relation to the context area, while assessing the risks and developing strategies and procedures in a way that suits our capabilities and the ease of implementing on the ground.

Further reading

Retrieved from "https://wiki.digitalrights.community/index.php?title=General_guidance_for_creating_security_plans_and_agreements&oldid=50558"