Security Guidance

From IMSMA Wiki
Revision as of 15:53, 5 October 2021 by Andrewk (talk | contribs) (Add Security Guidance Page (auto converted from github markdown file))
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Information Security - Good Practices

As more services and processes become digital and connected online in mine action, the risk of data loss and other information security incidents increases. As with companies and government organisations, the humanitarian sector can also be subject to cyber security incidents.

To ensure both the security and authenticity of information stored within IMSMA, it is recommended that National Mine Action Authorities and partners follow information security best practices. These best practices can apply to all systems and not just to IMSMA NG, and while they can help reduce the risk or impact of an incident they cannot guarantee protection from cyber attacks.

We outline some best practices here, which should complement any IT policies or guidance your organisation has in place.

  1. Back up your data
  2. Protect your authority or organisation from malware or other threats
  3. Keep mobile devices such as tablets and smartphones safe
  4. Use passwords, and where applicable encryption, to protect your IMSMA data
  5. Understand how to avoid phishing attacks

As well as steps to protect the authenticity and security of information stored within IMSMA, you should also consider data protection processes where your IMSMA database contains personal information - for example on community members or victims of accidents. Further guidance can be found in the ICRC Handbook on Data Protection in Humanitarian Action, and laws in your country may determine how personal data should be processed.

Back Up Your Data

As the system of record of mine action activities, it is important to keep regular backups of the IMSMA database. This can reduce the impact of data loss or corruption not just from cyber attacks but also in case of hard drive failure, or from theft or physical damage such as from flooding or fire.

  1. Identify What Needs to be Backed Up

    While any backup should include the IMSMA NG database and attachments, you may also have important information stored elsewhere for example forms or other files. IMSMA NG includes a backup function that can be used to provide a backup of the configuration, data and attachments.

  2. Backups should be stored separate from your IMSMA NG computer or server

    You should keep your backup separate from your computer. If you backup to a USB drive then ensure that this is not permanently connected to your computer. Ransomware can encrypt connected devices, if this happened while your backup disk was connected it could leave you with no backup to restore. The backup media should be in a separate location in case there is a catastrophe such as fire that destroys the facility where your IMSMA NG system is located.

  3. Make Backups Routine

    Don’t just backup when you need to share your IMSMA NG database. Decide how often backups should be taken and ensure that the schedule is followed. How often you make a backup will depend on the amount of activity on your database, for example whether to take daily, weekly or monthly backups. If you use an external USB drive to save your backups it may be helpful to keep more than one disk and alternate between them.

  4. Consider Backing Up to the Cloud

    Online, or cloud storage can help to store backups separately from your IMSMA NG server. For example if you work with a GICHD IM advisor they may already ask you to share backups with them via box.com. If you do backup to an online provider remember to ensure the security of you backups that is uploaded. For example by encrypting backups before uploading them, or turning on two factor authentication for your account - this can send a code by SMS to your phone when you login and provide an extra level of security.

Protect your Organisation from Malware and other Threats

Malware (which can include computer viruses and cryptoware) could lead to IMSMA NG data being lost, stolen or corrupted. There are some straightforward steps that can help keep your system safe;

  1. Install and Turn on Anti-virus software

    Windows now comes with free anti-virus software built in, if you have a recent version you can enable Windows Defender. If you use an older or different operating system, there is other software available that offers Malware protection.

  2. Be careful about downloading and installing extra apps

Especially on your IMSMA NG computer, be careful about what apps you download and install. Consider whether you really need to install any other software on the same computer as IMSMA NG, and ensure that it comes from a safe source or store. When installing software to tablets or smartphones make sure that it comes from the official Google Play or Apple App Stores.

  1. Keep your Computer and Devices up to date (patched)

    Apply security updates and patches to your computers and any tablets or other mobile devices when they are released. While some software like IMSMA NG now uses older components that are no longer being updated, it is still best practice to keep your computer and other devices updated.

  2. Take care with USB drives, sticks or memory cards

    While useful for transferring files, be careful when using drives or memory cards from others. You may want to only use these on a different computer from your IMSMA NG database, and make sure that any drives or memory cards (e.g. from a camera) are scanned for viruses and malware before being used.

  3. Switch on your firewall

    Depending on your local setup and whether you have a network or not, you should ensure a firewall is enabled to protect your systems from the internet. This is important to prevent access to your IMSMA NG system except by authorised users. A firewall can be enabled and configured in Windows, or your IT function may do this centrally. If you allow partners to access the IMSMA NG database via VPN or similar, the firewall must be configured to enable this securely.

Keep Mobile Devices Safe

Because mobile devices, including laptops and tablets are portable and leave the office they can easily be lost or stolen. Laptops that contain IMSMA databases, or tablets that are used to collect data should be secured to protect your data. This is especially important where devices are connected to IMSMA Core or MARS.

  1. Switch on Password Protection Use suitably complex PIN’s or passwords on all devices to protect the information contained on them. Also follow best practices on the use of passwords (for example don’t write passwords down and keep them on or close to the device).
  2. Consider enabling device management so lost or stolen devices can be locked or wiped Android and iOS devices come with management tools that allow them to be erased or locked if the devices are are lost or stolen. Where your device is connected to the internet, consider installing and enabling Android Device Manager or Find my iPad. These services must be enabled before a device is lost.
  3. Keep your Devices up to date As with computers it’s important to keep devices up to date, you can do this by enabling automatic updates. This is especially true for any tablets or phones that are connected to the internet.
  4. Keep apps up to date If you are using mobile data collection apps like Survey123 or MARS, keep these up to date.
  5. Don’t connect to unknown Wi-Fi Hotspots When using public wi-fi there is no way to know how the hotspot is secured or who controls it. When connecting to public wi-fi hotspots, somebody else could access or record;
  • What you are connecting to for your work - for example the address of the MARS server, and
  • Potentially login or other connection details that you are using.

To avoid these problems be cautious about connecting to wi-fi hotspots outside your office or that of a partner organisation.

Use Passwords and Encryption to Protect your IMSMA data

Passwords provide important protection for your IMSMA data, but only if you use them properly;

  1. Switch on Password Protection As well as for mobile devices, switch password protection on for any computers that collect or store IMSMA data.
  1. Consider using encryption on devices that store IMSMA data Encryption can prevent anyone accessing or manipulating IMSMA data. This can include on portable drives that contain your IMSMA NG backups. Newer versions of windows includes Bitlocker and Bitlocker to Go that can be used to encrypt and add password protection to your computers disks and any portable drives where you store your backups.
  2. Avoid Using Predictable Passwords, and change Default Passwords Passwords should be easy to remember, but difficult to guess. Combinations of random words can make good passwords that are easier to remember. Change any default passwords, especially the IMSMA database accounts, and do not use common passwords such as ‘password’ or ‘imsma’.
  3. Do not re-use the same password for multiple accounts Especially for online accounts try not to use the same password for more than one website or login, for example using the same password for a forum as you use for MARS or IMSMA Core. This is because if hackers gained access to your login details for one website or app, they could try to use that same password to login to another.
  1. Consider using a Password Manager Where you have a lot of passwords to remember, a password manager such as KeePass can help. With these tools you store your passwords in an encrypted ‘vault’ and use one strong master password to access them. If someone obtains the password file they can’t access it without knowing your master password.
      1. Understand how to avoid phishing attacks

Phishing attacks are where hackers or scammers will send fake emails or use bad websites to try to collect sensitive information. They may trick you into logging in to a fake website with your real username and passwords, which they can then use to steal information or in the case of bank accounts, money. Phishing is more of a risk for common online accounts and websites rather than IMSMA NG, but you should still be aware of the risk, for example to protect your email account which you may use to share IMSMA data.

You can read more about Phishing in this article from microsoft that provides some practical tips.

Resources

Material has been adapted from the UK Cyber Security Guide in accordance with the Open Government Licence.