Témák

A fizikai biztonság védelme

Fizikai javak védelme

Az információbiztonság lényeges eleme az eszközök fizikai biztonsága. Amellett, hogy a zárolási képernyők és jelszavak használatával, a teljes lemeztitkosítás megvalósításával és a távoli törlési funkciók bekapcsolásával mérsékelheti az ellopott eszközök hatását, azt is meg kell fontolnia, hogyan lehet megakadályozni, hogy ezeket az eszközöket ellopják. A lopás megnehezítése érdekében ügyeljen arra, hogy erős zárakat szereljen fel (és cserélgesse azokat, amikor a személyzet változik) az irodában és/vagy otthon. Fontolja meg laptopszéf vagy zárható szekrény vásárlását is, hogy az eszközöket éjszaka jobban védje. A biztonsági kamerák sokkal olcsóbbak lettek, az otthoni használatra tervezett egyszerű változatok szélesebb körben kaphatók. Az ilyen kamera- vagy mozgásérzékelő rendszerek az épület körül képesek észlelni és remélhetőleg megakadályozni a fizikai betöréseket és lopásokat. Keressen az Ön országában elérhető, amagánélet tiszteletben tartására irányuló lehetőségeket, és mindenképpen olyan megbízható vállalatok által biztosított kamerákat válasszon, melyeknek nem érdeke adatokat és információkat átadni egy potenciális ellenfélnek.

Ha nagy a betörés vagy az irodai razzia kockázata, tartsa távol a szervezet legérzékenyebb adatait az irodától – akár úgy, hogy biztonságosan tárolja őket a felhőben (ahogyan korábban tárgyaltuk), akár úgy, hogy fizikailag kevésbé célzott helyre helyezi át őket. Ha a régi eszközökön még vannak tárolva adatok, de már nem használja őket, fontolja meg azok törlését – ez az útmutató a WireCuttertől nagyszerű forrást nyújt a legtöbb modern eszközhöz. Ha az eszközök törlése nem lehetséges, akkor azokat fizikailag is megsemmisítheti. Ennek legegyszerűbb, ha nem a leginkább környezetkímélő módja, ha kalapáccsal széttöri az eszközöket és merevlemezeket. Néha a legrégebbi megoldások működnek a legjobban!

Még e technikai lépések előtt szánjon egy pillanatot arra, hogy leltárt készít a vállalat összes berendezéséről. Ha nincs listája az összes eszközéről, nehezebb nyomon követni, hogy mi hiányozhat, ha valamit ellopnak.

What do we do with all this paper?

It is likely that your organization has a lot of information that is printed on paper, written in notebooks, or scribbled down on post-it notes. Some of this can be very sensitive: printouts of budgets, lists of participants, sensitive letters from donors, and notes from private meetings. It is essential to think about the security of this information as well. If you absolutely need to keep hard copies of sensitive information, ensure that it is stored safely in a locked cabinet or other safe place. Do not keep any private or sensitive information (including passwords) laying around on a desk or written up on a white board. If you believe your organization to be at high risk of a break-in or raid, keep highly sensitive information in a less targeted location.

To the extent possible, endeavor to dispose of unneeded hard-copy information. Remember: if you do not have it, it cannot be stolen. Set an organizational policy regarding ownership of hard-copy notes, and be sure to collect any paper notes from staff if they decide to leave or are let go from the organization (just like you would collect an organization-issued computer or phone). To get rid of sensitive paper, purchase a quality shredder. A fun end-of-week activity can be taking a 15-minute break with your staff to shred any leftover, sensitive print-outs or notes from the prior week.

The parliamentary office policy

Although for many the realities of “the office” have changed significantly since the beginning of the COVID-19 pandemic, it is still important for your organization to set a clear policy regarding office access. Such a policy should address key questions including who is allowed inside the office (and when), who can access what office resources (like the WiFi network), and what to do about guests.

A simple yet important question to answer is who gets an office key. Only trusted staff should have keys, and locks should be changed when staff leave and/or on a semi-regular basis. During the day, any doors that are left unlocked should be in constant view of someone trusted in the organization. Also consider whether the organization has a trusted relationship with your landlord or cleaning staff. Think about what information or devices such people might have access to and ensure that is protected, particularly if you do not have that trusted relationship. Whoever has access, someone trusted should always be designated to lock up the office and ensure devices are properly secured before leaving at the end of the day.

Are guests allowed inside the office? If so, ensure they do not have access (or at least unattended access) to devices or sensitive hard-copy data. If it is a requirement or expectation that guests have internet access when they visit, you should set up a “guest” network so that such guests do not have the ability to monitor your regular traffic. In general, only trusted personnel should be able to access the network and network devices such as printers. It is also usually a good idea to require guest registration so that you have a log of who has visited. 

As you develop an office policy, the goal should be to allow only trusted people access to sensitive devices, documents, spaces, and systems.

Sensitive Compartmented Information Facilities (SCIFs)

To hold highly sensitive conversations, some parliaments have secured physical rooms called SCIFs in place. These spaces are established so that sensitive information, such as issues related to national security or intelligence, can be viewed by and discussed between MPs and their staff without concern of outside surveillance or spying. In addition to proper physical construction, a proper SCIF necessitates that people leave devices (such as their cell phones) outside the room prior to entering for discussion.

Supporting staff and volunteers

Physical security threats to your organization can impact your staff too. Similar to harassment on social media, these physical security threats often disproportionately impact women and marginalized communities. It is not just about broken windows and stolen laptops. Intimidation, threats or instances of physical or sexual violence, domestic abuse, and fear of attack can have a serious negative impact on the lives of staff. For organizations that work with or support politically active women in particular, NDI’s #Think10 Safety Planning Tool is a useful resource to provide those who might be at increased personal risk as a result of their participation in parliament and politics more generally.

The well-being of staff is obviously an important asset to them as individuals, but it is also a crucial element to a healthy and well-functioning organization. To that end, consider what additional resources you can provide to staff to keep them protected and, in the case of physical or digital attack, help them recover. As mentioned earlier in the Handbook, this means at a bare minimum developing a list of resources that you can connect staff to for legal, medical, mental health, and technical assistance if needed. Once again PEN America’s Online Field Harassment Manual includes ideas for how organizations can support staff during and after crises.

Security while traveling

Traveling - whether to another country or the town down the road - often intensifies physical information security risks. It is generally safe to assume that you and your devices have no privacy rights when crossing borders. As such, it is a good idea to include a parliamentary travel policy within your security plan that includes reminders about key security best practices.

Your parliament’s travel policy should include a lot of the information covered in other sections of the Handbook including using the internet securely and keeping devices and other information sources physically secure and with you at all times when traveling. If possible, leave your sensitive information behind and just use a fresh, cleanly erased computer, access the files you absolutely need from the cloud, and then erase it when getting home again.

Booking Travel Securely for Your Parliament

When putting together a travel policy, keep in mind what information might be exposed when you organize or book travel. This can be particularly important if you are organizing large events or conferences for which you are handling sensitive information from a variety of staff, members, or attendees. Think carefully about how you will securely share and store (if needed) personal information like passport details, travel itineraries, and medical records.

In addition to preparing for travel and minimizing the data shared when you do travel, there are a few essential operational tips that you should think through and include in your parliamentary travel policy.

Consider using travel-specific laptops or phones that have little to no sensitive data stored on them. If most of your parliament’s work is done in the cloud, a relatively inexpensive Chromebook can be a good option for such a device. Factory reset, or “wipe” these devices upon their return before connecting to common Wi-Fi networks at home or the office.

Provide staff with contact information and a plan of action for what they should do if something goes wrong on their trip. This includes information about local hospitals, clinics, or pharmacies should they need medical assistance while traveling.

Staff should also keep all devices on their person while traveling. For example, keep your laptop at your feet (not the overhead compartment or in checked luggage) when on a bus, train, or plane. Do not assume a hotel room – or even the hotel safe – is a “safe place” to keep sensitive devices and items. Do not trust public USB charging ports. USB charging ports in airports, stations, and vehicles are becoming an increasingly common sight, and a very convenient way to power up devices. However, they can be an easy vector for picking up malware. So be sure to either charge devices the traditional way through a plug in the wall, or purchase USB data blockers to allow traveling staff to safely charge up their devices via USB.

Protecting your Physical Security

  • Remind members and staff to keep devices physically protected at all times.
  • Check and secure all the ways people can get onto your premises.
  • Develop a guest and access policy.
  • Use strong locks, ID/badge systems, and rotate/change them when needed.
  • Consider setting up cameras or other on-premises security systems.
  • Have and use paper shredders.
    • Set up dedicated staff time to dispose of hard-copy documents that contain sensitive information.
  • Develop a list of local professionals, organizations, and law enforcement agencies that you can connect members and staff to for legal, medical, and mental health assistance in response to physical attacks or threats.
  • Develop a parliamentary travel policy.
  • Ensure staff know what to do in case of emergency during travel.
  • Be mindful of the additional data that is created and shared when organizing travel or events.