Update security.md #1287

Merged
merged 6 commits into from
Oct 4, 2023
17 changes: 17 additions & 0 deletions company-policies/security.md
Expand Up @@ -221,6 +221,23 @@ IT team system administrators working on CivicActions servers must also:
- Ensure offsite backups are transferred and stored only in encrypted form.
- Ensure the Hurricane Electric and RimuHosting access list (that controls remote hands and physical server access) is maintained.

## Mobile Device Security

Mobile devices are portable devices that connect to the internet, specifically devices like smartphones and tablet computers. Most (or all) mobile devices used at CivicActions are personal devices - this policy is intended to cover these personal devices, if they are used for CivicActions work.

Securing mobile devices used for CivicActions work is crucial for safeguarding sensitive information and maintaining the integrity of our organization and our customer's data. The following are best practices for mobile device security (for more information see NIST SP 800-124 - [Guidelines for Managing the Security of Mobile Devices in the Enterprise](https://csrc.nist.gov/pubs/sp/800/124/r2/final)):

1. Keep the device updated on all firmware and OS updates, including critical security updates.
2. Enable security features to lock devices when not in use. Recommended security features include a password or 6-character pin, and biometric security (fingerprint, facial recognition, if available).
3. The device must be set to automatically lock after a maximum of 5 minutes of inactivity. If security features make unlocking convenient then a shorter lock time is recommended.
4. Verify that data is encrypted on the device. Ways to set this up by OS type:
- iOS - setup icloud account to enable data encryption
- Android - setup biometric/pin code to enable data encryption
5. Do not "jailbreak" or "root" your mobile device, removing inherent OS security and exposing it to malware apps.
6. Install apps from only secure sources (official app stores) and avoid side-loading apps.
7. If a device used for CivicActions work is lost or stolen, please notify the security team immediately to document and assist in recovering or wiping the device.
8. Follow [CivicActions' prohibited hardware and software policy](prohibited-hardware-and-software.md) to avoid using/installing items on the list.

## Security awareness and tools

We maintain a [Security Awareness and Tools](../common-practices-tools/security/README.md) document that dives deeper into some additional topics, including:
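Review bot: Item 4 of the new "Mobile Device Security" list asks readers to verify that on-device data is encrypted, but the iOS sub-bullet ("setup icloud account to enable data encryption") points at a cloud account rather than at the device lock that item 2 already requires, while the Android sub-bullet correctly ties encryption to the PIN/biometric lock. Since device encryption on both platforms is enabled by setting a passcode/PIN, consider making the two sub-bullets consistent with item 2, e.g. "iOS - set a device passcode (Data Protection is enabled with it)" and "Android - set a PIN/biometric lock (device encryption is enabled with it)", and add where to verify the setting so item 4's "Verify" is actionable. Minor: "setup" should be "set up" (verb), "icloud" should be "iCloud", and "our customer's data" likely means "our customers' data".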