Organizational Self-Assessment

These questions should help you build a better understanding of how your organization approaches security already. They also make a good starting point for a best practices list.

How to use the information you collect

  • Tailor your recommendations for best practices (especially as they relate to newsroom-wide policies or changes to infrastructure). In many news organizations, you’ll find that the IT side and the newsroom side aren’t communicating with each other on these topics. This training and these conversations are a great way to help an organization get started.
  • Help select lessons and training modules to use from this curriculum.
  • Share a summary of your findings with the key stakeholders (both on the IT side and the newsroom leadership) so they can create benchmarks and track progress over time.

Questions for IT

As a general rule, you want to work with, not against, internal IT policies. So if the newsroom enforces password updates every six months, that’s cool.

  • Do staff use company-issued mobile phones?
    • Do you have remote wipe access on staff phones?
    • Do you distribute recommendations or requirements for mobile phone security? (Ask for a copy!)
  • How do you manage newsroom laptop and desktop computers?
    • Do you enforce software and operating system updates?
  • Do you provide remote access to your internal network? If so, how?
  • Is device storage encrypted by default on internally provided computers? If not, are there policies or technical issues preventing this?
  • How often do employees have to update their passwords? And how complicated are your password requirements?
    • Do you have a preferred password manager?
    • Do you require multi-factor authentication for email, CMS, and/or server access?
    • Do you use single sign-on (SSO) for unified login to externally-hosted services?
  • Do you have a data-retention policy for when an employee leaves the company?
  • Do you have a corporate policy with respect to use of cloud services? Are any explicitly encouraged? Forbidden?
  • How often do you review third-party tools and their terms of service (TOS) for security (e.g., Slack message deletion, multi-factor authentication, data retention, etc. in contracts)?
  • Where is your server infrastructure? On-site, in a data center, cloud?
  • Do you have an incident response plan in place in the event of a DDoS attack or an email system hack?
    • Have you communicated that plan to newsroom management?
    • Does that plan include post-mortem review?

Questions for newsroom leadership

  • Do you use collaborative document editing and storage services (e.g., Google Drive, Dropbox, Trello, Evernote)?
    • Do you have a policy about whether or not to store “sensitive” information in these services?
  • Do you discuss information security as a newsroom?
  • Does your newsroom currently have recommendations for secure communications (e.g., ProtonMail, Signal)?
  • Are there reporters or teams that require a higher degree of security when dealing with sources than others?
  • BEST PRACTICE: Does the newsroom regularly meet with someone from the technology team about infrastructure maintenance (password maintenance, shared accounts, where to store sensitive information, which collaborative document storage service the company prefers, and reviewing the incident response plan for high-level sitewide issues)?
  • Are there legal issues or concerns with the implementation of a set of defined security best practices?
  • Do you have recommendations or policies for secure communications with freelancers (e.g., sourcing, payments, Social Security numbers for the finance team)?
  • Do your newsroom and technology team have a workflow for incident response (hacking, doxxing, etc.)?
  • What are your policies with regard to anonymous sourcing, and have those policies been updated to include technological concerns?

Questions for reporters and editors

  • What tools and techniques have you already tried?
  • What have you been meaning to try? And what has stopped you?
  • Are there tools or techniques you’d like to use but can’t because of internal editorial policies or internal IT policies?
  • Have specific incidents prompted you to seek out additional tools and/or training?