Buy-in and strategy to implement, enforce, and inform policy
Communication policy
  Social media
  Chat
  Mobile
  Branding practices and signatures
  PGP usage, key storage, publishing keys, subject lines
  Access control measures, levels of encryption, personal vs work usage
Data management policy
  Where is it stored? (cloud, local, etc.)
  Access control (new hires, employees leaving, different levels of access)
  Data retention
  Data deletion
  Backup
  Encryption
  Password management
  File naming and storage structure
Equipment policy
  Personal use
  Taking home
  Installing software
  Pirated software
  Anti-virus
  Updates
  Disposal of devices
Training
  When does training happen?
  How often?
  Self-learning resources?
  Funds for professional development
Employee offboarding
  What to expect when you leave the organization
  Email access
  Equipment handover
Incident reporting
  Security reports
  Lost equipment
  Infiltration
  Virus/Hacking
Field documentation and reporting
by Michael Carbone
This is a draft of a resource that came out of envisioning the next iteration of the Responsible Data Forum's Organizational Security Atomized Plan, and reframing it as a guide towards implementation within a group. In this reframing I have relied heavily on the content of the Organizational Security Atomized Plan itself, Internews' SAFETAG organizational assessment framework, and other resources listed in the resources section.
https://github.com/mfc/baseline-org-policies
by iecology
The documents in this repository comprise a set of digital security checklists for use by US-based non-profit organizations, with a focus on human practice and organizational management. One checklist is oriented towards assessing an organization's readiness to take on this type of work. Additional documents represent framing information and a glossary.
https://github.com/iecology/security-checklists