Organizational Security Policy
Basic guide to help organizations create and implement a security policy
Problem
Organizations, especially small ones, often lack written or formal security policies. Because these organizations already exist and do work, they will most likely already have informal practices and policies across the organization. Our aim is to conduct a security assessment in order to better understand their risks and existing work and informal practices, and help them create their own security policies to capture these practices.
Solution
First schedule a call with the client and perform a light-weight security assessment with the organization following Article #200.
Once you have conducted the assessment and noted the biggest concerns with the organization, together with the point person of the organization use the following templates to create a draft policy adapted to their priorities:
- Templates for organizations:
If the group your working with is not a formal organization, but a grassroots group of volunteers, you might find the template for activists more helpful as a starting point: - Markdown on Gitlab.com - .odt on Gitlab.com
It is important to note that such a big document can be intimidating to the organization, so incident handlers should follow up closely with the client to clear any doubts and concerns. Consider whether sending the full document at once or if it is better to work on one section at a time and only add more when the previous sections are clear.
When the policy document has reached a satisfactory state, schedule a call with the client to review the full document one last time and make sure they understand and have the means to implement the policies.
Comments
Follow the development of SOAP, an organizational security policy generator currently in beta.
Review Safe and Documented for Activism manual (available in English and Spanish), which includes activities to facilitate and generate organizational security policies with organizations.