Chapter 1.12: Security, communications and information technology

A guide to safer office and information management

by Enrique Eguren and Marie Caraj

Safer Office Management

Safer office management is about creating habits. Office management habits can be useful or harmful. To develop useful office management habits, it helps to understand the reasoning behind them. We’ve put together lists of habits that can help you manage your information more safely - but only if you develop these habits and think about why they are important.

What is most important for privacy and security in office management?

  1. Being conscious of your information and who has access to it.
  2. Developing safe habits and using them consistently.
  3. Using the tools properly.

Administration

Many organisations have a system administrator or someone who has administrative privileges to access email, network computers and oversee installation of new software. If someone leaves the organisation or is unavailable, the administrator can then access the individual’s information and business can continue uninterrupted. Also, this means someone is responsible for ensuring that the system software is clean and from a reputable source.

The problem is that some organisations consider this role merely as technical support and allow a third party contractor to hold administrative privileges. This administrator has effective control over all information in the organisation, and must therefore be absolutely trustworthy. Some organisations share the administrator role between the head of the organisation and another trusted individual.

Some organisations choose to collect PGP private keys and passwords, encrypt and store them securely and remotely with another trusted organisation. This prevents problems if individuals forget their password or lose their private key. However, the location where the files are kept must be absolutely secure and trustworthy, and specific and extensive protocols must be created relating to accessing the files.

The rules:

  1. NEVER give administrative privileges to a third party contractor. Not only are they less trustworthy than people within the organisation, but someone outside the office may also be difficult to reach in emergencies.
  2. Only the most trustworthy individuals should have administrative privileges.
  3. Determine how much information the administrator should be able to access: all computers, computer pass phrases, login pass phrases, PGP keys and pass phrases, etc.
  4. If you choose to keep copies of pass phrases and PGP private keys with another organisation, you must develop protocols for access.
  5. If an individual leaves the organisation, his or her individual pass phrases and access codes should be changed immediately.
  6. If someone with administrative privileges leaves the organisation, all pass phrases and access codes should be changed immediately.

Software administration

Using pirated software can leave an organisation vulnerable to what we call the “software police”. Officials can crack down on an organisation for using illegal software, imposing huge fines and effectively shutting them down. The organisation in question gets little sympathy or support from Western media because this is not seen as an attack on a human rights NGO, but as an attack on piracy. Be extremely careful about your software licenses and do not allow software to be randomly copied by anyone in the office. Pirated software may also be insecure because it can contain viruses. Always use an anti-virus utility whenever software is being installed.

An administrator should have control over new software being installed to ensure that it is checked first. Do not allow installation of potentially insecure software, and only install software that is necessary.

Install the most recent security patches for all software used, especially Microsoft Office, Microsoft Internet Explorer and Netscape. The biggest threat to security lies within software and hardware delivered with known vulnerabilities. Better yet, consider switching to Open Source software, which doesn’t rely on the “Security through Obscurity” model, but rather welcomes security experts and hackers alike to rigorously test all code. Using Open Source software and any software other than Microsoft has the added benefit of making you less vulnerable to standard viruses and non-specific hackers. Fewer viruses are created for Linux or Macintosh operating systems because most people use Windows. Outlook is the most popular email program, and therefore the most popular target for hackers.

Email habits

Email encryption should become a habit. It is easier to remember to encrypt everything than to have a policy of when email should be encrypted and when it should not. Remember, if email is always encrypted, no one watching your traffic will ever know when your communications become more significant and delicate.

A few other important points:

  • Always save encrypted email in encrypted form. You can always decrypt it again later, but if you store it decrypted and someone gains access to your computer, it is just as vulnerable as if it had never been encrypted.
  • Be persistent with everyone with whom you exchange encrypted emails to make sure they do not decrypt and forward emails, or reply without bothering to encrypt them. Individual laziness is the biggest threat to your communications.
  • You might wish to create a few safe email accounts for people in the field that are not generally used and so do not get picked up by spam servers. These addresses should be checked consistently but not used, except by field staff. This way you can destroy email addresses that are getting a lot of spam without endangering your contact base.

Copyleft 2006 PBI BEO | With the support of

Belgian Public Service Institut für Auslandsbeziehungen Auswärtiges Amt der Bundesrepublik Deutschland