Digital Security Policy – Tibet Action Institute


This policy covers the digital security best practices which must be observed, as well as detailed information on the digital security protocols which must be followed to maintain the confidentiality, integrity and functionality of the organization.

The guidelines in this policy must be followed at all times, including if you are using a Tibet Action device for personal use. 

Laptop/Desktop

  • Laptops must be password protected (see Password Policy) and full-disk encrypted using FileVault for Mac or BitLocker for Windows.
  • Contact the Digital Security Team (DST) before you install any unknown software, and do not download from unverified software stores without prior permission from the DST. If you need to install software on your laptop, confirm its security and availability with the DST first.
  • Full Disk Encryption only protects data while the laptop is shut down, so laptops must be shut down completely during travel, at the end of the working week, and whenever the laptop is not with its user.
  • The firewall on Mac and Windows must be turned on.
  • All Windows laptops must have GlassWire and all Mac laptops must have Little Snitch running to monitor the network on your laptop. Please contact your manager or the DST for the Little Snitch license.
  • All operating systems and software on laptops must be updated as soon as updates become available.
  • Sharing thumb drives/pen drives is not allowed on any Tibet Action device unless it is carried out by the DST. Using a pen drive for personal use is permissible if you use it only yourself and only with one device.
  • If your device is a Chromebook, it must be updated regularly. To check, go to Options, then More, then About Google Chrome.
  • When traveling, and especially at hotels, you must keep your laptop with you at all times.
  • If you are on Windows, you must turn on Microsoft Defender, the built-in anti-malware component that protects your device from malicious attacks.
  • When you are done with a Tibet Action laptop, you must run CCleaner, log out of all accounts and reset the settings to factory default.

Recommendation 

  • Use a webcam cover at all times. This is a precaution in case your device gets compromised.
  • Avoid sharing personal information on social media platforms, to limit how such information can be used in open-source intelligence (OSINT) gathering. If you handle any of our official social media accounts, set the privacy settings on your personal social media accounts to the highest level where possible.

Mobile Device

  • All mobile devices must be password protected with the passphrase option (at least 15 characters), not with a PIN or pattern.
  • All mobile devices must have Full Disk Encryption (FDE) turned on; check whether FDE is the default on your device and, if not, turn it on. FDE is turned on by default on Android (version 5.0 and above) and iOS (version 8 and above).
  • All mobile devices should have the locate and remote wipe functionality activated, using ‘Find My Apple’ for iPhone and ‘Device Manager’ for Android. [7] ‘Find My Apple’ and ‘Find My Device’ will not work unless you grant the device’s location permission.
  • Don’t connect your devices to free public Wi-Fi networks. If you must connect, use a VPN (Psiphon).
  • You are not allowed to download and install Chinese apps on your official devices. Installing apps from unknown sources (outside the official app stores) is not allowed unless the DST asks you to do so.
  • Update your devices’ apps and operating system whenever updates are available.
  • Always use ‘Zom’ as the main medium for communication within the Tibet Action team; Signal may be used only as a backup.
  • For video conferencing, use TibCERT Meet or set up a Signal group call for any conversation that involves Level 4 or 5 information. Google Meet can be used for conversations that don’t involve Level 4 information, although we recommend TibCERT Meet.
  • If you are required to run WeChat or other insecure apps for program work or testing purposes, you must not access your RAL/Tibet Action email, Google Drive, Zom, RAL’s Facebook account, or any other RAL/Tibet Action related account on that device. This also applies if you run WeChat or other insecure apps on your personal devices.
  • Don’t click on links received from unknown sources on any platform. If you receive any suspicious messages, you must report them to the DST for analysis.
    • Prior to installation, always check the app’s permissions, the developer’s details and its history with China. If you are unsure, don’t install it and check in with the DST.
    • Always refrain from clicking on links in your email, on mobile devices and in any messaging apps, especially when they come from unknown sources.

Recommendation 

  • It is advised to use VPN software on your device for an extra layer of protection; use Psiphon VPN.
  • It is advised to install only required software on the device. Less software means fewer vulnerabilities on the device.

Browser

  • We recommend using the Chrome browser for all your normal work, such as accessing your email, Facebook and other work-related websites, and Firefox for your other browsing.
  • Since Tibet Action is integrated into the Google ecosystem, use Chrome as your main official browser, and you must use the Password Alert plugin for Chrome to combat phishing attacks. [6]
  • If you install extensions on Firefox, choose the extensions recommended by Firefox, as these have been evaluated by the Firefox team and thus meet the highest standards of security.
  • You must enable Privacy Protection and install the NoScript Security Suite plugin for Firefox when browsing unknown and suspicious websites, Chinese government sites, and Tibetan websites including India-based Tibetan sites, which can contain malware that could compromise your device. [5]
  • You must also install the AdBlocker Ultimate, NoScript Security Suite and Privacy Badger add-ons for Chrome and Firefox to enhance your browsing security. [6]

Recommendation 

  • We suggest you clear browsing data once a month, including cookies, cache and browsing history. Routinely clearing your browsing history helps protect your data.
  • It is recommended to use Chrome, Firefox or Brave rather than Microsoft Edge or Safari. The latter two update only when you update your operating system, so your device stays vulnerable longer to new malware and zero-day attacks.
  • Enabling Privacy Protection on Firefox allows you to manage trackers on a site.
  • If possible, use separate browsers for personal and official use.

Email

  • All Tibet Action email accounts must have a strong and secure password of at least 15 characters consisting of letters, numbers and symbols. All Tibet Action email accounts must have 2-step verification turned on.
  • You are not allowed to give third-party apps access to your email account unless the DST advises it or you have already received permission from the DST. If required, inform the DST before granting access to a third-party app.
  • You are not allowed to log in to your Tibet Action email account on any device that does not follow the Tibet Action Digital Security Policy.
  • You are not allowed to open links or attachments sent from an unknown sender. Forward such emails to the DST with the full headers.
  • You must check the ‘Details’ option on your Gmail account once every week for any unknown IP address.
  • All staff must set up PGP on their Tibet Action email account to be able to send and receive end-to-end encrypted emails. Under the ‘Data Classification Level’ some emails require end-to-end encryption. [8] PGP has become a standard requirement among CSOs for sharing information, and as an organization working on digital security we must have PGP set up on official email.
  • When a contractor is provided with a Tibet Action email account, they are required to undergo a digital security onboarding process. All information shared with the contractor must be on a need-to-know basis.
  • You must apply the quick 30-second Internet detective method before acting on any unknown or suspicious email. Follow the link to see how to perform the 30-second Internet detective (training video).
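An added example (not from the policy page) of what the DST does with the full headers the rule above asks for: parse a forwarded ‘Show original’ message, list the Received hops oldest first, read the SPF/DKIM/DMARC verdicts Gmail records in Authentication-Results, and flag a visible From domain that differs from the Return-Path domain. SAMPLE is a constructed message using placeholder domains and a TEST-NET address.

```python
"""Triage of a forwarded 'Show original' Gmail header (added example)."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed headers in the shape Gmail's "Show original" produces; the
# domains and the 198.51.100.0/24 (TEST-NET-2) address are placeholders.
SAMPLE = """\
Delivered-To: staff@example.org
Received: by 2002:a05:6000:1 with SMTP id abc; Mon, 1 Jan 2024 10:00:05 +0000
Received: from mail.example.net (mail.example.net. [198.51.100.7])
        by mx.google.com with ESMTPS id xyz
        for <staff@example.org>; Mon, 1 Jan 2024 10:00:04 +0000
Authentication-Results: mx.google.com;
       dkim=fail header.i=@example.net;
       spf=softfail (google.com: domain of bounce@example.net) smtp.mailfrom=bounce@example.net;
       dmarc=fail (p=NONE) header.from=example.org
Return-Path: <bounce@example.net>
From: "IT Helpdesk" <helpdesk@example.org>
To: staff@example.org
Subject: Urgent: verify your account

Please sign in at the link below to keep your account active.
"""

_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM = re.compile(r"\bfrom\s+(\S+)")
_BY = re.compile(r"\bby\s+(\S+)")
_AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def received_chain(msg: Message) -> list[dict[str, str | None]]:
    """Received hops oldest first (each relay prepends, so reverse them)."""
    hops = []
    for raw in reversed(msg.get_all("Received") or []):
        line = " ".join(raw.split())  # unfold continuation lines
        hops.append({
            "from": (m.group(1) if (m := _FROM.search(line)) else None),
            "ip": (m.group(1) if (m := _IP.search(line)) else None),
            "by": (m.group(1) if (m := _BY.search(line)) else None),
        })
    return hops


def auth_results(msg: Message) -> dict[str, str]:
    """spf/dkim/dmarc verdicts from every Authentication-Results header."""
    joined = " ".join(msg.get_all("Authentication-Results") or [])
    return {mech: verdict.lower() for mech, verdict in _AUTH.findall(joined)}


def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Summarise one forwarded message for the DST analyst."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    hops = received_chain(msg)
    from_dom = _domain(msg.get("From", ""))
    rp_dom = _domain(msg.get("Return-Path", ""))
    # The first hop carrying a literal address is the earliest visible origin.
    origin = next((h["ip"] for h in hops if h["ip"]), None)
    findings = [f"{m} result is {auth.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    return {"from_domain": from_dom, "return_path_domain": rp_dom, "origin_ip": origin,
            "auth": auth, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print("-", finding)
```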

Recommendation 

  • Due to the relative insecurity of email clients, when sending emails always assume the content of your email could be shared publicly.
  • It is advised to run the Security Checkup on your email account to see any suspicious activities and alerts.

Password-Policy

  • All passwords must be longer than 15 characters and must contain both upper- and lower-case letters, along with at least one number and one symbol.
  • You are not allowed to use the same password for all your accounts; use a different password for each account.
  • Use a password manager like Bitwarden or KeePass to store or create your passwords. [9]
  • Sharing passwords for organizational accounts must only be done via Bitwarden and never via email or chat.

Data Classification Policy

Every piece of data or information created within the organization must be classified into one of the following categories. Data classified at Level 2 and above must not be shared with a new staff member or contractor until the DST has confirmed the cleanliness of that person’s device. Sharing of data classified as Level 4 must be approved by a Tibet Action Director. The classification of folders in the organization’s Google Drive is determined by the relevant Director. All staff setting up a new folder are responsible for designating a security level for the folder, and all staff and contractors are responsible for adding or creating documents in the designated folder, to avoid documents being saved or shared outside the RAL drive (i.e. saved only in the team member’s “My Drive” folder).

Level 5: Contains information that is highly sensitive and confidential, contains personally identifiable information (PII) of contacts or trainees inside Tibet, and can cause harm to individuals or the organization if it falls into the wrong hands. It must not be stored in the Rights Action Lab Google Drive. Sharing and storage of such content will be determined between the Director in charge of the project and the Director of Technology.

Level 4: Contains information that is confidential and could cause harm to the organization if it falls into the wrong hands, for example financial information or elements of organizational strategic plans. It is only shared on a need-to-know basis with select staff members. Classification of a document as Level 4 is defined by the Director in charge of the project and the Operations Director or Director of Technology.

Level 3: Contains information and documents which are meant only for Tibet Action staff and contractors working specifically on a project. May contain plans, strategies, funder information or other important information. ‘Level 3’ documents will only be shared amongst Tibet Action personnel and on an as-needed basis. Classification of a document as Level 3 is defined by the relevant Director.

Level 2: Contains files and information which are project based and shared amongst personnel involved in the project. Can be shared within Tibet Action staff if necessary, but should only be shared with contractors on a ‘need to know’ basis.

Level 1: Contains files and information that do not include sensitive information and can be shared with everyone in the Tibet Action Google Workspace Drive. Can be shared externally based on need; however, access must be revoked when no longer needed.

Level 0: Contains files and information which can be shared publicly, with contractors or on other public-facing sites.

The primary system Tibet Action Institute uses to store and organize data and information is Google Drive as part of G Suite. A Google Drive Tier Structure and access protocol outlines how the data classification policy is followed in terms of Google Drive access by Tibet Action staff and contractors. 

All data defined as Level 5 must be encrypted and can only be shared encrypted, unless another protocol is approved through discussion with the Director of Technology. Please refer to the appendix for the process. [8] [11]

  • All Level 5 information must be encrypted with VeraCrypt if you keep it on your device.
  • Use Tresorit to store sensitive information online for sharing.
  • To send or receive end-to-end encrypted emails you must use PGP with Thunderbird or Mailvelope as your email client, or use ‘Zom’ for messaging. The DST will provide backup services for PGP keys for interested members.

Each folder should be labeled per its classification in Google Drive. After labeling, check the folder for people who have access and check whether it is in compliance with “Data Classification Policy”.
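The sharing, storage and folder-access rules above, written as a policy-as-code check. This is an added example, not the organization’s own tooling; the Recipient fields (device cleared by the DST, on the project, need to know), the storage labels and the sample folder membership are assumptions made to turn the written rules into something that can be checked mechanically.

```python
"""Policy-as-code for the Tibet Action data classification levels (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0        # Level 0: shareable publicly and with contractors
    WORKSPACE = 1     # Level 1: everyone in the Tibet Action Google Workspace Drive
    PROJECT = 2       # Level 2: project based; contractors only on need to know
    STAFF = 3         # Level 3: staff and contractors on the project, as needed
    CONFIDENTIAL = 4  # Level 4: select staff, need to know, Director approval
    RESTRICTED = 5    # Level 5: PII of contacts inside Tibet; never in Google Drive


@dataclass(frozen=True)
class Recipient:
    name: str
    kind: str                     # "staff", "contractor", "external" or "public"
    device_cleared: bool = False  # DST has confirmed this person's device is clean
    on_project: bool = False      # works on the project the data belongs to
    need_to_know: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    director_approval: bool = False  # Level 4: a Tibet Action Director must approve
    encrypted_only: bool = False     # Level 5: VeraCrypt/PGP only, never plaintext


def can_share(level: Level, to: Recipient) -> Decision:
    """Apply the written sharing rules to one document and one recipient."""
    internal = to.kind in ("staff", "contractor")
    # Level 2 and above: nothing goes to a new staff member or contractor
    # until the DST has confirmed that their device is clean.
    if level >= Level.PROJECT and internal and not to.device_cleared:
        return Decision(False, "DST must confirm the recipient's device is clean first")
    if level == Level.PUBLIC:
        return Decision(True, "Level 0 may be shared publicly")
    if level == Level.WORKSPACE:
        if internal:
            return Decision(True, "Level 1 is shared with the whole Workspace")
        if to.kind == "external" and to.need_to_know:
            return Decision(True, "Level 1 may go external on need; revoke access afterwards")
        return Decision(False, "Level 1 is not public")
    if not internal:
        return Decision(False, f"Level {int(level)} never leaves Tibet Action")
    if level == Level.PROJECT:
        if to.kind == "staff":
            return Decision(True, "Level 2 may be shared with staff if necessary")
        return Decision(to.need_to_know, "Level 2 goes to contractors only on a need-to-know basis")
    if level == Level.STAFF:
        ok = to.on_project and to.need_to_know
        return Decision(ok, "Level 3 only for personnel on the project, as needed")
    if level == Level.CONFIDENTIAL:
        ok = to.kind == "staff" and to.need_to_know
        return Decision(ok, "Level 4 is need-to-know for select staff", director_approval=ok)
    ok = to.kind == "staff" and to.need_to_know  # Level 5
    return Decision(ok, "Level 5 is shared only encrypted, as agreed by the Directors",
                    encrypted_only=ok)


def allowed_storage(level: Level) -> tuple[str, ...]:
    """Where a document of this level may be kept (labels are assumptions)."""
    if level == Level.RESTRICTED:
        # Never in the Rights Action Lab Google Drive: a VeraCrypt volume on
        # the device, or Tresorit when it has to be shared online.
        return ("VeraCrypt volume on device", "Tresorit")
    return ("Google Drive",)


def audit_folder(level: Level, members: list[Recipient]) -> list[str]:
    """Names on a labelled Drive folder who should not have access to it."""
    return [m.name for m in members if not can_share(level, m).allowed]


if __name__ == "__main__":
    # Constructed membership of a Level 3 project folder.
    folder = [
        Recipient("Dolma", "staff", device_cleared=True, on_project=True, need_to_know=True),
        Recipient("Tenzin", "contractor", device_cleared=True),  # not on this project
        Recipient("press-list", "external"),
    ]
    print("remove access for:", audit_folder(Level.STAFF, folder))
```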

Secure Deletion Policy

This policy applies to any type of electronic media file that requires secure deletion. When a file is deleted from your computer using the usual deletion procedure, only a small piece of information that points to the location of the file is erased. The actual file remains on the system’s hard drive, where it can be retrieved with common data recovery software. The following rules must be followed when data classified at Level 4 or above needs to be deleted, or when discarding an electronic device.

  • To securely delete data on a Windows system, or when discarding a Windows laptop, you are required to delete data/files with Eraser. Eraser securely overwrites the data and makes it very difficult for data recovery software to recover deleted files.
  • To securely delete data on a MacBook, or when discarding a MacBook, you are required to delete data/files using the ‘Secure Empty Trash’ option or the secure erase options in ‘Disk Utility’. Following this step ensures your deleted files are unrecoverable with data recovery software.
  • To securely delete data on newer Android or Apple devices, or when discarding your phone, you are required to reset the phone. This ensures that your information is not recoverable, as the built-in encryption on Android and iOS should make your deleted data unrecoverable.
  • To securely delete data on older Android devices (version 5 or older) and Apple devices (iPhone 7 or older), or when discarding such a phone, you are required to reset your device, fill the mobile storage with insignificant files like movies or videos, and repeat these steps at least three times.
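As an added illustration of why the usual delete is not enough (this is not the page’s own tooling, nor Eraser itself), one file is overwritten in place several times before it is unlinked, with the storage caveats a practitioner needs stated in the docstring. The file name and contents in sample_run() are constructed.

```python
"""Overwrite-then-unlink secure deletion for a single file (added example)."""
from __future__ import annotations

import os
import secrets
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files do not load into memory


def secure_delete(path: str | os.PathLike, passes: int = 3) -> int:
    """Overwrite the file's bytes `passes` times, rename it, then unlink it.

    Returns the number of bytes overwritten per pass. Limits (properties of
    the storage, not claims from the policy): SSDs remap blocks on write, and
    copy-on-write, snapshotting or cloud-synced file systems keep old copies,
    so there full-disk encryption plus a device reset is what actually makes
    the data unrecoverable, as the policy already requires for phones.
    """
    p = Path(path)
    if p.is_symlink() or not p.is_file():
        raise ValueError(f"{p} is not a regular file")
    size = p.stat().st_size
    with open(p, "r+b") as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                block = min(CHUNK, remaining)
                # Random data on every pass but the last; zeros on the last so
                # the freed blocks look like any other unused region.
                fh.write(b"\0" * block if n == passes - 1 else secrets.token_bytes(block))
                remaining -= block
            fh.flush()
            os.fsync(fh.fileno())  # push each pass through the cache to the disk
    # The directory entry holds the file name; rename to a random name before
    # unlinking so the original name is not left behind either.
    scrubbed = p.with_name(secrets.token_hex(8))
    p.rename(scrubbed)
    scrubbed.unlink()
    return size


def sample_run() -> tuple[int, bool]:
    """Create a constructed Level 4 file in a temp dir, wipe it, report the result."""
    directory = tempfile.mkdtemp()
    target = os.path.join(directory, "grant-budget-2024.xlsx")  # constructed name
    with open(target, "wb") as fh:
        fh.write(b"CONFIDENTIAL budget line " * 40_000)  # 25 bytes x 40,000 = 1,000,000
    wiped = secure_delete(target)
    return wiped, os.path.exists(target)


if __name__ == "__main__":
    print(sample_run())
```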

Secure Equipment Disposal

This policy is concerned with managing the secure disposal of equipment owned by the organization that is no longer required. Such IT equipment includes laptops, mobile phones, servers and digital storage devices that are able to store the organization’s information and sensitive data. The following steps should be taken to execute and ensure the secure equipment disposal process:

  • Equipment which is no longer needed or has reached its end of life and holds sensitive data must be securely erased. Follow the Secure Deletion Policy.
  • Inform the Operations Department and the DST once you have completed the process.

Accounts

  • 2-step verification must be turned on for all accounts where it is available, and the Google Authenticator app must be used for it (do not use SMS text messages or phone calls to receive the OTP).
  • Administrator privileges for Tibet Action accounts must be restricted on an as-needed basis and removed when no longer required.
  • If you manage any official social media account, you must enable two-factor authentication on that account (e.g. Facebook, Instagram, Twitter).
  • A separate document recording who has access to which accounts (websites, hosting, Facebook, Twitter, etc.) must be maintained by the Operations Director. Once a person’s access is revoked, the password must be changed immediately.
  • All Tibet Action staff must have PGP set up and their key verified with the team. [8]
  • For any information relating to Level 5 data, or Level 5 data itself, shared over email, use of PGP is mandatory.

Communication

  • Communication methods used between staff and contractors will depend on the classification of the data.
  • All types of communication must be done through either Zom or TibCERT Meet.
  • For all mobile communication, use Signal instead of a normal phone call.

Incident Response

  1. Your system must contain the following software, depending on your OS:
     • Wireshark (Mac and Windows): a tool for achieving high-level awareness of the network traffic on your system, since most malware and cyberattacks use the network.
     • Sysinternals tools (for Windows; installation is not required): a collection of tools used to scan Windows systems for malware.
     • Objective-See tools (for Mac; installation is not required): a collection of tools used to scan Mac systems for malware.
     • TeamViewer (Mac and Windows): a remote access and support tool.
  2. To conduct an incident response you must send your Wireshark packet capture file via Gmail to thayai[@]tibetaction.net. More on Wireshark packet capture.
  3. The DST has to respond within 24 hours with the Wireshark analysis result. If a system is found to be compromised, the DST will take appropriate steps to remove the threat from the system.
  4. You must check daily for any unknown behaviour in the network monitor software (GlassWire or Little Snitch). Training on this will be provided by the DST. [3][4]
  5. In the case of an incident, when you see suspicious activity or think your device or account is compromised, contact the DST immediately and take the device off the network by disconnecting from the Wi-Fi or removing the ethernet cable, unless the DST suggests another option.
  6. The DST will ask you to perform the following steps:
     • The DST reserves the right to take remote access to your device using remote access tools like TeamViewer.
     • Depending on the computer’s operating system, you may have to install Wireshark, Sysinternals and Objective-See tools. Follow the instructions in the Laptop policy.
     • In case your device gets compromised, the DST reserves the right to ask the individual to go through digital security policy training and to verify that the team member is complying with the policy.

How will you know if your device or account is compromised? See ‘How to tell if your computer might be compromised’ below.

All applications should use the 2-factor authentication feature if available.

Trello

  • 2-step verification must be turned on.
  • When a Trello board for a particular project is completed, the project manager must close and delete the board.
  • If a list/card is no longer needed, archive it and then delete it from the archive.
  • Note: archiving a card does not delete the card.

Bitwarden

  • 2-step verification must be enabled.
  • Automatic logout must be enabled, with the timeout set to 8 hours.

Tresorit

  • 2-step verification must be enabled.

TibCERT Meet

  • Tibet Action uses TibCERT Meet and Jitsi Meet for its team calls and meetings.

Contractors

  • A new Short Term Contractor will be assigned a classification based on the Data Classification Policy.
  • A Short Term Contractor who is given access to Level 3 and above data must be given a Tibet Action email account and, as per the contract, must follow a specified onboarding process.
  • Short Term Contractors who are not given access to restricted data need not maintain a Tibet Action email account, but must maintain a minimum level of security as deemed necessary by the DST as part of the onboarding process.
  • The DST reserves the right to conduct random digital security check-ins with CRC and short term contractors.

DST: This policy is maintained by the DST, which is currently based in India. The team can be reached at lobsang(@)tibetaction.net and thayai(@)tibetaction.net; in case of emergencies, please contact Lobsang at +919882407365 / @lobsang:nang.zom.im or Thayai at +918091239435 / @thayai:nang.zom.im.

Additional parts of the policy are maintained by the Senior System Admin and the Digital Security Program Manager:

  • Website Policy, maintained by the Web Admin: A separate Website Policy is maintained by the Senior Sys-Admin. For new websites or sites, please contact Dawa Paljor at Email: dawapaljor(@)tibetaction.net, Zom: paljordawa:nang.zom.im.
  • Data Backup Policy, maintained by the Operations Director: All Tibet Action Google Drive data must be backed up offline as well as online. Tibet Action Institute follows an iterative backup policy: data is backed up from our online account every month, for a 6-month rolling backup. The backup is maintained by the Operations Director as per data access. [6]
  • Onboarding policy and process: The onboarding process and policy is a working document maintained by the DST and the Operations Team.
  • Offboarding policy and process: The offboarding process and policy is a working document maintained by the DST and the Operations Team.
Appendix

  1. Full Disk Encryption: Full Disk Encryption (FDE) is a storage encryption technology that secures a desktop or laptop computer by encrypting all the data at rest on its hard drive. This includes end-user files and application settings, as well as application and operating system (OS) executables. Attackers often access files by removing the hard disk from the computer and reading them directly; FDE prevents such attackers from accessing your data. Use FileVault for Mac {https://support.apple.com/en-us/HT204837} and BitLocker {https://www.windowscentral.com/how-use-bitlocker-encryption-windows-10} for Windows.
  2. Firewall: The firewall must be turned on, as it is generally turned off by default. For macOS, refer to this guide {https://support.apple.com/en-in/HT201642} and for Windows {https://www.computerhope.com/issues/ch000551.htm}.
  3. GlassWire: GlassWire is a free network monitor and security tool for Windows with a built-in firewall. You can download it here: https://www.glasswire.com/ A guide on how to use GlassWire: https://www.youtube.com/watch?v=EQ5qzg4xZiQ
  4. Little Snitch: Little Snitch is an application firewall for Mac. A guide for using Little Snitch and setting it up: https://www.obdev.at/ftp/pub/Products/LittleSnitch/LittleSnitch-Documentation-1.1.pdf. For licenses, please contact the DST.
  5. NoScript: NoScript for Firefox preemptively blocks malicious scripts and, by default, all scripts from all websites, which can make sites not work properly; follow the link below on how to manage NoScript in your browser. You can set it up to allow JavaScript and Java from sites you trust, such as Gmail, Facebook, Twitter and others. It is only available for Firefox. Install from here: {https://addons.mozilla.org/en-US/firefox/addon/noscript/}. How to manage the NoScript extension: https://proprivacy.com/adblocker/guides/noscript-extension-gain-privacy-security
  6. Browser Plugins: You can find and install the following extensions by opening your browser’s store (Chrome Web Store, Firefox Add-ons) and typing the extension name in the search bar.

AdBlocker Ultimate is used for content filtering, namely ad blocking; this plugin blocks most ads on websites. You can install it from here: {AdBlocker Ultimate}

Privacy Badger is a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser. {https://www.eff.org/privacybadger}

Password Alert is a plugin by Google which detects phishing attacks, a common form of attack in the Tibetan community. Phishing attacks try to get you to input your password on a fake website which looks real. This plugin will send an alert if a website tries to masquerade as Google. {https://chrome.google.com/webstore/detail/password-alert/noondiphcddnnabmjcihcjfbhfklnnep?hl=en}

  7. Remote Device Wipe: A process by which a device can be wiped remotely if it is lost or stolen. This requires you to set up Find My Phone on your phone. For an iPhone, read the following guide: https://support.apple.com/en-us/HT205362. If the device is lost, you can find it using: https://support.apple.com/kb/ph2701?locale=en_US

For Android, Find My Device is turned on by default. If an Android device is lost, you can erase, lock or find it. For information on how to enable these functions, refer to: https://support.google.com/accounts/answer/6160491

  8. PGP: The Pretty Good Privacy (PGP) encryption program provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting and decrypting texts, e-mails, files, directories and whole disk partitions, and to increase the security of e-mail communications. Setting up PGP in a browser using Mailvelope is the simplest way to start encrypting and decrypting emails: https://www.mailvelope.com/en/help. For more information about PGP, please read https://ssd.eff.org/en/module/introduction-public-key-cryptography-and-pgp

Set up PGP for Windows: https://ssd.eff.org/en/module/how-use-pgp-windows

Set up PGP for Mac: https://ssd.eff.org/en/module/how-use-pgp-mac-os-x

  9. Password Manager: An encrypted container for managing multiple passwords. You can choose the browser-based password manager Bitwarden {https://bitwarden.com} or the local password manager KeePassX {https://www.keepassx.org/}. Important note: if you forget the master password, it might be impossible to recover any of the passwords.
  10. Google Drive Data Backup: This monthly backup will be maintained by the Operations Director, as that person has and needs access to all the data apart from Top Secret and is therefore the ideal person to maintain this backup.
  11. File and Folder Encryption: To encrypt Top Secret folders/files, use VeraCrypt to create an encrypted folder. This encrypted folder can then be shared with others online; the password for the encrypted folder must be shared via Bitwarden.
  12. VeraCrypt: VeraCrypt is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, or encrypt a partition or the entire storage device with pre-boot authentication. https://www.veracrypt.fr/en/Downloads.html
  13. Tresorit: Tresorit is a cloud storage system where you can store your files encrypted. Tresorit lets you control your file sharing, and files are shared using end-to-end encryption. It also follows zero-knowledge encryption protocols. https://tresorit.com/
  14. Recommended Extensions: When you see the ‘Recommended’ trophy badge on a Firefox extension, it means that the Firefox team has reviewed the extension’s code and it is secure.
  15. How to send email headers: Please follow the steps below.
    1. Open the email that you want to report to the DST.
    2. Next to Reply, click More, then Show original.
    3. Copy the text on the page.
    4. Back in the email, next to Reply, click More, then Forward.
    5. In the email body, paste the full email header that you copied.
    6. Send it to submit(@)tibetaction.net
  16. Security Checkup: This allows you to add account recovery options, set up 2-step verification for extra account security and check your account permissions. Follow the instructions below.
    1. In your email, click your profile icon in the top right corner.
    2. Click ‘Manage your Google Account’.
    3. Then click the ‘Secure account’ box.
    4. Make sure all items in the list are green.
  17. Bitwarden: Bitwarden is open-source password manager software which offers both cloud and local data hosting options. It uses 256-bit AES encryption to secure our passwords. You can set up 2FA (two-factor authentication) to access the password vault. Bitwarden can be used for both personal and organizational use.

https://docs.google.com/document/d/1N8JTlyFti1Br-W8YOq3aINh944Xjxcn2jhwo0OPZFuU/edit

  18. Eraser: Eraser is secure deletion software for Windows which securely deletes sensitive information by overwriting it multiple times, based on the erasure method you choose. Learn more on the Eraser software.

How to tell if your computer might be compromised

Here are some signs which indicate that your computer may be compromised:

  • Your computer starts running slower than usual.
  • Your computer’s fan runs at full speed.
  • The battery drains faster than usual.
  • Your webcam’s LED blinks even when the webcam is not in use.
  • You start seeing more pop-up ads.
  • Your browser’s homepage has changed.
  • You see programs that you haven’t installed.
  • You see more traffic in GlassWire or unusual traffic requests in Little Snitch.

Contact thayai(@)tibetaction.net