An essential component of information security is the physical security of your devices. In addition to mitigating the impact of a stolen device by using lock screens and passwords, implementing full disk encryption, and turning on remote wipe features, you should also consider how to keep those devices from being stolen in the first place. To make theft more difficult, be sure to install strong locks (and rotate them whenever staff change) at parliamentary premises and/or home. In addition, consider buying a laptop safe or lockable cabinet to keep devices more protected overnight. Security cameras or motion sensor systems around the premises can detect and hopefully deter physical break-ins and theft. Look for a privacy-respecting option available in your country, and be sure to select cameras and security systems provided by trusted companies that do not have an incentive to hand over data and information to a potential adversary.
If old devices have information still stored on them but are no longer in use, consider wiping them - this guide from Wirecutter is a great resource on how to do this for most modern devices. If wiping your devices is not possible, you can physically destroy them too. The easiest, if not most environmentally sensitive, way to do that is to break up the devices and their hard drives with a hammer. Sometimes the oldest solutions still work the best!
Even before these technical steps, take a moment to create an inventory of all the equipment across parliament. If you do not have a list of all your devices, it is harder to keep track of what might be missing if one gets stolen.
What do we do with all this paper?
It is likely that your organization has a lot of information that is printed on paper, written in notebooks, or scribbled down on post-it notes. Some of this can be very sensitive: printouts of budgets, lists of participants, sensitive letters from donors, and notes from private meetings. It is essential to think about the security of this information as well. If you absolutely need to keep hard copies of sensitive information, ensure that it is stored safely in a locked cabinet or other safe place. Do not keep any private or sensitive information (including passwords) laying around on a desk or written up on a white board. If you believe your organization to be at high risk of a break-in or raid, keep highly sensitive information in a less targeted location.
To the extent possible, endeavor to dispose of unneeded hard-copy information. Remember: if you do not have it, it cannot be stolen. Set an organizational policy regarding ownership of hard-copy notes, and be sure to collect any paper notes from staff if they decide to leave or are let go from the organization (just like you would collect an organization-issued computer or phone). To get rid of sensitive paper, purchase a quality shredder. A fun end-of-week activity can be taking a 15-minute break with your staff to shred any leftover, sensitive print-outs or notes from the prior week.
The parliamentary office policy
Although for many the realities of “the office” have changed significantly since the beginning of the COVID-19 pandemic, it is still important for your organization to set a clear policy regarding office access. Such a policy should address key questions including who is allowed inside the office (and when), who can access what office resources (like the WiFi network), and what to do about guests.
A simple yet important question to answer is who gets an office key. Only trusted staff should have keys, and locks should be changed when staff leave and/or on a semi-regular basis. During the day, any doors that are left unlocked should be in constant view of someone trusted in the organization. Also consider whether the organization has a trusted relationship with your landlord or cleaning staff. Think about what information or devices such people might have access to and ensure that is protected, particularly if you do not have that trusted relationship. Whoever has access, someone trusted should always be designated to lock up the office and ensure devices are properly secured before leaving at the end of the day.
Are guests allowed inside the office? If so, ensure they do not have access (or at least unattended access) to devices or sensitive hard-copy data. If it is a requirement or expectation that guests have internet access when they visit, you should set up a “guest” network so that such guests do not have the ability to monitor your regular traffic. In general, only trusted personnel should be able to access the network and network devices such as printers. It is also usually a good idea to require guest registration so that you have a log of who has visited.
As you develop an office policy, the goal should be to allow only trusted people access to sensitive devices, documents, spaces, and systems.
Sensitive Compartmented Information Facilities (SCIFs)
To hold highly sensitive conversations, some parliaments have secured physical rooms called SCIFs in place. These spaces are established so that sensitive information, such as issues related to national security or intelligence, can be viewed by and discussed between MPs and their staff without concern of outside surveillance or spying. In addition to proper physical construction, a proper SCIF necessitates that people leave devices (such as their cell phones) outside the room prior to entering for discussion.
Supporting staff and volunteers
Physical security threats to your organization can impact your staff too. Similar to harassment on social media, these physical security threats often disproportionately impact women and marginalized communities. It is not just about broken windows and stolen laptops. Intimidation, threats or instances of physical or sexual violence, domestic abuse, and fear of attack can have a serious negative impact on the lives of staff. For organizations that work with or support politically active women in particular, NDI’s #Think10 Safety Planning Tool is a useful resource to provide those who might be at increased personal risk as a result of their participation in parliament and politics more generally.
The well-being of staff is obviously an important asset to them as individuals, but it is also a crucial element to a healthy and well-functioning organization. To that end, consider what additional resources you can provide to staff to keep them protected and, in the case of physical or digital attack, help them recover. As mentioned earlier in the Handbook, this means at a bare minimum developing a list of resources that you can connect staff to for legal, medical, mental health, and technical assistance if needed. Once again PEN America’s Online Field Harassment Manual includes ideas for how organizations can support staff during and after crises.
Security while traveling
Traveling - whether to another country or the town down the road - often intensifies physical information security risks. It is generally safe to assume that you and your devices have no privacy rights when crossing borders. As such, it is a good idea to include a parliamentary travel policy within your security plan that includes reminders about key security best practices.
Your parliament’s travel policy should include a lot of the information covered in other sections of the Handbook including using the internet securely and keeping devices and other information sources physically secure and with you at all times when traveling. If possible, leave your sensitive information behind and just use a fresh, cleanly erased computer, access the files you absolutely need from the cloud, and then erase it when getting home again.
Booking Travel Securely for Your Parliament
When putting together a travel policy, keep in mind what information might be exposed when you organize or book travel. This can be particularly important if you are organizing large events or conferences for which you are handling sensitive information from a variety of staff, members, or attendees. Think carefully about how you will securely share and store (if needed) personal information like passport details, travel itineraries, and medical records.
In addition to preparing for travel and minimizing the data shared when you do travel, there are a few essential operational tips that you should think through and include in your parliamentary travel policy.
Consider using travel-specific laptops or phones that have little to no sensitive data stored on them. If most of your parliament’s work is done in the cloud, a relatively inexpensive Chromebook can be a good option for such a device. Factory reset, or “wipe” these devices upon their return before connecting to common Wi-Fi networks at home or the office.
Provide staff with contact information and a plan of action for what they should do if something goes wrong on their trip. This includes information about local hospitals, clinics, or pharmacies should they need medical assistance while traveling.
Staff should also keep all devices on their person while traveling. For example, keep your laptop at your feet (not the overhead compartment or in checked luggage) when on a bus, train, or plane. Do not assume a hotel room – or even the hotel safe – is a “safe place” to keep sensitive devices and items. Do not trust public USB charging ports. USB charging ports in airports, stations, and vehicles are becoming an increasingly common sight, and a very convenient way to power up devices. However, they can be an easy vector for picking up malware. So be sure to either charge devices the traditional way through a plug in the wall, or purchase USB data blockers to allow traveling staff to safely charge up their devices via USB.
- Remind members and staff to keep devices physically protected at all times.
- Check and secure all the ways people can get onto your premises.
- Develop a guest and access policy.
- Use strong locks, ID/badge systems, and rotate/change them when needed.
- Consider setting up cameras or other on-premises security systems.
- Have and use paper shredders.
- Set up dedicated staff time to dispose of hard-copy documents that contain sensitive information.
- Develop a list of local professionals, organizations, and law enforcement agencies that you can connect members and staff to for legal, medical, and mental health assistance in response to physical attacks or threats.
- Develop a parliamentary travel policy.
- Ensure staff know what to do in case of emergency during travel.
- Be mindful of the additional data that is created and shared when organizing travel or events.
