How we differ
Too many digital security providers push generic technological or policy solutions on civil society organisations because these are easily specified and deliverable in a well-defined period of time. They offer the ‘illusion of security’ but are almost always inappropriate, and sometimes dangerous.
Likewise, there is a common misconception among organisations that there is some objective set of measures that they should take to be ‘secure’.
Our approach differs from the existing generic solutions. It is risk-based and information-centric. We focus on your information assets and the value and potential harms presented by them, rather than auditing device configurations and digital security practices against potentially arbitrary standards.
A gap analysis and framework
We will complete a simple gap analysis and develop an information security framework with you that is grounded in tried and tested information security principles. The framework consists of an agreed policy and a provisional baseline.
The policy is a simple two-page document covering information security governance and implementation. The baseline is made up of:
- Information registry: Your organisation’s information assets, their value and potential harms, and the measures in place to protect them.
- Technology registry: The requirements and implementation of your organisation’s devices and services.
- Document repository: All existing policies, procedures and other relevant documentation, if any.
- Priority queue: A prioritised list of the information security activities and projects that your organisation wants to complete.
To create these elements, we will walk you through the following steps:
- Information security workshop.
- Creating the first version of your baseline.
- Framework gap analysis.
- Agreeing the policy.
At the end of the process, you will have a clear understanding of where the gaps were in your information security framework and have begun to bridge them with the required baseline and policy.
The priority queue will then provide you with the best foundation for deciding what ought to be developed and the optimal ordering of activities to be completed as resources permit going forward. It will also provide senior management with an overview of what is being translated into action and what has stalled. The priority queue will likely include further developing your information registry to include additional measures to protect the assets that present the greatest potential harms. These measures can include:
- Paper: Policies and procedures
- People: Staff responsibilities and practices
- Tech: Technology requirements and implementation
While the ultimate decision on the allocation of resources will rest with you, we will be able to provide you with insight into the risks based on our extensive ‘ethical hacking’ experience and expertise. This offers you a unique perspective from an adversary’s point of view and ensures that our advice is guided by what attackers actually do in practice.
What you will need
You should be mindful that for an information security gap analysis and framework to be effective, it is essential that your organisation has the necessary:
- Staff member(s) with the delegated responsibility, authority and accountability for information security.
- Resources, particularly time, to dedicate to the process and any subsequent work.
- Recognition from senior management that they will need to support and be directly involved in the process for it to be a success.
We can discuss how best to proceed if one or more of these requirements is not currently in place in your organisation.
We are rooted in civil society
Open Briefing is a member of the technology and security action team of the Vuka! Coalition for Civic Action and the security working group of the Coalition for Human Rights in Development. We are a referral partner for Access Now’s Digital Security Helpline and Cloudflare’s Project Galileo. We are also a member of the International NGO Safety and Security Association, the Charities Security Forum and the CIVICUS Global Civil Society Alliance.
Our information security lead, Richie Tynan, is passionate about using technology to help civil society organisations flourish. He was previously a penetration tester at the Guardian, where he served for a period as the most-senior member of their information security team. Prior to that, he was the head of technology at the charity Privacy International for five years.