IFF OrgSec Village – Day 3

Internews is hosting the virtual Internet Freedom Festival (IFF) Organizational Security Village throughout this week (June 8-12)! The event is bringing together security auditors, digital security trainers, and other experts and practitioners for a five-day program of over 20 community-led sessions exploring five major themes in organizational security.

Sessions on Day 3 continued to explore examples of OrgSec in Practice. Highlights from Day 3 of the OrgSec village included:

  • A collective discussion around what we mean as a community when we say OrgSec Crisis Response, and how we can provide comprehensive crisis response support.
  • An informal session sharing practitioners’ experiences conducting Remote Organizational Assessments, Remote Tech Assistance, and other remote interventions.
  • A case study of one organization’s experience launching a Website with Digital Security Instructions and the unexpected ways audiences used it.
  • A presentation on the RAWRR (Risk Assessment Workflow Recommendation Roadmap) tool for documenting security assessments, risk modelling, recommendation development and implementation monitoring.
  • A review of Security Governance in CSOs exploring ways to scale policy development approaches to different sizes, capacities, and complexities of organisations and communities.

Key takeaways from the discussions included:

  • Remote interventions do work, but require more time and preparation than face-to-face support. Remote interventions can save time and money spent on travel, and can be the right format for rapid response or consultations (especially when trust is already established) as well as for facilitated online learning. However, they require significant time investment, and present numerous additional challenges. For example, remote trust building is tricky, and many people are uncomfortable enabling remote device access. Technical barriers like poor internet connectivity or lack of tech skills among staff may emerge. Finally, it is impossible to provide full technical support if something goes wrong that can’t be fixed remotely.
  • Web-based digital security guides are not dead (but keep them simple)! Websites with complicated interactive guides addressing specific threat models don’t get sustained engagement and are difficult and expensive to maintain long-term. In contrast, sites with a set of searchable, specific, and updated instructions for different tools and cases can be a useful resource for post-audit and training communications, remote support, and incident response. In addition, they are easier to keep up-to-date.
  • It’s crucial to tailor security audit reports to the intended audience. Whether the report is for management or for IT staff with technical know-how will dictate the specificity and structure of the report. There was community consensus that risk should be the focus of audit reports. Shorter reports focusing on action steps may be useful for organizations with limited bandwidth and interest in holistic security; in-depth reports detailing the process and connecting recommendations to risk are a more useful resource for organizations wishing to replicate the process down the line or build their own internal digital security expertise.
  • When developing organizational security policies, don’t start from scratch! There are many existing policy frameworks for practitioners to draw upon when assisting civil society organizations. Start with SOAP, SDA, and resources from Access Now and the OrgSec Wiki.