Let’s get to work! Concrete reflections and actions for securing information in our organizations

Carolina Flores Hine, Fundación Acceso (with the support and knowledge of colleagues from social organizations in Central America)


Flores Hine, Carolina. Let’s get to work! Concrete reflections and actions for securing information in our organizations.

1st ed. San José, Costa Rica: Fundación Acceso, 2008.

1. Information Security

2. New Technologies

3. Security Policy for Social Organizations

4. Central America

5. Human Rights

6. Free Software

Illustrations: Luis Enrique Gutiérrez

Design: Luis Enrique Gutiérrez

Translation: Elizabeth Clarke and Beverley Keefe

The contents are licensed under a Creative Commons Attribution Share-Alike 3.0 License. http://creativecommons.org/licenses/by-sa/3.0/deed.en

This is a translation from Spanish to English of the original work.

Fundación Acceso Tel: +506 2226-0145 Fax: +506 2226-0308 Website: www.acceso.or.cr E-mail: [email protected]


The contents of this publication were developed with the support of:

Pablo Zavala and Arturo Chub of SEDEM, Markus Erb of SIMAS, Paul Menchú and Gamaliel Folgar of the Fundación Rigoberta Menchú Tum, Brenner Barrios of the Centro de Acción Legal en Derechos Humanos, Giovanni Peruch of the Fundación de Antropología Forense de Guatemala, Byron Sandoval of the Fundación Myrna Mack, Jesús Laynes of Enlace Quiché and Jeffrey Esquivel of ABAX Asesores. Also integrated here is the invaluable support of the social organizations in Costa Rica, Nicaragua, Honduras, El Salvador and Guatemala that participated in the workshop “Awareness raising and risk evaluation for secure information management” (who, for reasons of security, are not named here, but to whom we send our thanks). To the Fundación Friedrich Ebert in Guatemala, many thanks for providing us with a space for the technical training. A special thanks to Robert Guerra of Privaterra, Dmitri Vitaliev of Tactical Technology and Raquel Chacón of HIVOS for their collaboration in Central American information security.


Index

Introduction ........................................................ 5

The last one to leave, please turn on the alarm ..................... 7

In times of peace, war of information ............................... 9

Some uncomfortable truths .......................................... 14

An unencrypted e-mail is like a postcard ........................... 14

Making a path as you go (and saving cookies as you navigate) ....... 17

Viruses, spyware, crackers – windows and doors wide open ........... 20

How can we prevent in order not to regret? ......................... 22

Key aspects for an internal policy on information security ......... 28

Levels of information confidentiality .............................. 29

Risk factors for physical events ................................... 32

Risk factors related to information management by staff ............ 33

Risk factors for common and political crime ........................ 35

Conclusions ........................................................ 37

Recommended tools .................................................. 39


Introduction

HIVOS’ program “Media, Information, and Communication Technologies for Development” promotes the free flow of information and the creation of democratic forums for debate and political participation. Within these democratic spaces, Internet and cell phones have become privileged channels for the flow of information, coordination and calls for participation. In turn, new tools have greatly facilitated the work of archiving and the agile availability of data.

This, however, has also created new requirements for information security: How free is the flow of information? How many organizational resources are vulnerable to interception? Is there really awareness in organizations about the importance of properly managing their information?

These and other concerns led HIVOS to convene the “Central American Workshop for the Expansion of Freedom of Expression: Tools for secure collaboration, communication and information”, held from August 28th to 31st, 2006 in Antigua, Guatemala. Some time later, HIVOS financed the follow-up project to this workshop in order to discover which of the participating organizations were making use of the tools they learned and to motivate their counterpart organizations working in human rights to incorporate information security. Fundación Acceso in Costa Rica coordinated this follow-up, working in partnership with SIMAS (Servicio de Información Mesoamericana sobre Agricultura Sostenible) in Nicaragua and consulting technically with SEDEM (Asociación para el Estudio y la Promoción de la Seguridad en Democracia) from Guatemala.


In 2007, contact was renewed with the participating organizations and in 2008 regional workshops were held with counterparts who responded to the call and other invited organizations. All of them received basic training and an evaluation that allowed them to assess their organizational risk with regards to information management.

Subsequently, a group of information technicians was formed from the Central American region. They participated in a training workshop focused on information security, and their efforts contributed greatly to this publication.

As a final phase of the project, this booklet was produced. It aims to open up discussion on information security within our areas of work, and better prepare the groundwork to reduce risks and enable us to protect our colleagues, as well as the people who have put their information under our care.

The booklet you’re holding is not an instruction manual for using specific software tools. It is designed to be a gateway to the creation of an internal policy on security in social organizations. Many of the software tools necessary for supporting this policy can be found in the compilation NGO in a Box: Security Edition, developed by Tactical Technology and Front Line Defenders1.

1 http://www.security.ngoinabox.org/

The last one to leave, please turn on the alarm

Those of us who work in Central American social organizations have seen enormous changes in recent decades. Most of these changes relate to technological advances, changes in political systems and the globalization of the capitalist system.

In a relatively short time we have gone from storing documents in manila folders, saving them in huge filing cabinets with tabs and dividers, and sending documents by mail or courier, to storing large amounts of information in virtual folders on computers and sending documents by e-mail.

This change has created a new gap between those with access to, and training in, the use of the Internet for communication and interaction and those without. At the same time, it has enabled the creation of broader networks between people who work on common issues, opened up channels of communication between diverse countries and streamlined the internal and external communication of social organizations.

However, upon further inspection, we have gone from a time when we kept our archives locked up in our offices (where the risk of theft, fire or loss was minimized by doors, locks, safes or photocopied duplicates), to today, where computers store large amounts of data, entire folders of work are transported in portable memory sticks2, information (the fruit of several years of work) is being sent by e-mail or stored on servers in offices. This raises questions like: What happened to the keys to the cabinets? Where are the locks? How are we securing our private information?

[Illustration: “And the password is?”]

Even in Central American countries where Internet access statistics are significantly low, the use of electronic mail has begun to replace regular mail, reaching surprising levels. For example, in Nicaragua, where Internet penetration is around 2.7%3 (the lowest in Central America), “deliveries of packages and letters through the post office in Nicaragua have registered a sharp reduction since 2000. Reports by the company show that in that year, shipments amounted to 1,441,000 packages, delivered to different parts of the world. However, since 2005, this has dropped to 61%, that means 877,000 fewer shipments”.4

Clearly, we are communicating and sending information by e-mail. This gives greater flexibility, faster response, saves money, allows the creation of broad networks of cooperation and solidarity, and even enhances advocacy mechanisms. However, what are the differences with regular mail? What are the disadvantages? And, above all, how can we reduce the disadvantages and better protect our privacy?

2 Also called a USB (Universal Serial Bus) flash drive.

3 http://www.internetworldstats.com/stats10.htm#spanish

4 http://impreso.elnuevodiario.com.ni/2006/10/19/nacionales/31751


In times of peace, war of information

In Central American countries, during times of war, those with valuable information created secret codes or hid pieces of paper divided among several people. This diminished the possibility that others knew their next moves, who made up the groups, and much more. It is understandable that in the absence of armed conflict, awareness of the need to secure certain information has faded, but it is possible that we are now at the other extreme — we may be taking considerable risks sharing private, valuable information.

It is currently assumed that there is a state of peace marked by democracy, political negotiations, reasoning and the use of non-violent resources. However, as the psychologist Ruben Benedict puts it, if you look at manuals and military doctrine “... we will see that the professionals of war have diluted the boundaries between peace and war, civil and military, and operate accordingly ... [so that when] there is a high possibility of attitudes of social opposition against the implementation of measures necessary for population control, such as the control of communications, suspension of individual freedoms, human rights violations, required to conserve the priority: security. This internal opposition will also be considered an enemy to beat”.5

5 Benedicto, R. “Guerra de Información en el Referéndum sobre el Tratado de Libre Comercio en Costa Rica: un Análisis Psicosocial Crítico desde la Observación Electoral”. http://www.liber-accion.org (biblioteca virtual).


Social organizations in the region committed to human rights, civil rights and critical of the contradictions of the capitalist system manage information that is very valuable and strategic for groups with great economic and political power. Think about this: if you were the manager of a mining company and every day you had to deal with social movements in resistance (ecological groups, displaced populations, unions, etc.), isn’t it likely that you would want to know who the leaders of these movements are? Wouldn’t it be useful to know where they live and where they meet? Wouldn’t you like to know what actions they are planning? And wouldn’t you need to know where they obtain funding for their activities?

[Illustration: “You’re not exaggerating a little?”]

As one can see, this is not an exaggeration. Information about the personal lives of those working for the organizations, who they meet, who supports their work, what their position is on political matters, and what their political action strategies are, can be obtained by electronic means or by neglecting the security of e-mails, cellular phones and databases. Even behaviors that may be considered unimportant, such as consumption habits and personal routines, open up spaces for risk.

Changes in U.S. laws (such as the Patriot Act) since September 11th, 2001, have restricted freedoms and opened up possibilities of access to private information and surveillance of citizens at all levels. These changes have also affected various regulatory processes in the Central American region.


As reported in 2005, there are private companies in the region that sell personal data to foreign companies. In turn, these companies sell that same information to their governments without any investigation of where the information came from.

As well, the raids and robberies in which “coincidentally” only computers are stolen are becoming more common. If the information within this equipment was encrypted6, the “thieves” would not achieve their goal.

[Illustration: “Does privacy exist or not?”]

Additionally, our daily work is not done in abstract. As well as the information of our personnel, we handle sensitive data and information of other organizations, of the people with whom we develop projects and of all the people who trust us. How much care are we giving to that information? More importantly, are we putting at risk the very people that we support and for whom we exist as organizations?

In Central America, although the cases are not as well known, it is clear that freedom of expression and association has weakened since the resurgence of repression and espionage in the international arena. Electronic communications, if not protected, are the ideal place for information to be intercepted.

There have also been several cases where the strategy for damaging an organization focused on e-mail. Shared or insecure passwords can easily be obtained to access e-mail accounts, and, as well, it is possible to impersonate an institutional e-mail address and send communications affecting relationships with other key actors.

In our countries, in some cases the government spies on social organizations, on the grounds of national security. In 2007, SEDEM (Asociación para el Estudio y la Promoción de la Seguridad en Democracia) sent a warning to the Guatemalan media about government spying activities of political, business and social organizations. As published in CERIGUA (Centro de Reportes Informativos sobre Guatemala, a media organization), “in less than seven days, the [government] Executive pointed out that environmental advocacy organizations are a threat to governance and the groups are linked to organized crime”.7

Information security has become a pressing need for social organizations that fight for human rights, because, at this moment, supporting farmers and peasants, people living with HIV, engaging in researching war crimes and combating impunity, coordinating resistance activities against the capitalist, patriarchal society and socio-economic inequity, denouncing and working with the communities whose environment is being destroyed, fighting to vindicate women’s rights -- in summary, defending our rights and resisting the prevailing system is a risky and vulnerable occupation. The choice is not whether to desist, because the same reasons that put us at risk are those that motivate us to keep doing this work. The preferred option is to improve the way we communicate and share our knowledge, finding ways of working that are more secure for us and for the people who rely on our organizations. By discovering and implementing some simple strategies, we can begin down this path.

6 In this case, encryption refers to using an ICT tool with which we can protect documents using a secure password. Someone who has access to the information but not to the password sees only incomprehensible data.

7 http://www.cerigua.org/portal/Article7608.html

Some uncomfortable truths

An unencrypted e-mail is like a postcard

Contrary to popular assumptions, e-mail is nothing like the letters we used to send in paper envelopes. Consider, for example: When writing and sending a hand-written letter, how many copies stayed on our desk?

Then, we went from hand-written or typed (sometimes copying with carbon paper) to writing letters on our computers, where we can save multiple copies. We send these letters by e-mail and a copy remains on our computer – one in our sent box and one in the in-box of the recipient. And, along the way, how many copies are left? From the standpoint of information technology law: “If traditional mail had the same characteristic, from the moment someone places a letter in the mailbox, copies of it would not only be in the hands of the postal service but also in the hands of an infinite number of people around the world”.8

[Illustration: “What are you doooooooing?”]

8 Translated from Barrera and Montague. Recreando privacidad en el ciberespacio.


What happens when we send an e-mail? What route does it take?

E-mail mailboxes are stored on e-mail servers. Sending an e-mail requires an SMTP (Simple Mail Transfer Protocol) server, which allows two servers to exchange messages. To receive messages, a POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) server is needed, which gives the individual user access to the e-mails received.

From all this, it is important to understand that e-mails are stored on servers and in order to access them, we need an e-mail “client” that we run from our computer (such as Mozilla Thunderbird, Evolution or Microsoft Outlook) or a “client” that we access using the Web (such as Gmail, Hotmail, Yahoo, SquirrelMail, etc.).

It is also important to know that e-mails pass from one server to another, often through several intermediaries, and that in most cases this data travels openly. That is, they are messages that travel without any protection. This means that if someone intercepts our communications, everything we have sent in this way can be read without difficulty.

So how can we protect such important data? The answer is: by encrypting, and by using digital signatures to certify our identity. For example, a software tool can encrypt the information so that it can only be read by the person it is intended for and, if the message is also signed digitally, verify the signature to ensure that the sender is who they say they are.

To enable encryption and digital signatures, it is necessary to install an application, and configure it for our use. After that, it is not much more than a matter of getting used to the practice of protecting our information. In addition to allowing us to protect information, this application enables us to store protected files.
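The route an e-mail takes can be read from its own headers: every server that handles a message adds a “Received:” line, so the chain shows which hands the postcard passed through and whether each hop travelled openly. The following is an added example (not part of the booklet) in Python; every host name, address and message id in it is constructed, and the encrypted sample uses a placeholder instead of real ciphertext.

```python
"""Trace an e-mail's route from its Received: headers.

Added example, not from the booklet.  Each mail server prepends a
"Received:" header, so reading them from the bottom up gives the
hand-to-hand path.  The "with" clause tells whether that hop used TLS
(ESMTPS, ESMTPSA) or travelled openly (SMTP, ESMTP).  All hosts,
addresses and ids below are constructed.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed: laptop -> ISP relay -> organisation's server -> recipient's server.
CLEARTEXT_MESSAGE = """\
Received: from mx.acceso-example.test (mx.acceso-example.test [192.0.2.10])
    by mail.recipient-example.test with ESMTP id 4Fa1Z2;
    Tue, 15 Jul 2008 10:03:12 -0600
Received: from relay.isp-example.test (relay.isp-example.test [198.51.100.5])
    by mx.acceso-example.test with ESMTPS id 7Bq9;
    Tue, 15 Jul 2008 10:02:55 -0600
Received: from [203.0.113.44] (office-laptop.lan [203.0.113.44])
    by relay.isp-example.test with ESMTPSA id 1Xy8;
    Tue, 15 Jul 2008 10:02:40 -0600
From: colleague@acceso-example.test
To: partner@recipient-example.test
Subject: Meeting location
Content-Type: text/plain; charset="utf-8"

We meet Thursday at the usual place. Bring the list of names.
"""

# Same kind of route, but the body is a PGP/MIME envelope (RFC 3156): the
# servers relay it, yet only the recipient's key can open it.  The
# ciphertext here is a constructed placeholder.
ENCRYPTED_MESSAGE = """\
Received: from mx.acceso-example.test (mx.acceso-example.test [192.0.2.10])
    by mail.recipient-example.test with ESMTP id 4Fa1Z3;
    Tue, 15 Jul 2008 10:05:12 -0600
From: colleague@acceso-example.test
To: partner@recipient-example.test
Subject: Meeting location
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="frontier"

--frontier
Content-Type: application/pgp-encrypted

Version: 1
--frontier
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder ciphertext)
-----END PGP MESSAGE-----
--frontier--
"""

HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)"
    r".*?;\s*(?P<date>.+)$"
)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS"}  # the hop was protected in transit


def parse_hops(raw_message):
    """Return the hops in travel order, oldest first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server adds its header on top, so the bottom one is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value).strip()  # undo header folding
        match = HOP_RE.search(flat)
        if match is None:
            continue  # non-standard trace line: skip rather than guess
        proto = match.group("proto").upper()
        hops.append({
            "src": match.group("src"),
            "dst": match.group("dst"),
            "proto": proto,
            "tls": proto in TLS_PROTOCOLS,
            "time": parsedate_to_datetime(match.group("date")),
        })
    return hops


def is_end_to_end_encrypted(raw_message):
    """True when the body itself is encrypted (PGP/MIME), not just the transport."""
    return message_from_string(raw_message).get_content_type() == "multipart/encrypted"


def route_report(raw_message):
    """One line per hop plus a verdict on who can read the content."""
    lines = []
    for number, hop in enumerate(parse_hops(raw_message), start=1):
        link = "TLS" if hop["tls"] else "CLEARTEXT"
        lines.append(f"hop {number}: {hop['src']} -> {hop['dst']} "
                     f"({hop['proto']}, {link}) at {hop['time'].isoformat()}")
    # Transport TLS only protects the wire between two servers; each server
    # still stores the message in clear unless the body itself is encrypted.
    if is_end_to_end_encrypted(raw_message):
        lines.append("content readable by: the recipient only")
    else:
        lines.append("content readable by: every server on the route")
    return lines
```

Running `route_report` on the first sample shows two TLS hops and one cleartext hop, with every server able to read the body; on the second, the servers see the same route but only the recipient can open the content.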

Let’s go back to the example of the postcard to clarify the matter of protecting e-mails:

An unencrypted e-mail is like a postcard: when it passes from hand to hand (from server to server), whoever has access to the postcard can read what is written on it, even after the message reaches the receiving server (which could be the postal worker or whoever attends us at the counter in the post office).

Therefore, if we use a no-cost e-mail service, we are using the “post office” of others. If, on the contrary, our organization has an institutional e-mail account, it is likely that we are using our own “post office” (for example, if we are paying for a hosting space or hosting is provided in the server of a service provider). Is it safer to have your own “post office”? Yes and no. The data stored on the servers we rent must be encrypted in order to be truly protected. Otherwise, it would be as if we rented space in a building, put in our own post office, but left the doors unlocked.


Making a path as you go (and saving cookies as you navigate)

So we have already seen that if we send our e-mails without protection, they can be read. We saw that e-mail mailboxes are stored outside of our computers (in free servers, rented by our organization, etc.) and so if we do not use security tools, this information can be read by anyone who has access to it.

Unfortunately, we don’t have better news about the security of surfing the Internet. Every time you visit a website, information is stored in little files called “cookies”. These files are stored on our computers and keep a record of our communications, so that when we surf the net and jump from one site to another, our fingerprints are stored and it is possible to completely trace the road we have traveled.
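Not every cookie leaves the same trail: the ones that let our road be traced across sites are those set by a host other than the site we chose to visit and that survive closing the browser. The following Python is an added example, not part of the booklet; the visited site, the hosts that answered and the cookie values are all constructed, and the “same site” test is a deliberate simplification (real browsers use the Public Suffix List).

```python
"""Which cookies leave a trail?  Classify the cookies set while loading a page.

Added example, not from the booklet.  Given the site we chose to visit and
the Set-Cookie headers returned by every host the page pulled resources
from, flag cookies that are third-party (set by another site) and
persistent (survive closing the browser).  A cookie that is both can
recognise us again on any other site that embeds the same host.  All
hosts and values are constructed.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

NOW = datetime(2008, 7, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example

# (host that answered, Set-Cookie header it sent) while one page of a
# constructed news site loaded; the last two come from embedded ad/stat scripts.
OBSERVED = [
    ("www.noticias-example.test", "session=ab12; Path=/; HttpOnly"),
    ("www.noticias-example.test", "lang=es; Max-Age=2592000; Path=/"),
    ("ads.tracker-example.test",
     "uid=7f3e9c; Expires=Wed, 15 Jul 2009 12:00:00 GMT; Path=/; Domain=.tracker-example.test"),
    ("stats.tracker-example.test", "visitor=x91; Max-Age=0"),
]


def site_of(host):
    """Site a host belongs to.  Simplification: the last two labels;
    real browsers consult the Public Suffix List for this."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify(visited_host, observed, now=NOW):
    """Return one record per cookie with third_party/persistent/tracking flags."""
    records = []
    for origin_host, header in observed:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Max-Age takes precedence over Expires; neither means session-only.
            if morsel["max-age"]:
                expires_at = now + timedelta(seconds=int(morsel["max-age"]))
            elif morsel["expires"]:
                expires_at = parsedate_to_datetime(morsel["expires"])
            else:
                expires_at = None
            persistent = expires_at is not None and expires_at > now
            cookie_site = site_of(morsel["domain"] or origin_host)
            third_party = cookie_site != site_of(visited_host)
            records.append({
                "name": name,
                "set_by": origin_host,
                "site": cookie_site,
                "third_party": third_party,
                "persistent": persistent,
                "http_only": bool(morsel["httponly"]),
                # persistent + third-party: can follow us from site to site
                "tracking": third_party and persistent,
            })
    return records


def trail(visited_host, observed, now=NOW):
    """Names of the cookies that can trace our road across sites."""
    return [r["name"] for r in classify(visited_host, observed, now) if r["tracking"]]
```

With the constructed page load, only the ad host’s `uid` cookie is both third-party and persistent; the first-party session and language cookies, and the stats cookie that is being deleted (`Max-Age=0`), are not flagged.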

Probably when we think of the websites we visited in the past two days, we don’t think there is any reason to worry...

Beyond someone knowing that we visited Hi-5 during work hours...


... but since we are talking about Hi-5, think about how much of our personal information can be found on the Internet. By just putting our name in a search engine or having a profile on sites like Hi-5 or Facebook, it is possible to find a lot of information that we consider personal. However, that is only what is visible: banks, insurers, survey businesses, doctors, lawyers, psychologists, priests – all of them handle information that we consider private.

The colleagues of social organizations that participated in the workshop “Awareness raising and risk evaluation for secure information management” (from Honduras, Nicaragua, Costa Rica, El Salvador and Guatemala) agreed on the categorization of their personal information:

Confidential Information
Salary
Banking transactions
Debts or credits
Consumption capacity
Consumption habits (restaurants frequented, stores visited, etc.)
Place where their children study
Passwords

Public Information
Our name and those of our family members
Our workplace position
Phone numbers
Address
Identification number
Our consumption of services such as electricity and telephone, among others
Heritage
Signature

Some of this information was debated because it was considered sensitive; however, we concluded that whether we like it or not, a lot of our “private” information circulates in the public domain.

[Illustration: “And other data in my computer? Can it also be traced?”]


Viruses, spyware, crackers – windows and doors wide open

A computer connected to a local network (without access to the Internet) is like a room in a closed area. It can be entered only from a computer that is connected to the same network (for example, within the same office). Therefore, the data is somewhat more protected because, in order to take information from it, someone needs to access it from another computer on that network, or insert an external storage device (like a USB memory stick) to copy the information. This is the case in raids, theft, or assault which lead to the organization losing a laptop. At this point, it is necessary to clarify that a computer not connected to the Internet is less vulnerable to data theft, but it is much more vulnerable to viruses (if the system runs Windows) because it is not constantly updated.

When the computer is connected to the Internet by a cable, the information is automatically exposed to a higher level of risk. Through the Internet, it is possible to access the computer remotely (that is, without someone that is in the office touching it). Folders shared through an on-line conversation program (known as chat or instant messenger) are a good example of a door left wide open.

On the other hand, in operating systems vulnerable to security attacks, such as Windows, viruses, spyware or some types of computer worms can be installed and can send out all the information from our computer. Usually we call any application that contaminates and affects the operation of our computer a virus; however, there are some recognizable differences. Viruses are executable files that duplicate themselves automatically and spread within systems.


Worms are programs that exploit an error in the code of a program to infiltrate the system. These are the ones that enter through the “doors” we mentioned earlier. Among these worms is a specific type, called a Trojan horse or Trojan, which allows an outsider to access our computer systems.

Spyware programs are usually installed without realizing it and come as a “gift” with no-cost programs that are downloaded from the Internet. Even the same company providing the programs we use can be obtaining private information from our computer through the automatic updates and the error reports that the user sends.

These levels of risk and vulnerability increase further when the computer uses a wireless connection to access Internet. It is virtually impossible to secure communications when using a wireless connection, as the signal can be intercepted many ways.

So what then? Do we return to using a mail carrier, paper archives and shipping methods?

“¡No! Now that we know more about some of the risks of using these tools daily in our work, we are going to learn some basic tips on how to reduce the risks and protect ourselves better.” 9

9 For a list of recommended tools, see the annex at the end of this booklet.


How can we prevent in order not to regret?

So that our e-mails are not like postcards:

We have now learned a little about the encryption of information. We can encrypt and decrypt our e-mails using a tool installed on our computer. It is also possible to install such a system in a USB flash drive, so that even when using other computers, we can protect our e-mails and decrypt those that we receive.

In the case where we have our own “post office” (e-mail server hosted by a service provider), all data stored also needs to be encrypted. The same should take place with all other computers in the organization, creating encrypted units within the hard drive of the computers and portable memories.

Rather than leaving e-mail management to each user, a good solution is an internal server, because it makes backing up and cleaning up e-mails easier. E-mails enter the server and pass through anti-spam and anti-virus filters before being distributed to each workstation. In addition, they are backed up.

To avoid our steps from being traced when we surf the net:

If we don’t want to leave too much personal information when we surf the Internet, there are also possibilities for protection. We can use anonymous navigational tools such as TOR or install some additions to our web browser (if we use Mozilla Firefox for example10).

10 If using the Google search engine with the Firefox web browser, an addition called CustomizeGoogle can be used in order to choose whether to save cookies, whether to use a more secure server, etc. If using the navigator Google Chrome (in a testing phase at the time of publication), it is likely that these privacy tools can’t be used and all traces of navigation will be saved.


On the other hand, it is advisable that if we use tools for virtual social networks (sites where we put our profile, photographs of the family, our favorite places), we do so with caution.

To prevent damage from viruses and worms:

There are big differences between using proprietary operating systems11 (such as Microsoft Windows) and free ones (any system based on GNU/Linux, such as Debian, Ubuntu, Slackware and many more).

All operating systems have security vulnerabilities. This means that computer programs may contain errors that somehow leave doors open on our computers. However, the free operating systems (commonly known as “Linux”) have the advantage that the code they are made of is accessible. Thus, if a door is left open, any programmer can close it and share that solution. The users of proprietary systems like Windows are entirely dependent on the manufacturing company, which does not disclose the vulnerabilities of its products on the grounds that this protects the operating system. In reality, this only slows down and hampers the solution to the security problem.

11 Proprietary software (not free) limits use, modification and distribution, negatively affecting the freedom of the people that use it. More information can be found at: http://en.wikipedia.org/wiki/Free_software.

As viruses are “programs” that are installed automatically, they cannot act in GNU/Linux systems (the user would have to give them permission to do so). Those that can affect them are worms, but such threats are rare and the response by the communities of people developing solutions is so fast that there is virtually nothing to worry about: “For every machine attacked by a worm, there are thousands (perhaps millions) of virus-infected computers.”12

If using Microsoft Windows, we need to install antivirus software and have it updated automatically, because the system is constantly being attacked by viruses and worms. It is necessary to have your computer checked fairly frequently (the frequency depends on whether your computer is connected to the Internet and whether many people use it). Special attention should be paid to scanning USB flash drives, because it is common for viruses to be stored on them and to run automatically when they are connected to your computer.

If using a free GNU/Linux system, it is not necessary to use an anti-virus. Usually we only check the contents of USB drives and e-mails and delete the Windows executable files associated with viruses and worms. This is done as a preventive measure for the people who do not use free systems, so as not to propagate viruses that do not affect our own computers.

This means that with Linux there are no viruses?

12 http://www.wikilearning.com/tutorial/manual_faq_debian-porque_en_linux_no_hay_virus/6515-8

To close access to our network:

There are several firewall alternatives for preventing others from accessing our networks via the Internet. One of them requires the purchase of special equipment; another can be set up on old computers by installing software like IPCop (a GNU/Linux distribution that requires two network cards and a dedicated computer).

And what happens with the passwords?

So far, we have not talked much about passwords, although we could say that security depends largely on the passwords we use and how we handle them.

The first thing we must do is assess the level of security of our passwords. They are unsafe when:

They can be guessed easily: these are passwords that include the user’s personal data, like birthdays or anniversaries, names of close relatives, pets or known places.

They are shared among several people (for example, through misuse of institutional e-mail or for banking transactions).

The place where the passwords are saved is easily accessible (written notes, data stored on cellular phones, etc.).

They are shared through unencrypted e-mails or phone calls.

Once we know how insecure our passwords are, we can use some tricks in order to reach a medium level of security. For this, it is necessary to use words mixed with numbers, making an analogy between numbers and letters (for example, 4n4lu1$4 for “ana luisa”), or to use words in a little-known foreign language. However, this is not really the best recommendation. The best thing is to follow the recommendations below or use a tool like Keepass.13

Secure and extremely secure passwords:

Secure passwords have the following characteristics:

They are made up of more than 8 characters.

They contain uppercase and lowercase letters, numbers, signs and special characters like (_\}[¬½~·@|).

They are changed regularly.

They are not recorded in any accessible place or shared for any reason or by any means (when it is absolutely necessary to share a password, it should be changed as soon as possible after sharing it).

Some possible tricks:

Follow a drawing or shape when typing on the keyboard (for example, imagine a triangle starting from a specific letter).

Create a sentence without any apparent sense.

Include spelling errors in the sentence.

13 http://keepass.info/

For extremely secure passwords, there are very useful tools for storing passwords. If using Keepass, we only need to remember one very secure password that opens the vault where the rest are stored. Within the vault, we can keep passwords that we generated ourselves or that the system generated, the latter being extremely secure.

What we do when using a tool like this is open the vault, look for the password we need, and copy and paste it into the login form of whatever we need to open. If the system generated the password, it will probably be impossible to remember, and that is much safer, as long as we do not forget the master key that opens the vault.
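The characteristics of a secure password listed above (more than 8 characters, mixed character classes, no personal data, even when disguised with substitutions like 4n4lu1$4) and the system-generated vault passwords just described, as an added Python example that is not part of the original guide; the substitution table and the sample names and passwords are constructed for illustration.

```python
"""Password assessment against the criteria in this guide (added example; this is
not code from the original publication).  All sample data is constructed."""
import re
import secrets
import string

# Characters the guide counts as "signs and special characters".
SPECIAL = set(string.punctuation) | set("¬~·¦")

# Undo the letter-for-number/symbol substitutions the guide calls only medium
# security (e.g. 4n4lu1$4 for "ana luisa").  Assumed mapping of common swaps.
DELEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def _squash(text: str) -> str:
    """Lowercase and drop whitespace so 'Ana Luisa' matches 'analuisa'."""
    return re.sub(r"\s+", "", text.lower())


def deleet(text: str) -> str:
    """Map substituted digits/symbols back to the letters they stand for."""
    return _squash(text).translate(DELEET)


def assess_password(password: str, personal_terms=()) -> list:
    """Return the guide's criteria the password fails (empty list = meets all).

    personal_terms: names, dates, pets, places... that the guide says should
    never appear in a password; matched literally and after undoing substitutions.
    """
    failures = []
    if len(password) <= 8:
        failures.append("length: must be more than 8 characters")
    if not any(c.isupper() for c in password):
        failures.append("missing uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("missing lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("missing number")
    if not any(c in SPECIAL for c in password):
        failures.append("missing sign or special character")
    literal, plain = _squash(password), deleet(password)
    for term in personal_terms:
        t = _squash(term)
        if len(t) >= 3 and (t in literal or deleet(t) in plain):
            failures.append(f"built from personal data ({term!r}), "
                            "even after undoing letter/number substitutions")
            break
    return failures


def generate_vault_password(length: int = 20) -> str:
    """Random password of the kind a vault such as Keepass generates for us:
    at least one character of every class the guide requires, the rest drawn
    from the whole alphabet, in random order."""
    if length <= 8:
        raise ValueError("the guide requires more than 8 characters")
    rng = secrets.SystemRandom()          # OS randomness, not the default PRNG
    classes = [string.ascii_uppercase, string.ascii_lowercase,
               string.digits, "".join(sorted(SPECIAL))]
    chars = [rng.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    personal = ["Ana Luisa", "1995", "Firulais"]   # constructed sample data
    for candidate in ["4n4lu1$4", "Summer2008", "Mi kaballo bvuela 7 vezes!",
                      generate_vault_password()]:
        print(candidate, "->", assess_password(candidate, personal) or "OK")
```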

Key Aspects of an Internal Policy for Information Security

There are many options for improving the security of our information. Some of the steps involve the people who work in technical support, because they are responsible for installing the correct tools. However, security within an organization depends on the existence of clear policies; just as there are rules for the use of the office or the vehicles, we need rules to protect data.

An organization or institution is made up of people who work guided by a vision, mission and objectives. When someone joins an organization, there is an orientation process where they are informed of – among other things – the policies and regulations that the person must know in order to perform their work in that organization.

Usually that induction process does not cover information, ignoring the fact that information is an institutional asset, created within the institution and therefore to be cared for like any other asset. Education and training of staff should not leave out points such as what operating system the computers run, what office tools (word processors, spreadsheets, presentations, etc.) are used, and what can and cannot be done on the computer.

The design and monitoring of the implementation of a security policy does not only depend on the technical staff.

Within organizations there must be one or two people responsible for information security and it is not appropriate to assign these tasks to the technician (at least not completely) because:

When passwords and system information are concentrated in one person, there is too much dependence, and it makes both the institution and the technical support person very vulnerable.

Technical or computer support personnel do not have the hierarchical level required to make strategic decisions or to follow up on them. Nor can they take action when someone should be sanctioned for breaching security policies.

The most important part of the solution depends on the attitudes of people, not the technical tools being used.

Below are some important issues that must be taken into account when considering the development of an organizational security policy.

Levels of Information Confidentiality

In order to determine how confidentiality should be handled within an organization it is necessary to:

Identify the type of information handled:

For example: personnel data, accounting information, activists’ or external partners’ information, internal information of other partner organizations, media communications, research and confidential sources.

Observe what institutions or people manage that information:

For example: reception, transport, management, press office, technical support, external investigators, consultants, donors and funding agencies.

Determine if the current flows are appropriate for the type of information handled:

The most important point here is that the information shared most freely, on the basis of high levels of trust, is often precisely the information that should be best protected, given the consequences of losing it.

Identify external groups interested in the information:

It should be clarified exactly who are allies and who are not. Similarly, criteria must be created for the handling of research information to be shared with the press or other institutions.

Determine whether to make changes in information management:

For example: if the customer service reception is used for interviewing victims, if the computer network does not have distinct access levels depending on position, and so on.

Institutional communications:

Institutional communications deserve a separate section, because often an organization will send communications as editable attached documents. This practice should be backed by a statement published on the organization’s website (it can be a blog14, if the organization does not have an easily edited website), so that the public can verify whether the copy received is the same as the official copy issued by the organization. In an attachment, it is very easy to add or remove paragraphs, signatures, etc. and then send it as if it came from a different organization. We should not attach images of our personal signatures, as it is possible to cut that image out and attach it to other documents.

Although addresses have been impersonated (that is, a communiqué is received from an address apparently identical to that of a specific organization) and passwords have been stolen (which permits access to the inbox and/or the ability to send e-mail from the accessed address), it is not even necessary to go to such trouble in order to send an e-mail imitating another e-mail address. Forwarded e-mails can only be identified by the “fwd” in the subject line, and that text can be imitated.

Use of personal e-mails:

In some organizations, a personal e-mail address is used to send and receive institutional communications or work. This creates problems in terms of monitoring and back-up, because if the person leaves the organization there is no back-up of communications and contacts and, moreover, they could continue communicating as if they still worked for the institution.

14 A blog is a shared forum hosted on the Internet. There are various free options that are easy to manage and, therefore, can be edited frequently. An open and free option is: www.wordpress.com.

Risk factors from physical events:

1. Problems with the electricity supply:

To prevent damage to equipment and/or loss of information caused by abrupt interruptions of electricity, nearby lightning strikes, etc., the following must be implemented:

An inverter or one or more Uninterruptible Power Supply devices (known as UPS).

Special network cables with metal connector tips.

Protection of telephone/network lines (UPS devices have sockets for phone lines).

2. Prevention of damage caused by earthquakes:

It is difficult to imagine that in our organizations we would build a special room safe enough to have the server where we store our information. Therefore, it is recommended to perform regular back-ups of the information and store them in a safety deposit box in a bank.

There should be at least two copies of the same disk so that, when we need to take one out of the safe, the other is always protected.

3. Prevention of flood damage:

For locations at risk, it is advised to do wiring (network and electric) at a certain height from the floor.

4. Prevention of damage caused by dust:

Traditionally it was thought that dust could greatly affect equipment; however, although it is important to clean every so often (especially the server), it is not that risky (unless the equipment is used in areas where there is a lot of dust). Nevertheless, it is important to know that filaments (like hair) can be electrical conductors that carry static. Similarly, excess dust can cause overheating in computers by obstructing the airflow that lowers their temperature. New processors have protection for this, shutting down before damage occurs due to high temperatures, but it is still important to clean them every so often.

Static electricity can be dangerous. In places where humidity is high there is not as much of a problem, but in drier countries it is recommended to touch the grounded metal casing of the power supply before handling electronic components, to avoid potential damage.

5. Protection of wiring:

Chairs, the passage of people, or high heels damage cables that are not properly installed. Sometimes cleaning the floor disconnects the network or power cables. The ideal is structured cabling.

Risk factors associated with information handling by staff:

Measures related to people do not depend on the technical staff. There are no “computer solutions”; there are “information tools” that help generate “more comprehensive solutions.”

Information security depends on processes that we must fulfill. For this, it is essential that organizations have clear rules, which must be institutional and include consequences if violated.

Some points to consider for the development of a policy:

The rules must address the issue of permissions, access and responsibilities in a differentiated way.

Everyone should know what type of permission they have, how much access to information they have and what their responsibility for that data is.

It is necessary to classify the levels and flow of information: if we do not know what information is sensitive or involves a high risk, then we do not know when we should care for that information in a special way and who should have access to certain information and who should not. It is also necessary to determine in what areas the public can visit and where no one can enter except those working for the organization.

The organization should be clear about which passwords a person can have. If a password needs to be shared, there must be a person responsible for changing it as soon as possible.

The organization must determine which programs are to be used and which are not, so that staff do not install tools without authorization. Users are accustomed to installing programs and this creates problems of spyware, viruses and illegal software.

All rules should relate to training processes.

Monitoring of policies: the implementation of policies should be enforced by those who take on leadership and/or coordination roles – the technical team may suggest computing tools, but they are not responsible for enforcing the measures. For example, technical support personnel have no authority to ask an area coordinator to show them their USB flash drive in order to check whether they are using encryption tools.

Technical staff: it is desirable to have two people in technical support, to avoid dependence on any one person. There are many cases where technical progress is lost when the person in charge leaves.

Risk factors for common and political crime:

Below are some important points to consider in order to reduce the impact of a criminal incident that affects organizations:

It is not recommended to use laptop computers as workstations: it is safer to use desktop computers and only use laptops when we need to go somewhere to make a presentation or to work outside the office. Otherwise, we are carrying extremely sensitive information around in the laptops.

Information should always be encrypted: if the information stored on a laptop is encrypted, losing the computer does not give third parties access to the information it holds. The same applies to USB flash drives and back-up disks.

An adequate back-up of passwords is necessary: in every organization there are key people who have access to passwords; however, it is not safe for only one person to handle all the information without the support of other members. If only one person handles a lot of information or has all of the passwords, they become a target for crime.

Changing passwords: when a person stops working in the organization, the passwords they handled must be changed immediately. This implies that a back-up exists both of the passwords the person used and of the new ones created, so that the departing person cannot lock the organization out of its information, and to prevent future problems. Periodic back-ups also prevent loss of information through the departure of staff.

Using passwords for mobile phones: implementing the use of passwords is recommended to make it more difficult (at least slightly) to steal telephone numbers of the organization’s staff or key actors in communities and groups with whom we work.

Staff recruitment policies: it is important that our organizations know who the people are that we hire. We should not only focus on professional skills -- we must also know their history and other details to enable us to establish trust.

When working in the field, the people who leave must give full details of travel, transportation and accommodation, etc., in order to properly monitor their safety.

Back-ups: it is necessary to implement a policy with a fixed periodicity, making it clear when to back-up, how to secure the information and where.

Conclusions

As Central American civil society organizations, we have transformed much of our work patterns based on the technological changes of recent years. This has brought enormous advantages, but also poses challenges in terms of access, use and appropriation of the tools provided by the new information and communication technologies. It is not enough to know how to use a computer -- we need to learn how to secure our information, protect our privacy and use safer tools in our daily work. It is urgent that we implement measures, not only for our own security, but for those people who trust our work and form the networks of support of our organization.

In this publication, we have reviewed some of the most important issues that must be taken into account. However, it is not enough to read and learn -- it is critically important that we act. Little by little we can discuss the issue, educating people who work in organizations to eventually develop a security policy that will frame change.

The security policy must be firm, and its implementation should be monitored constantly, but the implementation of measures is much easier if we all understand the importance of procedures. Therefore, training and agreement are essential.

Moreover, it is very important that the use of computer tools for security involves a continuous process. For example, it can happen that years after making an encrypted back-up, the person who knew the password of the disk leaves the organization, or someone forgets to save the password in the storage place intended for it. This would mean no access to the information backed-up, which is a good example of what can happen if procedures are unclear and there is no consistency.

Another key detail is reciprocity from other organizations. Our organization can implement many security measures, but that effort is not enough if we communicate with other institutions that do not secure their information appropriately. As a sector, we need to raise our security concerns in our networks, not because we distrust the institutions we work with, but because information security should be worked on in a coordinated manner, ensuring that organizations take care of each other.

Finally, as you have probably noticed, this publication constantly mentions and recommends Free Software operating systems. This preference is based not only on the philosophical principles that underpin this global movement for freedom and a more sustainable technological future, principles consistent with the approaches that guide the work of human rights organizations – it is also based on the security that open source software provides to users. Having the source code makes it possible to fix problems or defects in the software, because communities of developers share knowledge and the solution is within everyone’s reach. Furthermore, only with open source software is it possible to check that the program does what it is supposed to do and NOTHING more.

Moreover, the high cost of proprietary software licenses forces organizations to spend resources needed for their work. For this reason, they often resort to the use of illegal software, which becomes a huge vulnerability for social organizations, due to the serious consequences of economic sanctions and the threat of losing information through raids or through botched migrations or changes to free software operating systems. Given that free, open and more secure tools already exist, it is recommended that organizations begin to consider the need to secure their future by changing to free software operating systems.

Recommended Tools

Software Libre (runs in Windows or GNU/Linux operating systems):

E-mail client: Mozilla Thunderbird http://www.mozilla.com/en-US/thunderbird/

Software to encrypt and sign e-mails (complements for Mozilla applications): Enigmail http://enigmail.mozdev.org/

Internet browsing: Mozilla Firefox http://www.mozilla.com/en-US/firefox/

Anonymous Internet browsing: TOR http://www.torproject.org/index.html

Privacy configuration for the Google search bar with Firefox: CustomizeGoogle http://www.customizegoogle.com/

Antivirus: ClamWin http://www.clamwin.com/ and ClamAV (for GNU/Linux) http://www.clamav.net/

Protecting files and documents through encrypted drives: Truecrypt15 http://www.truecrypt.org

Program for secure handling of passwords: Keepass http://www.keepass.info

Firewall program: IPCop http://www.ipcop.org/

Software:

Free antivirus (not open source): Avast http://www.avast.com/

15 Truecrypt is open source software with its own license; its legal terms have been discussed at: http://www.mail-archive.com/[email protected]/msg38222.html

Sources consulted:

Barrera, María Elene and Montague, Jason. Recreando privacidad en el ciberespacio. Obtained from the Internet on August 19th, 2008 at: http://www.dlh.lahora.com.ec/paginas/judicial/PAGINAS/D.Informatico.16.htm

Castells, Manuel. Internet, libertad y sociedad: una perspectiva analítica. In: Polis, Revista On-line de la Universidad Bolivariana de Chile, Volumen 1, Número 4, 2003. Obtained from the Internet on September 4th, 2008 at: http://www.revistapolis.cl/4/cast.htm

Colectivo Mononeurona. Manual/FAQ Debian - ¿Porqué en Linux no hay virus? Obtained from the Internet on August 19th, 2008 at: http://www.wikilearning.com/tutorial/manual_faq_debian-porque_en_linux_no_hay_virus/6515-8

Benedicto, Rubén. “Guerra de Información en el Referéndum sobre el Tratado de Libre Comercio en Costa Rica: un Análisis Psicosocial Crítico desde la Observación Electoral”. Obtained from the Internet on July 14th, 2008 at: http://www.liber-accion.org/Joomla/index.php?option=com_docman&task=doc_download&gid=48

Tactical Technology Collective and Front Line Defenders. NGO in a Box: Security Edition, October 2005. Available on-line at: http://security.ngoinabox.org/html/sp/content.html

Concepts consulted in Wikipedia:

http://es.wikipedia.org/wiki/Criptografía

http://es.wikipedia.org/wiki/Firma_digital

http://es.wikipedia.org/wiki/Criptología

* For a complete compilation of tools:

NGO in a Box Security Edition http://www.security.ngoinabox.org
