
Security Policies: Quick Notes

What is a security policy?

A security policy is a formal, detailed and easily understandable document that sets out the general beliefs, goals, acceptable procedures and security controls that govern an organization or other entity. It addresses the constraints on the behavior of its members, the constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls, the computer security threats the organization faces, and how to handle incidents when they do occur. A security policy must identify all of a company's assets as well as all the potential threats to those assets. And lastly, it should be subject to amendment, since threats change over time.

Why a security policy?

A security policy should be one of the first documents in place for a corporate organization or entity to function smoothly. It should clearly address all security concerns, how likely each is to actually occur, and the planned way forward, so that employees and employers feel at ease carrying out their mandate. You need a security policy in order to:

  • Establish the rules for user behavior in the use of organizational assets, which ensures proper compliance by staff.
  • Define and authorize the consequences of violating the guidelines.
  • Establish a baseline stance on security that minimizes the risk of incidents in the organization.
  • Build a sense of carefulness among staff, which reduces the risk of data loss or leakage.
  • Protect the organization from external and internal "malicious" users.
  • Guide staff on acceptable and unacceptable behavior.
  • Set out how information is classified and disseminated (private, internal and public information).

A Good Security Policy

A good security policy should be readily available for its intended audience. It shouldn’t be hard to get.

It should be understandable and not confusing. Avoid using words that are beyond the understanding of your audience. It should clearly indicate how violations are handled.

A security policy should be applicable to the organization and only reveal information relevant to the functionality of the organization. It should cover use of organization assets, specify minimum security standards used in protection of assets, prohibitions against malicious actions, home use of organization equipment, use of personal equipment for carrying out official duties, procedures deemed as accepted or best practices, etc.

Work to develop a policy that balances both the current practices of the organization and the practices the organization wants to see in future. Most importantly, make sure the policy protects the organization against multiple types of threats.

And lastly, it should be accepted, put into use and reviewed frequently, at least once a year, so that emerging concerns are added to it. This is necessary because breaches keep evolving and new measures have to be put in place.

5 steps to compile a good security policy

  • Identify the issues.
  • Conduct a context analysis of the issues identified (vulnerabilities, fixes and ways forward, influence on behavior) and derive the set of rules from it.
  • Draft a policy covering all of the above.
  • Have the document reviewed internally and/or hire an external entity to review it as well.
  • Deploy the policy to the rest of the organization.

Document Outline

  • Introduction
  • Purpose
  • Scope
  • Roles and responsibilities
  • Sanctions and violations
  • Review schedule
  • Definition of terms, abbreviations/acronyms

Topics should centre on the following:

  • Physical Security
  • Security Training
  • Privacy
  • Software Licensing
  • Password
  • Virus protection
  • Acceptable use
  • Account management
  • Special access (Authority)
  • Change management
  • Incident management


A Checklist for HRDs before field engagement

As Human Rights Defenders, we are exposed to a lot of risks during our public or field engagements, and most of these take us by surprise because we have not prepared adequately for such emergencies.
It could be a kidnapping, being stranded in the middle of nowhere, an accident, you name it.

Field engagement in this case means conducting work in the natural environment rather than in the office. During field engagements we tend to be among the general public, some known to us and some unknown because it is our first time engaging with them. Even when the environment is known to us, we can never be sure of the dynamics of the people we have been working with, and therefore we need to have a number of things ready in case things go sideways:

  1. Make sure your phone is charged before going out.
  2. Be sure to have some cash on you just in case you might need to use some quickly.
  3. Make sure you have an ID on you so you can easily identify yourself to legal authorities.
  4. Make sure your phone security is something that only you know (Don’t use fingerprint or face ID) when going for vital field work.
  5. Have a contact of someone to call in case of emergencies. You can write such contacts somewhere and carry with you.

Windows 7 End of Support

What Human Rights Defenders need to know:

Most of us might not be aware that Microsoft committed to providing 10 years of product support for Windows 7 when it was released on October 22, 2009. Those 10 years officially came to an end on the 14th of January 2020. If you are still using Windows 7, your PC will still work, but it will be more vulnerable to security risks and viruses. Your PC will continue to start and run, but it will no longer receive software updates, including security updates, from Microsoft.


Phishing – What You Need To Know

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.


How SSL Works | Choose the Right Certificate Authority

How it Works

Simplistically speaking, there are three main components in creating a connection:

  1. The Client – This is the computer that is requesting information.
  2. The Server – The computer which holds the information being requested by the Client.
  3. The Connection – The path along which data travels between the client and server.
Figure: How SSL works, the difference between HTTP and HTTPS. HTTP vs HTTPS connection (Source: Sucuri)

To establish a secure connection with SSL, there are a few more terms you need to be aware of.

  • Certificate Signing Request (CSR) – Generating a CSR starts with creating two keys on the server, one private and one public; the CSR carries the public key. The two keys work in tandem to help establish the secure connection.
  • Certificate Authority (CA) – This is an issuer of SSL certificates. Sort of like a security company that holds a database of trusted websites.

Once a certificate is requested, the server creates the CSR. This sends data, including the public key, to the CA. The CA then produces a data structure that corresponds to the public key, and therefore to the server's private key.

The most critical property of the SSL Certificate is that it is digitally signed by the CA. This is vital because browsers only trust SSL Certificates signed by a very specific list of CAs, such as VeriSign or DigiCert. The CAs on that list are stringently vetted and must comply with the security and authentication standards set by the browsers.

Types of SSL Certificates

Figure: Browsers identify SSL Certificates (an EV Certificate is shown) and activate the browser's security indicators.

Although all SSL certificates are designed for the same purpose, not all are equal. Think of it like buying a phone. All phones are basically designed to do the same thing, but there are different companies that manufacture them and produce many different models at varying price points.

To simplify the matters, we break down the SSL Certificate types by level of trust.

1- Domain Validated (DV) Certificate

Among SSL Certificates, the Domain Validated Certificate is the most basic and simply assures users that the site is safe. There is not much detail except for that simple fact and many security organizations do not recommend using Domain Validated Certificates for websites that deal in commercial transactions. The Domain Validated Certificate is the budget smartphone of the SSL world.

2- Organization Validated (OV) Certificate

Organization Validated Certificate holders are more stringently vetted by CAs than Domain Validated Certificate holders. In fact, the owners of these certificates are authenticated by dedicated staff who validate them against government-run business registries. OV Certificates contain information about the business holding them, are often used on commercial websites, and represent the midrange smartphones of the SSL world.

3- Extended Validation (EV) Certificate

Representing the highest level of trust in the SSL rankings, EV Certificates are chosen by the best of the best and are extremely stringently vetted. By opting for EV Certificates, these websites are investing deeply in consumer trust. These are the iPhone X of the SSL world.

Because SSL certification has become so highly recommended today, many fraudulent websites have also adopted SSL. After all, there is little visible difference between websites apart from the green padlock. This is the key reason more reputable organizations are opting for SSL Certificates that are more thoroughly vetted.

Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) have started to use SSL to add perceived credibility to their websites. – Wikipedia.
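The two passages above (how the CSR, CA signature and browser trust list fit together, and the difference between DV and OV validation) can be reproduced on a laptop with the openssl command line. The script below is an added example written for this page; it is not code from the original post, from Sucuri or from any CA. A self-signed root plays the role of the trusted CA, a server generates a key pair and a CSR, the CA signs it, and the resulting chain is checked against the root. It issues a DV-style certificate (subject holds only the domain) and an OV-style one (subject also carries an Organization) to show that the chain check passes identically for both, so the validation level is only visible by reading the certificate subject, and that a second self-signed certificate for the same domain, which no trusted root vouches for, fails the check. All names (Toy Root CA, www.example.test, Example Org) are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# All names below (Toy Root CA, www.example.test, Example Org) are made up.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A self-signed certificate: what a root CA is, and also what a fraudster can
# make for free. The only difference is which one the verifier chooses to trust.
make_self_signed() { # $1 = file prefix, $2 = subject
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "$2" 2>/dev/null
}

# Server side: create the key pair and a CSR. Only the public key leaves the
# server inside the CSR; the private key stays in $1.key.
make_csr() { # $1 = file prefix, $2 = subject
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# CA side: sign the CSR with the root key, producing the certificate.
sign_csr() { # $1 = file prefix
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

# Browser side: is this certificate signed by a root in our trust list?
# Exit status 0 means the chain verified.
verify_against_ca() { # $1 = certificate file
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Read the Organization (O=) field from the subject; empty for a DV-style cert.
cert_org() { # $1 = certificate file
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *organizationName *= *//p'
}

# Demo run: one trusted root, a DV-style and an OV-style leaf, and a rogue
# self-signed certificate that claims the same domain.
make_self_signed ca "/CN=Toy Root CA"
make_csr dv "/CN=www.example.test"
make_csr ov "/C=UG/O=Example Org/CN=www.example.test"
sign_csr dv
sign_csr ov
make_self_signed rogue "/CN=www.example.test"

for name in dv ov rogue; do
  if verify_against_ca "$WORK/$name.crt"; then
    echo "$name: chain OK, organization='$(cert_org "$WORK/$name.crt")'"
  else
    echo "$name: chain FAILED (not signed by a trusted root)"
  fi
done
```

Note that the DV and OV certificates print the same "chain OK"; the padlock a browser shows depends only on that check, and the organization name is the one piece of information that separates them. The rogue certificate is rejected only because our trust list contains a single root; the same is true of a browser, whose list is simply much longer.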

How to Choose the Right Certificate Authority

Certificate Authorities are like private security companies. They are the ones who issue digital certificates that facilitate the SSL establishment process. They also belong to a limited list of businesses that meet detailed criteria to maintain their place on that list. CAs who maintain their place on that list can issue SSL Certificates –  so the list is exclusive.

The process is not quite as simple as it sounds, since before a certificate can be issued the CA must check the identity of the website applying for it. The level of detail in those checks depends on what type of SSL certificate is being applied for.

The best CA is one who has been in the business for some time and follows best practices in business, not only for itself but also for any partners associated with the business. Ideally, they should also be able to demonstrate proven expertise in the field.

Look for a CA that keeps up with current standards, is actively involved in the security industry and has as many resources as possible to support its customers.

A good CA would also:

  • Have reasonably short validation times
  • Be easily accessible to its customers
  • Have great support

Security and Freedom of Association in Uganda and Nigeria

The fight against money laundering and terrorism has come into tension with freedom of association and assembly in a number of countries. A group of OGP countries (including Nigeria, Kenya, Malawi and South Africa) is currently working on terrorism financing rules, which affect nonprofit organizations.


Relocation Support Report

People who are Lesbian, Gay, Bisexual and Transgender face a lot of persecution in Uganda as a result of their sexual orientation and gender identity. Persecution of LGBT people in Uganda is favored by laws that criminalize same-sex relations; these laws are enshrined in Uganda's Constitution and in Penal Code Section 145, under which any person who has carnal knowledge of any person against the order of nature, or permits a person to commit the offence, is liable to life imprisonment. Acts of hate towards LGBT people are also demonstrated by religious groups that preach against homosexuality and by cultural institutions that propagate the notion that homosexuality is un-African.

Homophobia in Uganda is manifested in varied ways. The commonest are attacks on purported homosexuals in public malls and spaces, exposure in the media of the pictures and addresses of LGBT people, verbal abuse especially in public spaces, beating and scourging, break-ins into the houses and premises of known and suspected LGBT people, dismissal from jobs, subjection to corrective rape, isolation, arrests and imprisonment without trial, banishment from home, evictions, dismissal from school, and a number of other attacks and violations. Hundreds of LGBT people in Uganda, young and old, have been victims of these attacks and violations.

Following the trend of violations, in 2014 a report dubbed 'From Torment to Tyranny', published by Sexual Minorities Uganda, highlighted that in a period of four months between 20th December 2013 and May 2014, 162 cases of persecution of LGBT people had been recorded and that the gravity of the violations was increasing. Further, in 2017 Amnesty International, in its report highlighting incidents where the rights to freedom of expression, association and assembly were violated in Uganda, noted that LGBT people in Uganda continue to be denied the right to assemble, with police shutting down LGBT pride parades and other assemblies.

However, amid turbulent times for LGBT people in Uganda, a wave of human rights groups and individuals have come out to support the LGBT movement in Uganda in varied ways, especially through relocation support for those evicted from houses, banished from their homes or facing threats. Since relocation support has been at the center of the many avenues of support for LGBT people, it is worthwhile, through this report, to assess its effectiveness and validity over time.


Toxicity Online

I am one of those people who usually go online, most specifically to YouTube, for content, but many a time I go there just for the comments.

And over the years I have had a good laugh, but of late the comment section fills me with dread. Take for example Tati Westbrook, a lifestyle guru who reviews beauty products. She reviewed a particular makeup palette, and her view of things didn't go down well with a section of the YouTube beauty community; the comment section became so vile she had to disable comments for that particular video.


Digital Security Tips for Women

An unfortunate number of women are becoming victims of cybercrime. According to a recent study, more women than men are known to use the Internet to enrich their relationships. Young women, those aged 18-24, experience certain severe types of harassment at disproportionately high levels: 26% of these young women have been stalked online, and 25% have been the target of online sexual harassment. The growing reach of the Internet and the rapid spread of information through mobile devices have created new opportunities that could put some women at risk, so it is important to be mindful of the dangers.