Good Practices

(some tips and tricks to stay safe in the digital sphere and keep the digital infrastructure secure)

Hardware

  • Avoid using personal devices to access work-related information, or if you need to do so, make sure that appropriate security measures are taken to protect your devices from a security breach.
    (How is your computer protected? Also, keep in mind that your mobile device should be protected too, as it is a major vulnerability.)
  • Keep your workstation password-protected, and lock it when not in use. 

Software

  • Always use anti-virus and anti-malware protection programmes as well as a firewall.
  • Keep your operating system, security software and other regularly used software up to date. 
  • Download software only from authentic sources, and use licensed, genuine copies. Educate yourself on using open source software, as community support makes it a robust and secure alternative.
  • Always pay attention to the Terms and Conditions as well as the Privacy Policy of any new software you download onto work machines.
    In particular, pay attention to how your data is processed, whether it is used for purposes other than providing the direct service to you, how you can exercise your rights to retract, alter, delete etc. your data, and, above all, whether the service provider claims to be GDPR compliant.
    In addition, if entering into a contract with such a service provider means entrusting it with someone else's personal information, make sure you have the appropriate permission from them to do so.
  • Clear your web browser cache and cookies regularly. See the guidelines here on what they are and what they store, as well as how to clear them in different browsers.

    Browser-specific guides: Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Microsoft Edge, Apple Safari

Access to the Internet

  • Avoid using unprotected public internet access. Pay attention to the Terms and Conditions and Privacy Policy before connecting to it.
    If necessary, change the access credentials of the accounts you used after using such a connection.
    Under no circumstances access sensitive information, databases or servers while connected via an unprotected internet connection.
    Consider using a virtual private network (VPN) for accessing information.
  • If using other devices to access your accounts, use private/incognito mode in the web browser, so that your login information and web history, which might be confidential, do not get stored.
    Also, bear in mind that different browsers have different private mode settings with regard to what information is deleted upon exiting the session.

Passwords

  • Do not write your password on a piece of paper or an unencrypted file. 
  • Do not save your password in the web browser. 
  • Use strong passwords (letters/digits/symbols) and never use the same password for several tools/machines. Avoid using your name or other common identifiers about you in the password. 
    There are many articles online on how to create strong but meaningful passwords as well as random password generators.
  • It's good practice to change your account passwords on a regular basis (e.g. every 6 months).
  • If you have too many passwords to remember (which will most probably be the case if you are not reusing them), use a secure system to store them.
    There are many password management tools, yet before committing to one, make sure it is GDPR compliant and check where and how it stores the data. You should be fully aware of its Privacy Policy and Terms and Conditions and of the procedure to retrieve your information.
  • Do not rely on passwords alone; consider also applying two-step authentication to make access more secure.
  • If you have to give someone access, do not share your own account and password; use a separately generated account and invite them to set it up themselves.
    If you must share the access, never share the user name and the password through the same channel/medium (e.g. share the user name via email and the password via SMS or a USB drive).
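The password rules above (character variety, no personal identifiers, no reuse across tools) can be checked mechanically, and the "random password generator" the page mentions is a few lines with the operating system's secure random source. The following is an added illustration, not code from the page; the 12-character minimum, the symbol set and the rule names are assumptions chosen for the example, and the vault passed to find_reused is constructed sample data.

```python
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed symbol set for this example
MIN_LENGTH = 12                        # assumed minimum; the page sets no number


def generate_password(length=20):
    """Random password from the OS CSPRNG (secrets), guaranteed to contain
    at least one lower-case letter, upper-case letter, digit and symbol."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    classes = [LOWER, UPPER, DIGITS, SYMBOLS]
    # one character from every class, then fill the rest from the full alphabet
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # hide the class-first ordering
    return "".join(chars)


def check_password(password, identifiers=()):
    """Return the list of rules the password violates (empty list = acceptable).
    identifiers: the user's name and other personal tokens that must not appear."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in LOWER for c in password) or not any(c in UPPER for c in password):
        problems.append("needs both lower- and upper-case letters")
    if not any(c in DIGITS for c in password):
        problems.append("needs a digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("needs a symbol")
    lowered = password.lower()
    for ident in identifiers:
        if len(ident) >= 3 and ident.lower() in lowered:
            problems.append(f"contains personal identifier {ident!r}")
    return problems


def find_reused(vault):
    """vault: {account_name: password}, as a password manager holds it.
    Return the groups of accounts that share one password (sorted lists)."""
    by_password = {}
    for account, pw in vault.items():
        by_password.setdefault(pw, []).append(account)
    return [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    # constructed sample vault for the reuse audit
    sample_vault = {"mail": "Summer2019!", "vpn": "Summer2019!", "wiki": generate_password()}
    print("reused:", find_reused(sample_vault))
    print("problems with 'Summer2019!':", check_password("Summer2019!", ["jane"]))
    print("generated:", generate_password(20))
```

check_password deliberately returns every violated rule rather than a yes/no, so a password manager's audit view or a sign-up form can tell the user exactly what to change.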

Emails

  • Avoid opening suspicious emails from unknown sources, clicking on hyperlinks in those emails (you can always right-click to copy the link and inspect what it actually points to), and especially downloading zipped attachments.
    The safest course is not to open suspicious or unrecognised emails at all, and rather to delete them.
  • Bear in mind the good practices for not ending up in the spam folder when writing your emails: e.g. do not use many pictures, or hyperlinks whose displayed text does not reflect the actual link target; avoid forwarding chains, sending bulk emails from a non-personal email account, adding too many people to the recipient list, etc.
  • Keep in mind the different tools that can give your emails extra protection. You can, for example, encrypt an email or password-protect it using the various tools available.
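The "inspect what the link actually is" advice and the warning about hyperlinks whose text does not reflect their target describe the same check: does the URL a reader sees match the host the link really goes to? The following is an added example, not code from the page; it scans an HTML email body with Python's standard library and reports anchors whose visible text looks like a URL but points at a different host. SAMPLE_EMAIL is constructed sample data using reserved .example and .test names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# text that looks like a URL or bare domain, e.g. "https://site.example/x" or "www.site.example"
_URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL or bare domain, or None if there is none."""
    if "://" not in value:
        value = "http://" + value      # urlparse needs a scheme to find the host
    host = urlparse(value).hostname
    return host.lower() if host else None


def find_deceptive_links(html_body):
    """Return one finding per link whose displayed URL names a different host
    than its real target. Links with non-URL text ("Click here") are skipped:
    they cannot be judged from the text alone and must be inspected by hand."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not _URL_LIKE.fullmatch(text):
            continue
        shown, target = _host(text), _host(href)
        if not shown or not target:
            continue
        # accept the exact host or a subdomain of the displayed host (www.site.example for site.example)
        if target != shown and not target.endswith("." + shown):
            findings.append({"text": text, "href": href,
                             "reason": f"displayed host {shown} but real target is {target}"})
    return findings


# constructed sample email body: one deceptive link, one honest link, one with plain text
SAMPLE_EMAIL = """
<p>Your account needs attention. Please confirm at
<a href="http://mybank-login.test/verify">https://www.mybank.example/login</a>.</p>
<p>Our policy: <a href="https://www.example.org/privacy">www.example.org/privacy</a>.
Questions? <a href="https://help.example.org/">Click here</a>.</p>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: text {finding['text']!r} -> {finding['href']} ({finding['reason']})")
```

The same function can run over a mailbox export before a phishing-awareness session, or inside a mail filter, but its output is a prompt for a human to look closer, not a verdict: a link whose text is just "Click here" passes the check and still deserves the right-click inspection the page recommends.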

Data management

  • Create regular backups. You might be able to use the organisation's server as well as external hardware to do so. Research the pros and cons, and the level of security, of automatic backups (e.g. to the cloud) versus manual ones (e.g. to a USB drive or external HDD), and whether it is best to use both in your particular case.
    Always test the backup after creating it, to make sure it will work when/if it is ever needed.
    Protect your backups from a security breach.
    When backing up confidential data, use appropriate security measures (e.g. encryption).
  • Always scan external storage devices before copying data from them, and format external storage that appears empty, to eliminate the chance of transmitting malware/viruses to your system.
  • Data deletion: ensure that data is deleted from all sources and no copies are left (empty the Trash folder and make sure the information you want to delete is not replicated in the backups).
  • Respect copyrights and protect your own intellectual property. E.g.
    • Use materials under a Creative Commons licence in your presentations.
    • Do share materials, but first determine the exact scope of exposure for your organisation and make sure we have cleared your liability.
    • When giving your presentation to a third party, omit/delete any personal and/or confidential information from it.
  • Data access: access to user data should be granted only to authorised people within the workplace, and access rights should be reviewed periodically. Further, data should be compartmentalised so that it can easily be delegated to the relevant person to process.
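"Always test the backup after creating it" is the step most often skipped, because it needs a restore, not just a copy. The following is an added example, not code from the page: it writes a gzip tar backup of a folder together with a SHA-256 manifest of every file, then proves the backup is usable by restoring it into a scratch directory and comparing each restored file against the manifest. The folder contents in demo() are constructed sample data. Encryption of the archive (the page's advice for confidential data) is left to the backup tool and is not shown here.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive every file under src_dir into archive_path (gzip tar).
    Returns the manifest {relative path: sha256} recorded at backup time."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    return manifest


def verify_backup(archive_path, manifest):
    """Restore the archive into a temporary directory and check it against the manifest.
    Returns a list of problems; an empty list means the backup restores exactly."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):       # Python 3.12+ (and backports): safe extraction filter
                tar.extractall(restore_dir, filter="data")
            else:
                tar.extractall(restore_dir)
        restored = {p.relative_to(restore_dir).as_posix(): p
                    for p in Path(restore_dir).rglob("*") if p.is_file()}
        for rel, expected in manifest.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif sha256_file(restored[rel]) != expected:
                problems.append(f"hash mismatch: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected: {rel}")
    return problems


def demo():
    """Back up a constructed sample folder, verify it, then show that a backup whose
    contents no longer match the recorded manifest is reported rather than trusted."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "documents"
        (src / "notes").mkdir(parents=True)
        (src / "report.txt").write_text("quarterly figures (constructed sample)\n")
        (src / "notes" / "todo.txt").write_text("test the backup\n")
        archive = Path(work) / "documents-backup.tar.gz"

        manifest = make_backup(src, archive)
        clean = verify_backup(archive, manifest)

        # simulate a backup whose recorded state no longer matches what is in the archive
        tampered = dict(manifest)
        tampered["report.txt"] = "0" * 64
        corrupt = verify_backup(archive, tampered)

        return {"files": len(manifest), "clean_problems": clean, "tamper_problems": corrupt}


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest separately from the archive (for example with the backup log) is what makes the restore test meaningful: a verification that only re-reads the archive would happily confirm a corrupted copy of itself.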

Handling other people’s personal data 

  • Please read the basics of personal data and the GDPR changes here, or a quick summary here. Keep in mind that there is a difference between "personal" and "sensitive" data; the latter is to be handled with even more care.
  • Before further processing personal information from participants in events/conferences, be sure to have their consent. See your organisation's internal regulations on that.
    In case of doubt about the level of sensitivity of the data, always contact the data controller to verify it before storing or transferring the data.

Keep your eyes open

  • Identify which parts of your work and of the data you process are most crucial and should be protected, and which could be most vulnerable to potential threats.
  • Keep track of, and stay aware of, what data you are exposing about yourself (e.g. see the practices of social engineering).
  • The most effective security breach is the one you don't even notice, so always stay attentive to the details within your digital infrastructure/accounts. (Always check the reply address when sending off an email, or the web URL when entering sensitive information in your browser.)
  • Read more to keep up to date with the latest trends in keeping your data secure. Ask your hierarchy for training if you need it, and if you need to educate your team, look for support materials.
    Many National Data Protection Authorities are doing their best to help their beneficiaries get up to speed, and share such support material with the public.
  • Know your institution's line of action in case of a security breach. What is the protocol and the course of action? Who are the responsible people? Who should be informed and notified?

Exercise your rights!

  • GDPR is your friend, and aims to give you more control over your data. Data is the new most valuable currency, so use your rights and be respectful towards others!
    Do you know who can access or is storing your personal or sensitive information? If you are collecting data, have you made the people affected aware of it?