U.S. Digital Response Team Volunteer Security Protocol

Updated: June 25, 2020

1. About Us

U.S. Digital Response (USDR) helps governments and other stakeholders meet the challenges of the COVID-19 crisis by strengthening decision-making and supporting their ability to effectively deliver critical services to the public at scale. The U.S. Digital Response (USDR) website details our efforts, mission and values.

2. Overview: U.S. Digital Response Security Protocol

Right now, federal, state, and local government organizations need volunteers who can fill a variety of roles. We recognize that the skills our community possesses (technology, data analytics, and online support, among others) are needed in supporting roles in response to this crisis. As a USDR Team volunteer, you may have access to sensitive data, including personal information, proprietary information, or other critical records, and you may have access to critical IT systems. You promise to understand, agree to, and follow this USDR Team Volunteer Security Protocol, which memorializes some key best practices for data security and ensures that USDR volunteers take appropriate steps to safely and securely use data provided by federal, state, and local governments or other relevant third parties. We understand and appreciate that many USDR Team volunteers have strong backgrounds in technology and data security. In addition to this Security Protocol, use your good judgment, experience and background to keep security a priority.

This Security Protocol refers to “systems” and “devices,” which include desktops, computers, laptops, mobile phones, or tablets that you may use in your USDR Team volunteer work. However, to the extent that you are provided access to a government partner’s IT resources, you may be required to comply with that entity’s security policies. To the extent there is any conflict between a security requirement from a government partner and this Security Protocol, volunteers should use the more secure process and ensure compliance with the requirements of our government partner.

3. Definitions

A. Personal Information. Any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The California legislature has a list of the types of data that can constitute Personal Information. If you have any questions about whether data might be Personal Information, please reach out on the #questions-privacy Slack channel or email security@usdigitalresponse.org.

B. Non-public Data. Data provided to or hosted by USDR that contains any information supplied to USDR by a government partner, non-profit organization or related entity not intended for dissemination beyond intended recipients.

4. Obligations of the Security Protocol

As a USDR Team volunteer, I promise to abide by the following protocol and to take additional security measures in order to ensure the safety and security of the USDR Team and the data used in our work together:

A. Respect for Personal Information and Non-public Data. It is USDR's policy to foster a culture of respect for client and user privacy and to prevent Personal Information or Non-public Data from being compromised. Volunteers are further requested to abide by and respect the security and privacy guidelines of the government partner, non-profit organization or related entity they are engaged with.

If you have any questions about guidelines and policies as they relate to the access, handling and notification of Personal Information and Non-public Data, please contact the USDR Security Team at security@usdigitalresponse.org.

B. Notification of Personal Information and Non-public Data, and Data Security Incident Reporting. Any project or engagement which intends to collect or store Personal Information or Non-public Data must notify the USDR Security Team at security@usdigitalresponse.org or on the #security Slack channel with information on what is being collected and the safeguards being implemented.

If you suspect a data security incident impacting Personal Information or Non-public Data related to any project or engagement, notify the USDR Security Team immediately at security@usdigitalresponse.org with the subject header “security incident.” USDR’s Security Team will take steps to investigate, document, report and work to contain and mitigate all incidents, including suspected or known violations of privacy and security, in a timely manner and in partnership with any impacted government partner as may be appropriate given the specifics of any particular incident.

C. Access to Personal Information and Non-public Data. Do not store Personal Information or Non-public Data on personal accounts that the USDR Security Team does not have access to. Do not share access to Personal Information or Non-public Data contained within USDR databases with external parties without the approval of USDR’s Security Team.

If your engagement with USDR is terminated, you must let the USDR Security Team know if you retain any access to Personal Information or Non-public Data through personal accounts.

D. Handling of Personal Information and Non-public Data. Whenever possible, the e-mailing of Personal Information or Non-public Data should be avoided. Personal Information and Non-public Data should not be stored on removable media.

Please refer to USDR's Data, Security and Software Guidelines document for further information on how to build software systems that handle Personal Information or Non-public Data. If in any doubt about policies, please consult the USDR Security Team at security@usdigitalresponse.org or on the #security Slack channel.

E. Choose Strong Passwords. Please use a password manager to securely generate and store passwords. If you need help setting one up, reach out to the USDR Tools Team.

F. Securely Working with Data in a Remote Environment. Please take steps to protect devices and documents containing personal data from unauthorized access (e.g., if possible, store devices or documents in locked drawers and lock doors to work spaces).

a. Please lock the screen of devices before leaving them unattended. In addition to the importance of social distancing, for security reasons please avoid working in co-working or shared spaces.

b. While most of our work is likely to occur in secure cloud environments, where you are permitted or required to work locally, keep track of hardware (e.g., USB sticks) and documents.

c. Protect the confidentiality of your projects, and take care not to disclose information about your projects to any unauthorized parties. Please ensure that you take confidential calls in closed rooms without unauthorized individuals being present.

d. Take care when using video, mobile or web chat services for conversations in which you discuss confidential information, and consider suggesting a more secure means of communication when in doubt. Try to stay up to date on the latest industry guidance regarding privacy and security recommendations related to video conferencing and the steps that you can take to guard yourself and the USDR Team members from attackers.

G. Keep Software, Including Web Browsers, Up to Date: As many of you will be working on your own personal devices, please ensure that you install software updates so that known problems or vulnerabilities are patched. Many operating systems offer automatic updates. Enable this option if available. You are responsible for the security of the devices you use for USDR Team volunteer work. If you use anti-virus software please be sure to regularly scan your devices.

H. Use Two-Factor Authentication. Where appropriate and possible, please enable two-factor authentication on any device, system or program that you use for your USDR Team volunteer work.

I. Encryption Tools. Check if you have encryption tools installed. When transferring sensitive data to other USDR Team members or to external government Partners, please password protect and encrypt any file prior to transfer, or use a secure file transfer protocol. If appropriate, consider recommending a more secure data transfer alternative and security measure (e.g., passwords, encryption) to the USDR team or partner. Do not transfer sensitive personal information across public networks in an unencrypted manner.

J. Sharing Credentials and Secrets. If you need to share credentials to on-board volunteers or to operate shared accounts, only use tools approved by the USDR Tools Team. Do not share credentials by email, Slack, or any other means.

K. Secure Connection. Ensure your Wi-Fi connection is secure. Please do not use public Wi-Fi, and only use known Wi-Fi networks protected with WPA2 or equivalent encryption. While most Wi-Fi is correctly secured, some older installations might not be, which means people in the near vicinity can intercept your traffic. If available, use an encrypted VPN to connect to any server.

L. Inventory Data. Data developed during projects for our government partners belongs to the partner and must be returned or securely destroyed at the end of the Project. Accordingly, please keep track of the data that you use, collect and store related to your USDR Team volunteer work. Consider when additional security measures (e.g., passwords, encryption) may be appropriate for sensitive data at rest that you maintain while working on the project and follow all guidance in the USDR Data and Software Guidelines.

M. Spot Signs of, and Avoid Clicking on, Suspicious Emails and Messages. Do not click on links in unsolicited or otherwise suspicious emails. Be wary of email attachments, do not reveal personal or financial information or account passwords in emails, and do not respond to email solicitations for this information.

N. Be Wary of Third-Party Applications. Although third-party applications may provide functionality, please use caution when deciding which applications to enable. Please avoid applications that seem suspicious, and modify your settings to limit the amount of information the applications can access.

O. Back-Up Strategy. Please ensure that you are regularly and securely backing up your files in order to prevent data loss.

P. Disposal of Data. Please properly dispose of what you no longer need. Please do not retain files, including those with sensitive data, unless necessary for your work as a USDR volunteer. At the conclusion of the project, ask your government partner whether they prefer you securely destroy or return the project data.

5. Enforcement

The USDR team reserves the right to ask anyone in violation of USDR policies, including this Security Protocol, not to participate in USDR projects, events, and digital forums. If asked to leave a project or forum, you are expected to fully transition any information to a member of the USDR core team prior to termination and to exit any external conversations with grace, humility, and professionalism.

6. Questions?