The recommendation instructions are written either for staff (🧑) directly, so that they can follow the instructions on their own devices and accounts and learn about best practices independently, or for the change leader (🏗️), who can use the instructions to organise the roll-out in their organisation.
The action items under Preparation will assist you in strengthening your digital security. The more items from this list you complete, the less at risk your organisation's staff are while using digital technologies at work or while carrying their devices with them. The items under Conduct are aimed at changing the behaviour and mindset of the staff in your organisation, so that they remain vigilant and make digital hygiene and security a personal habit.
The items starting with 🔒, 📱, 💻 or 🖥️ are linked to the guides. The items starting with 🔘 or ✅ are more detailed sub-steps of the recommendation directly above them. For each set of 🔘 items only one needs to be completed; for the ✅ items you can complete as many as you want.
Each of the items on the checklist will link to more detailed steps on how to implement that step. Each recommendation will list:
How important is it that this recommendation is followed, possible values are:
- ⭐ - Optional
- ⭐⭐ - Recommended
- ⭐⭐⭐ - Best Practice
- ⭐⭐⭐⭐ - Strongly Advised
- ⭐⭐⭐⭐⭐ - Essential
How much technical expertise is required to follow the recommendation; values range from:
- ⭐ - Anyone can follow this unassisted
- ⭐⭐ - Anyone can follow this with some assistance
- ⭐⭐⭐ - Some technical knowledge is required
- ⭐⭐⭐⭐ - Advanced technical knowledge is required
- ⭐⭐⭐⭐⭐ - Getting external support is recommended
How much effort is typically required to follow the recommendation:
- 🧑 - Can be learned or done independently within 5 minutes
- 🧑🧑 - Can be learned or done independently within 30 minutes
- 🧑🧑🧑 - Can be learned or done independently within 120 minutes
- 🏗️ - Requires some centralised planning; the organisation roll-out is less than 30 minutes per case
- 🏗️🏗️ - Requires centralised planning; the organisation roll-out is less than 120 minutes per case
- 🏗️🏗️🏗️ - Requires centralised planning; the organisation roll-out may take several hours per case
How much funding is needed for the roll-out of the recommendation. Most recommendations are free, but for those that cost money, the estimated cost is given per person or per device. Pricing for subscriptions is specified on an annual basis and carries a 🔁 to indicate its recurring nature:
- 🆓 - free
- 💵 - between USD 1 and 10
- 💵💵 - between USD 10 and 25
- 💵💵💵 - between USD 25 and 100
- 💰 - between USD 100 and 250
- 💰💰 - between USD 250 and 1000
- 💰💰💰 - in excess of USD 1000
In the recommendations, the following icon conventions are used:
- 📱 - Smartphone
- 💻 - Laptop
- 🖥️ - Desktop
- 🌐 - Web Service
- 📄 - Policy
- 🔒 - Passwords
- 🧑 - Regular Users
- 👩💻 - Advanced Users
- 🏗️ - Admin / Management
- 🍏 - Apple
- 🤖 - Android
- 🦊 - Mozilla Firefox
- 🦁 - Brave Browser
Glossary of Terms
In the recommendations, we use digital security terms as described by the EFF SSD, with the following meanings:
adversary - The person, organisation or institution attempting to undermine your security goals. Adversaries differ depending on the situation. Your adversary profile is provided in the needs assessment.
compromise - The use or modification of your data by adversaries in ways that disadvantage you or your organisation. This could mean that the military reads messages that were not intended for them or sees case files that are supposed to be confidential, but also that email addresses or phone numbers in your contact list are changed so that you write to the wrong person.
data - Any kind of information, typically stored in digital form. Data can include documents, contact lists, pictures, passwords, programmes, messages, and other digital information or files.
encryption - A process that takes data (typically a message or file) and makes it unreadable except to a person who knows how to "decrypt" it back into a readable form.
security goals - What the organisation wants to achieve by keeping its data secure. Common goals include physical security of devices, confidentiality of communication, thwarting phishing attacks, and having a contingency plan in place.
risk - The chance that a threat could exploit a vulnerability in your digital security and
threat - A potential event that could undermine your efforts to defend your data from being compromised. Threats can be intentional (conceived by adversaries) or accidental (you might leave your computer turned on and unguarded). Threats specific to your organisation are listed in the needs assessment.
vulnerability - A weakness in the defence of your devices, configurations or personal habits that can be exploited by an adversary. Vulnerabilities specific to your organisation are listed in the needs assessment.
The guide was developed by Mart van de Ven.