Secure online communications

From APC Writer's Wiki
Revision as of 07:55, 22 May 2015 by Tarryn

The Association for Progressive Communications (APC) Security Policy governs the use of computer equipment and portable devices by APC staff, and provides cursory guidance on how to maintain privacy and manage sensitive information when handling work-related data.

Below is an overview of some of the DOs, DON'Ts and best practices (“CONSIDERATIONS”) that are covered in more depth beginning on page four. The DOs and DON'Ts are baseline obligations for APC staff and must be followed in compliance with APC policy.

Executive Summary

DOs

  • Configure your email client to communicate with the server via a secure SSL/TLS connection.
  • Have a PGP/GPG key that can be used for encrypting email or other sensitive data stored on your computer. PGP/GPG keys should have a passphrase which is, at minimum, two words long. Encrypt sensitive data on portable devices.
  • Follow APC's staff policy for exchanging email communication and guidelines for encrypting emails. When accessing your email with a web browser (e.g. APC webmail) connect through a secure interface using the protocol https.
  • Follow APC's guidelines for mailing lists and encrypted mailing lists.
  • Use OwnCloud for cloud data storage and data sharing.
  • Use OwnCloud calendaring to host shared calendars (replacing Google Calendars).
  • Share documents via OwnCloud (for asynchronous collaboration) or use Etherpads for (synchronous) collaborative document editing.
  • Use Jitsi for messaging/VoIP communication whenever possible, and for all messaging/VoIP communication within the APC team.
  • Delete your chat history in Skype as soon as you end a chat that contains compromising information. Consider switching off your chat history altogether so it is never logged.
  • Use and periodically update anti-virus software on your computer.
  • Clearly state what you will do with any sensitive information you are collecting, such as logistics details (passport numbers), and how it will be stored.
  • Install LibreOffice or another office package that supports open format standards.
  • Employ a passphrase protected screensaver that automatically activates after 10 minutes of inactivity (applies both to computer and portable devices).
  • Create an OpenID account on the apc.org website to use as an authentication mechanism for all APC online spaces.
  • Install and be able to use anonymisation software such as TOR or Orbot for anonymous web browsing on your desktop and portable devices.
  • Follow APC’s policy for work relating to A/V recordings and digital stories.
  • Treat suspicious email communication as potentially hazardous to our equipment and data. Don’t disclose even mildly sensitive information to anyone about whose identity you have the least doubt.
  • Ensure that no unauthorised entity has access to your computing devices or the data stored on them, including backup devices.

DON’Ts

  • Use Skype on other people's machines for conversations that contain highly compromising information or that involve participants whose identity must be kept secret.
  • Use Skype for communication within the APC team, unless it is absolutely necessary.
  • Collect data that are considered even mildly sensitive without using APC's LimeSurvey online survey tool, encrypted email communication or other secure and encrypted means.
  • Use Microsoft Outlook or other email clients shipped with Windows or with the Microsoft Office package. Additionally, don’t use Microsoft Internet Explorer or other browsers packaged with Windows, unless it is absolutely necessary.
  • Store passphrases for access to APC services, APC online spaces or other APC data in email messages, text files, in your browser's password manager, etc., or on paper sheets or post-it notes. Only store passphrases on your computer in an encrypted format.

CONSIDER

  • Finding out whether or not the use of encryption in internet communication is legal in your country of residence.
  • Educating yourself on issues of privacy related to communication in encrypted lists.
  • Following this guide to increase security when using “the cloud” or an online storage system such as Dropbox.
  • Using open source password management software such as KeePass if you cannot remember all your passphrases.
  • Backing up your data at least once per week, if not more often. Backup media must be stored in a safe place. Additionally, all confidential or sensitive APC-related backup data should be encrypted.
  • Prioritising free and open source software whenever possible.
  • Connecting to web content via https connection whenever possible.
  • Following APC's guidelines for establishing a secure connection if you cannot use a wired connection to get online from your office or home.