General guidance for creating security plans and agreements
From TCU Wiki
Components of a security plan
As far as individual HRDs are concerned, a simple security plan may include the following sections:
- Objective (or activity, region, area of work, etc)
- Threats - ideally you will create a security plan for each threat
- PREPARE: Prevention of threats
- Most security plans will include tactics which aim to prevent identified threats from taking place (i.e. reducing their likelihood). Examples of prevention tactics might include encrypting a database of contacts so as to reduce the likelihood that it can be accessed by adversaries, or employing a security guard at the office so as to reduce the likelihood that it is broken into.
- Many of these tactics will reflect strategies of acceptance, deterrence and protection or self-defence. As such, they may include advocacy campaigns or other forms of engagement with the public or civilian and military authorities in order to raise consciousness and acceptance of the legitimacy of our work; strengthening of ties with our allies in order to raise the potential cost of aggressions against us, and any number of tactics which build our own capacities and agility in the face of the threats to our work which we have identified.
- In this section, consider the following activities:
- Identify & assess the threats and your vulnerabilities: This involves systematically analyzing your assets (physical and digital) to understand potential threats and to know the vulnerabilities that could be exploited.
- Develop security policies and procedures: Create clear policies outlining acceptable behavior regarding physical and digital security, and incident reporting.
- Implement preventive measures: Based on the identified threats, implement safeguards, procedures and tools, and consider staff training programs, to minimize the potential impact of those threats.
- Invest in security awareness programs: Regularly educate your staff/colleagues on the established security plans and measures. This empowers them to identify, respond and report effectively.
- Conduct security testing: Regularly assess the effectiveness of security measures through penetration testing (simulated attacks) and security drills. This helps identify weaknesses and refine procedures.
- TOOLS: Devices and information - Devices and information refers to the devices we will depend on in order to carry out our work, and the tactics we will employ in order to ensure that our information and communication cannot be accessed by others.
- RESPOND: Emergency responses
- Emergency plans, also called contingency plans, are the actions which we take in response to a threat becoming a reality. They generally have the aim of lessening the impact of the event and reducing the likelihood of further harm in its aftermath. Examples of emergency response tactics might include bringing a First Aid kit with you when travelling, in case of minor injuries, or a mask and goggles to a protest in case tear gas is used.
- Coordinating a response to an emergency always involves coordinating actions, so digital communication is increasingly important. Decide what the most secure and effective means of communicating with each actor is in different scenarios, and identify a back-up means too. Be aware that for emergencies, it might be useful to have clear guidelines on what to communicate, which channels to use, and to whom.
- In this section, consider the following activities:
- Build an incident response plan: Develop a clear plan outlining actions to be taken in case of a security threat. This includes identifying the designated responders, notification procedures (internal teams, authorities), and containment strategies to mitigate impact.
- Communication Strategy: Establish a communication plan for internal and external stakeholders during a security incident. This ensures timely and accurate information is disseminated, minimizing confusion and panic.
- Business continuity plan: A strategy to ensure critical operations continue with minimal disruption during an incident.
- Disaster recovery plan (data backups and recovery): Establish a specific plan for recovering IT systems and data, and maintain robust data backup and recovery procedures to ensure business continuity after a disaster like a fire, flood, or cyberattack.
- Communication and Collaboration: effective communication and collaboration across teams are crucial for successful incident response and recovery.
- Train your people: Regularly train staff on security policies, incident reporting procedures, and their roles during a contingency.
- TREAT: Well-being considerations
- Actions we take to maintain our physical energy and a mindful approach to our work and our security. It may include such considerations as where and when we will eat, sleep, relax and enjoy ourselves in the course of our work.
- In this section, consider the following activities:
- Analyze lessons learned: conduct a thorough assessment to understand the cause and scope of the security incidents. This helps identify your vulnerabilities, prevent future occurrences, and establish better prevention plans.
- Recovery and Remediation: Implement measures to restore affected systems and data. This might involve patching vulnerabilities in software, restoring lost data from backups, and implementing additional security measures to prevent similar incidents.
- Psychological safety considerations: Give priority to those affected by the incident, and ensure that appropriate care is provided to them if they are physically or psychologically injured. Deal with the causes of the incident accordingly later.
- Review and update your security plans and approach: Following an incident, review your security posture and update policies, procedures, and preventative measures based on the lessons learned.
Example of a basic security plan
Below is an example from the Holistic Security Manual (see )
- Objective: Mission to collect testimonies of victims of human rights abuses in a rural area.
- Threats
- Harassment or arrest by police.
- Confiscation of computer, mobile phone.
- Loss of data as a result.
- Compromising victims’ anonymity as a result.
- PREPARE: Prevention of threats
- Alert colleagues and friendly embassies and international organisations of the mission, its duration and location.
- Share contact details of local authorities/aggressors with embassies and international organisations.
- Check-in with colleagues every 12 hours.
- Testimonies will be saved to encrypted volume immediately after writing.
- Testimonies will be sent encrypted with GPG to colleagues every evening.
- Email inbox and sent folder will be cleaned from the device after use.
- Security indicators and check-ins will be shared over an encrypted messenger.
- Devices and information
- Mobile phone with encrypted messenger and call apps.
- Computer with encrypted volume and encrypting emails with GPG.
- RESPOND: Emergency responses
- Prepare an alert message (code) to send in case of surveillance/ being followed.
- Prepare an alert message (code) to send in case of arrest.
- Have lawyer’s number on speed-dial.
- Emergency plan
- In case of arrest, send alert message and call lawyer.
- On receiving alert message, colleagues will alert friendly embassies and international organisations.
- Ask for urgent appeals to be sent by international organisations to authorities.
- Hand over password for encrypted volume if under threat of abuse.
- TREAT: Well-being considerations
- Eating in a decent local restaurant, at least twice a day.
- Switching off mobile phone and all other devices during mealtimes.
- Calling family over a secure channel to connect every evening.
Templates and examples
- Unified Safety & Security Operating Procedure-Plan /or Agreement (PDF) (or download the .docx version of this document) -- This document is a collection of example security plans. It includes a number of risks, with examples of mitigation strategies, prevention advice, and emergency procedures that the reader can use as a reference. It is highly important to modify these risks to fit the context area, and to assess the risks and develop strategies and procedures in a way that suits our capabilities and the ease of implementing them on the ground.