This sample cybersecurity policy was created by IslamicFamily.ca.
Brief
Maintaining the relationships, trust and integrity we have built with the community requires us to treat the data we hold as a sacred trust, plan for continuity of service & reduce the impact of cyber incidents. The purpose of this document is to make it easier to know what practical steps to take to build a more secure organization, by identifying assets and risks together with the preventative and reactive measures organizations can take.
How to adapt this document to your needs…
This work is licensed under a Creative Commons Attribution NonCommercial ShareAlike License. Please copy & adapt it to your needs. If you do, please share credit and provide feedback.
Principles
The principles underlying our approach to cybersecurity are…
1) Technology is an Opportunity: We want to facilitate our teams' use of tech in a joyful, optimistic and curious way. Tech provides an opportunity to communicate in new ways, improve workflows and bring delight.
2) Focus on achievement not activities: Security is not about busy work; it must focus on measurable proactive steps with discernible results. E.g., we can't just focus on awareness, we must track the percentage of devices we have that are running up-to-date software.
3) Prepare / Prevent
4) Inform & Rectify: Communicate compromises and losses as we learn about them to the people that are impacted by them; clients, team, partners. Second, do our utmost to rectify the damage caused by loss through support (especially for marginalized individuals), connection to resources, revising policy/procedures and apologizing.
5) Paranoia Undermines Prevention – Be Honest
Hostile policies undermine security. We want our teams to feel safe and supported. We do not want them to feel like they are being watched, confined or restricted by policies. Second, we need to be honest and transparent; cybersecurity tools enable surveillance and have the potential to undermine culture and effectiveness. We should adopt an “Honest Security” approach.
Staff Training
All staff must undergo training at onboarding (and every two years thereafter). Training records will be kept in WebHR. Training will include…
1) Creating safe and secure passwords using a password manager (e.g., Apple's Keychain, 1Password).
2) Using the internet and social media safely. This should include proactive and positive ways to engage on social media. (See: Creating a Personal Voice Plan).
3) Safely using software and apps on workplace devices.
4) How to identify malicious links and phishing emails.
Staff whose roles involve "how" we handle client data must also undergo training on…
5) Obtaining consent. Studying the First Nations principles of ownership, control, access, and possession (OCAP), GDPR, & PIPEDA.
6) Storage of data on devices & the cloud.
Staff whose roles involve building/managing digital products and social media must…
7) Complete the Toronto Metropolitan University: Simply Secure e-learning modules.
Assets & Measures
Digital Asset | Preventative | Reactive | Who's Responsible |
---|---|---|---|
Passwords | Keep passwords in a secure wallet and limit access to the wallet. Rotate passwords after departure of personnel. | | Operations |
Client Data & Personal Info | Store client data securely and transmit it via encrypted channels to the extent possible. Minimize. Seek/document. | Inform any clients that may have been impacted by the breach. Offer support. | Innovation Director, Clinical Director, client-facing staff |
Supporter & Donor Data | Only input payment data via secure methods that do not retain info on the device. Limit full access to DRM (Donor Provide partial Use | | Community Relationships Manager, Controller |
Access to Subscribers/Followers | Limit access to SM (Social Media), mailing lists, etc., to select staff. | | Communications Lead |
Internal Communication Systems (e.g., cell access, email, Slack) | Inform staff of our communication fallback plan. E.g., if Slack goes down, then email; if GSuite goes down, then call your manager; if in doubt, come to the office. Maintain a calling tree (WhatsApp/Signal group) with the contact details for staff, board & exec. | Send team updates via calling tree/alternative group chat. | Operations |
GSuite Accounts (misused or misappropriated via phishing) | Suspend all account access as part of staff offboarding. Suspend volunteer/board accounts after 6 months of inactivity. Internally verify any request over two channels (e.g., a request to create a new account for a volunteer should be confirmed via Slack & email). | Inform staff of the fallback option should their device be compromised, e.g., visiting the office, or calling and answering identifying questions. Suspend any accounts acting suspiciously. Remote wipe devices. | Operations |
Digital Subscriptions | Review all active digital subscriptions monthly via credit card statements and accounts payable. Maintain a list of active subscriptions on Notion. | Cancel unwanted subscriptions; inform the credit card company of unauthorized payments. | Operations |
Staff Payroll | Limit access to payroll to the Controller. Controller to review payroll provider statements. Auditor to review payroll. | Have two reviewers of payroll: ED & Controller. | Controller, Treasurer, ED |
Finance Systems: Outgoing Payments | Authorize outgoing transactions (EFTs/e-transfers) via two modes of communication (e.g., email & Slack). Require two people to authorize any outgoing payment. | | Controller, Treasurer, ED |
Finance Systems: Incoming Payments | Review any changes to incoming payments and track expected vs. actual quarterly. | | Controller, Treasurer, ED |
Physical space (Hüb) | Require a pledge for accessing our space (door access is not to be shared). Only provide access to staff and pledge takers. Limit access based on need/security authorization. Review access logs. Secure wifi with separate access for staff & guests. | | Operations |
Physical devices | Install and maintain mobile device management (MDM) software. Apply patches within 14 days. SIM lock all phones via the carrier to prevent SIM swap attacks. Monitor staff devices for security threats using MDM. Share a monthly update on the status of staff devices: how many devices need updates/patches, how many threats have been avoided. | Wipe any device reported missing. | Operations |
Internally Developed Apps | Conduct a third-party audit of app data transmission to verify end-to-end (ETE) encryption & security of data. Deploy security software that counters attacks, such as DNS filtering, malware protection, antivirus software, firewalls, and email security solutions. Keep a regular cadence of system backups and updates. Maintain a guide covering personal data protection, password idleness, suspicious emails/URLs, and physical security of devices. | | Product Manager |
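The monthly device-status update the Physical devices row asks for, and the "percentage of devices running up-to-date software" metric from Principle 2, computed over an MDM inventory export. This is an added example, not part of IslamicFamily.ca's policy; the field names and the sample devices are assumptions, and the 14-day window is the policy's own value.

```python
from datetime import date

# Policy values from the page: patch within 14 days; report monthly how many
# devices need updates and what share of devices run up-to-date software.
PATCH_WINDOW_DAYS = 14
REPORT_DATE = date(2024, 4, 1)  # constructed report date

# Constructed MDM inventory export (assumed field names, not real devices):
# installed/latest OS versions, release date of the latest version, MDM enrolment.
INVENTORY = [
    {"id": "mac-01", "installed": "14.4", "latest": "14.4", "released": date(2024, 3, 7), "mdm": True},
    {"id": "mac-02", "installed": "14.3", "latest": "14.4", "released": date(2024, 3, 7), "mdm": True},
    {"id": "ios-03", "installed": "17.4", "latest": "17.4.1", "released": date(2024, 3, 21), "mdm": True},
    {"id": "win-04", "installed": "10.0.19045", "latest": "10.0.19045", "released": date(2024, 3, 12), "mdm": True},
    {"id": "android-05", "installed": "13", "latest": "14", "released": date(2023, 10, 4), "mdm": False},
]

def _version(v):
    """Compare dotted versions numerically so '14.10' sorts after '14.4'."""
    return tuple(int(part) for part in v.split("."))

def patch_status(record, today):
    """Classify a device: unmanaged (not in MDM, so unverifiable), current,
    within-window (behind, but the latest release is <= 14 days old) or overdue."""
    if not record["mdm"]:
        return "unmanaged"
    if _version(record["installed"]) >= _version(record["latest"]):
        return "current"
    age_days = (today - record["released"]).days
    return "within-window" if age_days <= PATCH_WINDOW_DAYS else "overdue"

def monthly_report(inventory, today):
    """Counts per status, the percentage metrics, and the devices needing action."""
    counts = {"current": 0, "within-window": 0, "overdue": 0, "unmanaged": 0}
    overdue = []
    for rec in inventory:
        status = patch_status(rec, today)
        counts[status] += 1
        if status == "overdue":
            overdue.append(rec["id"])
    managed = len(inventory) - counts["unmanaged"]  # unmanaged devices are excluded
    pct = lambda n: round(100.0 * n / managed, 1) if managed else 0.0
    return {
        "counts": counts,
        "pct_up_to_date": pct(counts["current"]),  # the Principle 2 metric
        "pct_compliant": pct(counts["current"] + counts["within-window"]),  # inside the 14-day SLA
        "overdue": overdue,  # devices that need action this month
    }
```

Run `monthly_report(INVENTORY, REPORT_DATE)` to produce the figures for the monthly update; unmanaged devices are listed separately rather than counted as up to date, since MDM cannot vouch for them.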
External Risks | Impact | Prevention | Reaction | Who's Responsible |
---|---|---|---|---|
Targeted by social media (Doxing, Misinformation, Disinformation) | Overwhelm phones, SMS, email and make communication with clients difficult. | Monitor complaints email & hotline for unusual activity. Maintain accurate information on web & social media. | 1. Report: attempt to remove problematic content that mentions the organization by reporting it; this may need to be coordinated by multiple staff members in order to gain sufficient attention from moderators. 2. Ignore: do not engage with the content if doing so may lead to increased attention. 3. Inform: prepare and post a response to the content. | Communications Manager |
Vendor Breach (e.g., AWS or Google is involved in a data breach) | | Maintain a list of the systems we depend on and monitor them for compromises (e.g., AWS, GSuite, Stripe). Maintain a list of the systems we use and what systems they are connected to (e.g., Notion is built on AWS). Use 1Password monitoring to stay apprised of system compromises. | Inform any stakeholders when breaches occur with our vendors. | |