
Information security frameworks

How we differ

Too many digital security providers push generic technological solutions on civil society organisations because these are easily specified and deliverable in a well-defined period of time. They offer the ‘illusion of security’ but are almost always inappropriate, and sometimes create further risks.

There is also a common misconception among organisations themselves that there is some objective set of measures that they should take to be ‘secure’.

Our approach differs from the existing generic solutions. It is risk-based and information-centric. We focus on your information assets and the value and potential harms presented by them, rather than auditing your devices and digital security practices against potentially-arbitrary standards. We focus on laying the foundations of a robust information security framework.

A gap analysis and framework

Working closely with an appropriate contact point in your organisation, we will complete a simple gap analysis and develop an information security framework that is grounded in tried and tested information security principles. The framework consists of a provisional baseline and an agreed policy.

The baseline is made up of:

  • Information registry: Your organisation’s information assets, their value and potential harms, and the measures currently in place to protect them.
  • Technology registry: The requirements and implementation of your organisation’s devices and services.
  • Document repository: All existing policies, procedures and other relevant documentation, if any.
  • Priority queue: A prioritised list of the information security activities and projects that your organisation wants to complete as resources allow.

The policy is a simple two-page document covering information security principles, governance and implementation. It covers the ‘what’ and the ‘why’ of information security but not the ‘how’ (that comes later). You can read our information security policy as an example. Your executive director or board will need to approve the policy.

To create these elements, we will walk you through the following steps:

  1. Information security workshop.
  2. Creating the first version of your baseline.
  3. Framework gap analysis.
  4. Agreeing the policy.

At the end of the process, you will have a clear understanding of where the gaps were in your information security framework and have begun to bridge them with the required baseline and policy.

Next steps

Once the above is completed, the priority queue will provide you with the best foundation for deciding the optimal ordering of information security activities to be completed as resources permit. It will also provide senior management with an overview of what is being translated into action and what has stalled. The priority queue will include developing additional measures to protect your information assets that present the greatest potential harms. These measures can include:

  • Paper: Policies and procedures
  • People: Staff responsibilities and practices
  • Tech: Technology requirements and implementation

While the ultimate decision on the allocation of resources will rest with you, we will be able to provide you with insight into the risks based on our extensive ‘ethical hacking’ experience and expertise. This offers you a unique perspective from an adversary’s point of view and ensures that our advice is guided by what attackers actually do in practice. We will be happy to provide a cost proposal for anything on your priority queue that you would like our support with.

What you will need

You should be mindful that for an information security gap analysis and framework to be effective, it is essential that your organisation has the necessary:

  • Staff member(s) with the delegated responsibility, authority and accountability for information security.
  • Resources, particularly time, to dedicate to the process and any subsequent work.
  • Recognition from senior management that they will need to support and be directly involved in the process for it to be a success.

We can discuss how best to proceed if one or more of these requirements are not currently in place in your organisation.

We are rooted in civil society

Open Briefing is a member of the technology and security action team of the Vuka! Coalition for Civic Action and the security working group of the Coalition for Human Rights in Development. We are a referral partner for Access Now’s Digital Security Helpline and Cloudflare’s Project Galileo. We are also a member of the International NGO Safety and Security Association, the Charities Security Forum and the CIVICUS Global Civil Society Alliance.

Our information security lead, Richie Tynan, is passionate about using technology to help civil society organisations flourish. He was previously a penetration tester at the Guardian, where he served for a period as the most-senior member of their information security team. Prior to that, he was the head of technology at the charity Privacy International for five years.

Open Briefing is a certified social enterprise and a member of the CIVICUS global civil society alliance and the Vuka! coalition.