What: The Security Policy allows you to identify and categorize your sensitive data in an inventory, which will help you to prevent and overcome digital security incidents.
Approx. time: Plan a three-hour meeting to categorize all the sensitive data of your organization and develop an appropriate action plan to ensure its confidentiality, integrity, and availability.
Who: This policy concerns the entire team.
The Security Policy prepares you to respond to all types of digital incidents appropriately, whether they are caused by criminal cyberattacks or human error and shortcomings.
Formulating this policy is a twofold process.
The first phase consists of planning, taking inventory of the data, and drawing up a security plan that is in keeping with the reality of your organization.
The second phase involves the development of an action plan to be implemented after a security incident.
The two phases of the policy
Phase 1: Planning (before an incident)
Cybersecurity is preventive by definition. It’s like wearing a bike helmet: we don’t always see the usefulness of it from day to day, but it’s ESSENTIAL in case of an incident.
The best (and probably the only) way to minimize the impact of an incident is to know the risk level associated with all your data and documents. You then need to identify ways of securing them effectively (assuring their availability, confidentiality, and integrity).
Your artists, members, and partners trust you to protect their personal information and confidential documents. The best security practices will protect your organization and, most of all, your credibility with your partners and allies!
A) Take inventory
List all the documents and information that your organization keeps or uses.
For example, this information could include:
- names and email addresses of donors
- receipts for purchases of materials
- SIN of staff members
- banking information of your organization
- PayPal (or other) account of your organization
- annual budget
- content of the website
- archives of previous projects
- professional communication (emails, text messages)
- social media accounts (YouTube, Facebook, etc.)
- projects in development
- grant applications
You can divide this information into categories. This classification will provide you with a more systematic inventory and help you to add documents or information that you might have forgotten.
To help you in this task, we have created a template. As an example, we have filled it with the inventory of documents and information listed above.
B) Assess the risk level of the data
Next you need to assess the sensitivity and risk level of each document and data that you identified.
Refer to step 2 of the template and assess the sensitivity level of the data based on the criteria established in the chapter on sensitive data. In the appropriate box in the table, indicate if the data is:
(Please note that assessing the sensitivity of data is extremely subjective. It depends on your organization’s specific context. The assessment made in the template is a purely fictional example.)
Then, following step 3 in the table, identify the risks (on a scale of 1 to 25) for each event relative to the three pillars of digital security. You can assess the risk level using the matrix of risk assessment. The risk associated with a scenario is the result of multiplying two variables:
The probability that an incident occurs (1 to 5). Depending on your activities, computer literacy, and current security practices, you can assess the probability according to the following scale:
- very weak (1)
- weak (2)
- likely (3)
- very likely (4)
- extremely likely (5)
The impact of the incident on your organization (1 to 5). For this variable, you need to consider what the impact of the theft, modification, or unavailability of certain documents would be. You can ask yourself questions such as: What would happen if this information became public? What would happen if this information was incorrect? What would happen to the organization, partners, or clients if they could no longer access this information? Depending on your answers, you could determine that the impact is:
- insignificant (1)
- minor (2)
- moderate (3)
- major (4)
- critical (5)
You should therefore indicate a score between 1 and 25. The higher the score, the more effort your organization needs to put in securing the data. As we have done in the example, we also recommend that you keep a written record of your reasoning. This could take the form of comments.
C) Identify in what places and on which devices your data is stored
Begin by compiling a list of all the devices and cloud computing services used by the members of your organization (computer, tablet, cell phone, server, hard drive, cloud computing service, etc.).
Make sure to include the devices of people you work with on a temporary basis (freelancers, consultants, etc.). This task may seem daunting, but it is the only way to really assess the state of security.
To help you in this task, see step 4 of the template. In the table, indicate the places where your information and sensitive data is currently stored.
Tip: To help you implement your action plan, use a colour code:
- Red for information that should not be stored in the place where it is currently stored
- Green for a place where the information should be stored
- Grey for documents that are saved in the right place (no change needed)
D) Establish the priorities for action
Having taken inventory of your data, evaluated the risks, and listed the devices on which the data is stored, you can now make an action plan!
Keep in mind that you can’t secure all your data in an equal manner. The template is meant to be a tool to help you prioritize certain courses of action.
This brings us to section 5 of the table. The purpose of this section is to identify the cybersecurity actions you need to take based on your risk assessment. To complete this section, follow these steps:
- Identify all the risks that received a score above 15 (priority 1).
- With the help of the handbook, identify the actions and policies that could be implemented to reduce the risk to a level you deem acceptable.
- Redo these steps for the priority 2 (8 to 14), priority 3 (4 to 7), and priority 4 (1 to 3) risks.
Phase 2: Responding to an incident or attack
- Report and document when an incident is detected (modified content, lost file, etc.). You can also create a “digital incident report” to keep everything in the same file.
- Identify what data has been affected.
- Contact the people responsible for the domain that has been affected (website, archives, cloud computing service, etc.).
- If needed, notify the people concerned (clients, partners, etc.). Consult the Legal Obligations for this purpose.
- Correct, replace the data (see the Backup Policy).
- List the data generated and used by your organization (available on devices and in programs).
- Assess the sensitivity of the data (public, confidential, restricted).
- Assess the risk level associated with each item of data.
- Take inventory of the devices and platforms used by the organization.
- Prioritize the actions to take to reduce the risk to a level that is acceptable for your organization.