Security plan
jenmei edited this page Jun 25, 2011
Here's the draft security plan that we talked about at our retro on June 24, 2011. Next steps are to figure out dates and assignments for getting this done (as well as filling in any missing items).
- Remember to shred all printouts that contain sensitive information.
- Come up with a way to ensure the physical security of any documents, drives, etc. that are kept in the office.
- Replace Dropbox with something that provides client-side encryption. An article about the Dropbox security fiasco over the weekend mentions that http://www.wuala.com/ and https://spideroak.com/ provide services similar to Dropbox but with client-side encryption, so the provider never holds the keys to our files. The flip side is that a lost passphrase means lost data, so passphrase backup/recovery has to be part of the plan.
- Move all wikis to GitHub. They will be viewable by everyone who has access to the GitHub project associated with each wiki, and by GitHub itself, but that is still better than what we have now. Generally we trust GitHub, but anything really sensitive (credentials, for example) should be stored some other way.
- Use full-disk encryption on all computers. Jen-Mei is using PGP Whole Disk Encryption, which seems to be one of the better software options; the cost is some CPU and disk throughput. Lee said that Lion (OS X 10.7) will have full-disk encryption built in (FileVault 2), which might be an option, assuming the issues with the various Rubies and the other development software are worked out by the time Lion is released. Some tasks:
- Benchmark disk performance on both an HDD and an SSD, with and without encryption. Maybe test Lion, Ubuntu (dm-crypt/LUKS), and PGP.
- Look into hardware encryption options (e.g. self-encrypting drives).
- Use safe passwords.
- Password managers like 1Password are recommended, with a unique, complex password for each site. We should probably check the available options. Both KeePassX and LastPass are cross-platform (including Linux and Windows); the former is free and the latter won PC Magazine's Editors' Choice over 1Password and others.
- We should look at options for saved passwords on dedicated pairing stations. Someone should check in with Pivotal to see how they handle that. Also, it looks like LastPass has a feature that allows you to share information. I (Jen-Mei) am going to try out LastPass and report back.
- Master passwords (the ones a password manager can't type for you: the manager's own master password, login passwords, disk-encryption passphrases) should be quite strong. Sentence-like passphrases give plenty of entropy and are easy to memorize.
- Use GnuPG or a similar system for encrypting sensitive e-mails. Keep in mind that PGP encrypts the body and attachments but not the Subject line or other headers, so keep sensitive details out of the subject.
- Carefully manage SSH keys: protect every private key with a passphrase, issue one key per person and machine (no shared keys), and remove keys from authorized_keys as soon as the person or machine no longer needs access.
- When using chat, use clients and protocols that encrypt the conversation (e.g. OTR over Jabber/XMPP) rather than plaintext IM.
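To put numbers behind the "sentence-like passphrases" item above, here is an added example (not part of the original plan) that generates a Diceware-style passphrase from the OS CSPRNG and computes how much entropy a given list size and word count give. The 16-word `DEMO_WORDS` list is constructed for the demo; a real Diceware list has 7776 words, and it is the list size, not the words themselves, that sets the entropy.

```python
import math
import secrets

# Constructed 16-word demo list (4 bits per word). A real Diceware list has 7776 words,
# about 12.9 bits per word; the size of the list, not the words, sets the entropy.
DEMO_WORDS = [
    "apple", "ballast", "canyon", "dune", "ember", "fjord", "granite", "harbor",
    "island", "jungle", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def picks_needed(alphabet_size: int, target_bits: float) -> int:
    """Fewest uniform picks from `alphabet_size` symbols that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_passphrase(words, target_bits: float = 80.0, sep: str = " ") -> str:
    """Diceware-style passphrase with at least `target_bits` of entropy.
    Words are drawn with the secrets module (OS CSPRNG); the random module is not suitable."""
    count = picks_needed(len(words), target_bits)
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy(passphrase: str, words, sep: str = " ") -> float:
    """Entropy the generator put into `passphrase`. Only valid for machine-generated
    phrases: a sentence a person made up is far weaker than its word count suggests."""
    parts = passphrase.split(sep)
    if any(p not in words for p in parts):
        raise ValueError("word not from the list; the uniform-pick estimate does not apply")
    return entropy_bits(len(words), len(parts))


# The comparison behind the recommendation, in bits of entropy.
COMPARISON = {
    "8 chars from 94 printable ASCII": entropy_bits(94, 8),    # ~52 bits
    "6 Diceware words (7776 list)": entropy_bits(7776, 6),     # ~78 bits
    "7 Diceware words (7776 list)": entropy_bits(7776, 7),     # ~90 bits
}

if __name__ == "__main__":
    for label, bits in COMPARISON.items():
        print(f"{label}: {bits:.1f} bits")
    phrase = generate_passphrase(DEMO_WORDS)
    print(phrase, f"({passphrase_entropy(phrase, DEMO_WORDS):.0f} bits from the 16-word demo list)")
```

The entropy figure only counts randomness the generator put in. A memorable sentence that a person invents is not a uniform draw from a word list, so its real strength is much lower than the word count suggests; generate the phrase, then memorize it.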
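For the "carefully manage SSH keys" item, one concrete check is auditing the `authorized_keys` files on our servers for keys that should not be there. The following is an added example, not code from the original plan: it parses the OpenSSH public-key wire format (RFC 4251 strings and mpints) to read the RSA modulus size, and flags short RSA keys, DSA keys, keys with no owner comment, and duplicate keys. `SAMPLE_AUTHORIZED_KEYS` is constructed for the demo; its moduli are not real RSA keys (not products of primes), they merely have the right bit length so the format parses.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian two's complement, wrapped as an ssh string."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # high bit set: prepend 0x00 so the value stays positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    """Read one ssh string at `off`; returns (bytes, new offset)."""
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated ssh string")
    return blob[off:off + length], off + length


def encode_public_key(keytype: str, *ints: int) -> str:
    """Build a one-line public key ('<type> <base64 blob>') from its integer fields."""
    blob = _ssh_string(keytype.encode()) + b"".join(_ssh_mpint(i) for i in ints)
    return keytype + " " + base64.b64encode(blob).decode()


def rsa_modulus_bits(blob: bytes) -> int:
    """Bit length of n in an ssh-rsa blob (fields: 'ssh-rsa', e, n)."""
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def audit_authorized_keys(text: str, min_rsa_bits: int = 2048) -> list:
    """Flag weak or poorly labelled keys. Returns [(line_no, keytype, comment, [problems]), ...]."""
    findings = []
    seen = {}  # blob -> first line number, to catch the same key pasted twice
    for ln, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # A line may start with options (from="...", no-pty, ...); find the key-type token.
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(parts):
            findings.append((ln, None, "", ["unparseable line"]))
            continue
        keytype, b64 = parts[idx], parts[idx + 1]
        comment = " ".join(parts[idx + 2:])
        problems = []
        blob = None
        try:
            blob = base64.b64decode(b64, validate=True)
            declared, _ = _read_string(blob, 0)
            if declared != keytype.encode():
                problems.append("blob type does not match declared type")
            elif keytype == "ssh-dss":
                problems.append("DSA key (1024-bit; disabled by default since OpenSSH 7.0)")
            elif keytype == "ssh-rsa":
                bits = rsa_modulus_bits(blob)
                if bits < min_rsa_bits:
                    problems.append(f"RSA modulus is {bits} bits (< {min_rsa_bits})")
        except (ValueError, struct.error):
            problems.append("undecodable key blob")
        if not comment:
            problems.append("no comment identifying the key's owner")
        if blob is not None:
            if blob in seen:
                problems.append(f"duplicate of line {seen[blob]}")
            else:
                seen[blob] = ln
        findings.append((ln, keytype, comment, problems))
    return findings


# Constructed sample file: moduli are placeholders with the right bit length, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# team keys",
    encode_public_key("ssh-rsa", 65537, (1 << 1023) | 1) + " alice@laptop",
    encode_public_key("ssh-rsa", 65537, (1 << 2047) | 1) + " bob@workstation",
    encode_public_key("ssh-rsa", 65537, (1 << 4095) | 1),  # no owner comment
    'no-pty,from="10.0.0.5" ' + encode_public_key("ssh-dss", 1, 1, 1, 1) + " deploy@ci",
    encode_public_key("ssh-rsa", 65537, (1 << 2047) | 1) + " bob@workstation (copied twice)",
])

if __name__ == "__main__":
    for ln, keytype, comment, problems in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {ln}: {keytype} {comment!r}: {'; '.join(problems) or 'ok'}")
```

Run it against `~/.ssh/authorized_keys` on each server (`audit_authorized_keys(open(path).read())`) and treat every finding as a key to replace or remove; the owner comment is what makes the "remove keys when someone leaves" step possible at all.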