Angeles • Have worked as staff for Northeast Valley Health Corporation; Maternal & Child Health Access; Coalition for Humane Immigrant Rights of Los Angeles; Homeless Healthcare Los Angeles. • Am a proud board member of Immigrant Defenders Law Center, & Nonprofit Technology Network (NTEN) • Been doing nonprofit technology for over 17 years • Co-founder of the Stop LAPD Spying Coalition
relate to data security • Why is this topic important to Legal Service organizations • Practical steps to shift towards a technology conscious & data aware organization • Common questions/concerns
fail to adopt, which relate to the collection, retention, security, use, and destruction of data. “Engaging in digital security transformations without a data transformation will leave organizations with a false sense of security” -Seamus Tuohy
attorneys have an ethical obligation to stay abreast of the technology they are using. By extension, the use of this technology, and the work product (nee data) that it produces, are covered under ethical guidelines/strictures.
protecting personally identifiable information. There are statutory considerations which relate to the collection and use of data which extend beyond the ethical considerations previously mentioned. It is foreseeable that more and more nonprofit organizations, including Legal Services organizations, will be the victims of a data breach and, once the breach is discovered, the organization would be subjected to statutory penalties.
restricting our definition of data to personal information we collect. While metadata is an important topic, we are going to focus on the most pervasive data elements (those which are tied to an individual’s identity). When we talk about data, we need to pause and reflect that our obligations to protect data are not solely the purview of the technology department as the technology unit is unlikely to be held liable for a data breach, the executives and board are often held liable.
begin with a litany of tools often leave the audience overwhelmed and confused. Moreover, the best tools will not protect you if you have business practices which undermine the effective use of those tools.
are ultimately economic ones. • What is your technology staff to program staff ratio? • Have you, consultants, or your board identified where your organization is in any version of the Information Technology Maturity Model? • Do you have more communications staff than technology staff? • Is your technology work, in-house or contracted, overseen by someone who has an understanding of the work being performed?
patching • User training • Backup verification • Log analysis • Network device “firmware” updates • Strategic planning • Process integration • Professional development
short shrift to planning activities because most of the work, often by necessity & not design, is reactive. Effective use of technology can be reactive and relevant to programs only after a good baseline practices have been adopted. A consultant (or many technologists) can help you map business process but, when engaging in that process, it’s important to remember that program staff are the ultimate reference, experts, and arbiters of what process involves (not always what it should look like)
element of any security conversation. This analysis is highly iterative and should be done for every device, data system, and practice at your organization. Remember, security is a process, not a product. • What do we want to protect • Who do we want to protect it from • Why do people want to attack it • What are we doing to do to protect it • Will we know when it has been attacked
“power, not paranoia” is helpful…sheer panic or paranoia is unhelpful. Helpful risk assessments should renew our commitment to protecting data, not dissuade or alienate us. If it does, you might be doing it wrong…or looking at the wrong risk vectors/threats.
• Organizations have issues of scalability • Organizations have a need for centralized management • Organizations have liability/risk/exposure that private persons often don’t have • Organizations are better targets • Organizations are generally frugal and lazy when it comes to digital security • Organizational security costs money and often technologists aren’t effective evangelists to the gospel of data stewardship/security
is something you should review every year (aspirationally) or every other year (practically). At the very least, your office needs: • Security at the perimeter (e.g. firewalls, routers, web filtering) • Security at the endpoint (e.g. anti-virus, behavior analysis, locked down workstations) • Security for data (e.g. personal information in databases instead of spreadsheets, data loss prevention software/practices) • Evaluation (e.g. log analysis and event notification)
security awareness is often a greater return on investment than many technologies which can (and will) fail. Studies state that 70% of data breaches are the result of employee actions (intentional and unintentional).
careers of folks who express disdain or fear of technology, our organizational cultures will reflect those values. These times are ripe for nimble organizational responses; your organization can’t be nimble if your infrastructure is calcified or nonexistent. Just like jails, outsourcing and obscuring problems are not a long-term solution. This outsourcing & obfuscation also inhibits addressing root causes.
them non-punitive but enforceable • Take the time to understand why and how users will try to circumvent your policies • If you’re creating policies which are too stringent, expect staff to attempt circumvention • These policies should be developed with staff and, in that process, staff can become both advocates as well as policy designers
• Loop in senior management sooner rather than later • Make sure senior management is holding the ball so they can steer an interdisciplinary response • Have a communications plan to address likely catastrophes (long-term outages; hacks; data breaches; and vandalism) • Create clear delineations about who can say what about what (don’t have your comms folks talk about things they know very little about)
called threat modeling, helps understand the scope of risk • Data stewardship (having a critical approach to data collection, retention, analysis, & destruction) reduces the degree of risk • Good policies reduce organizational risk by establishing that reasonable steps were taken to mitigate data loss • Consistent practices reduce risk because it becomes easier to spot anomalies • Nothing reduces risk like training, support, and a non-punitive approach
Nowadays, by hook, crook, or subterfuge, staff engage in a Bring Your Own Device practice. Trying to stand in its way is both futile and counterproductive. • When possible, use mobile device management • Coach employees to create a separate work profile (maybe demand it) • Provide staff endpoint protection licenses and demand that endpoint is installed on their machines • Create policies directing staff to NOT store client data on personal devices
are some important factors to keep in mind: • If you aren’t using a paid service, you are the product (unless it’s a paid service provided as a donation) • Cloud service providers often have their own security team, something most nonprofits will never have (until they’ve had a breach) or can afford • How do you manage the proliferation of cloud accounts when staff leave? • Are you backing up your cloud services? Do you have a migration plan to leave the cloud?
one-size fits all best practice. Best practice flows from a thoughtful risk assessment. Best practice is engaging in a conversation to identify risks; prioritizing the risks you want to mitigate; finding a mitigation partner; and starting again.
if your IT team is fighting fires, security will often get left by the wayside; if your IT team is on contract and not aware of your internal workflows, liabilities, and practices, there is limited impact they can have without internal guidance. The threat landscape is “polymorphic” which means it takes different shapes to avoid prevention. Two good resources for technology staff are the newsfeeds of your security product vendors. A good general resource is Graham Cluley and the Sophos Naked Security site. Making time to stay up to date is more helpful than listing resources which could expire.
a different slide deck… Governments use surveillance technology to stalk and further marginalize traditionally targeted communities. COINTELPro through the Snowden revelations show the government generally doesn’t obey the law when it comes after folks. That said, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU)(particularly NorCal) have done exceptional legal work on this topic. We should all be concerned about the surveillance state.
about the security culture that fits your organization • Accept that security is a journey and not a destination • Be prepared to spend resources/money • Get the contact information of someone at this session: build a security community of practice • While we only scratched the surface, we accomplished a lot by surfacing more focused questions about security.
freedom. The freedom which rests on the sense of responsibility.” Security culture is an act of responsibility to clients, the broad social justice community, partners, allies, & organizations.
you want it: email (day job): email (non-day job): Contents of this presentation are freely licensed under the GNU AGPLv3. 80% of attribution to Ken Montenegro, [email protected] and 20% to Asian Americans Advancing Justice Los Angeles, http://www.advancingjustice-la.org.