Security culture is an agreement made by a group which outlines the minimum security, tools and security processes the group will use. This allows individuals to understand their personal risk as well as the risk to the group and the group's actions.
Security culture also builds the skills of members who lack technical skills, since they would otherwise be the “weakest link” in the group's security and the group needs everyone to be collectively at the minimum level.
An example from the DAM group:
- We should remain consistent in our practices so that it becomes habit.
- “Need to know” ?? This is a large issue and still needs to be specifically discussed and figured out with the group.
- Phones off, laptops off (unless temporarily required) and placed outside the room, if it is safe to do so.
- Do not include dates, times, related to any specific actions within the same email.
- Keep any specific locations and names (this includes full names of people involved, as well as places, corporations, etc.) out of any emails and electronic documents.
- Communicate sensitive information face to face.
- If needed, use code words for targets, locations etc.
- No recorded details of full names on who is responsible for what, or details on campaign tactics.
- Password protected laptops.
- If possible, try to avoid venues that we know/suspect are bugged.
- Clue in all DA volunteers/participants on this security protocol, by bringing it up at pre-action trainings and having a hand-out with easy-to-follow dot-points.
- DAM organiser meetings to be attended by those already inducted as DAM organiser members. New attendees must be vouched for by two current members.
- Avoid storing any information online that contains any action-specific details.
- Keep the data securely. Only keep data for as long as you need it. E.g. don’t store information in emails. Delete old emails, from the sent inbox too! Destroy data securely (completely). You may need a specific “data shred” program to do this effectively.