Digital Risk Assessment Template
Journalists face a wide array of digital risks when carrying out their work, and completing a risk assessment is an important factor in keeping data and sources safer. This risk assessment template is designed to get you thinking about the risks that you face as well as the steps you need to take to reduce those risks.
This template can be completed as a stand-alone document or as part of the SaferJourno training course. Journalists may need to consult the SaferJourno guide for best practice guidance on how to carry out certain digital security steps. You may not need to complete all of the risk assessment; choose the sections or questions that best suit your security needs.
This document can be shared with editors as a way to better protect you when working on a story. Please think about where you will store this document and how you will share it securely with the news outlet you are working with. Consult with a digital security advisor if you need guidance on how to do this.
Thinking about general digital risk
What general digital safety concerns do you have? Please detail below.
Have you faced any previous digital threats? Please detail if you feel comfortable to do so.
Are you living and working in a country with a high level of surveillance? What steps do you need to take in order to be more digitally secure?
Are you working on a sensitive story? If so, what do you need to know in order to be safer online and when using devices?
Do you have a significant online presence? What steps have you taken to protect your online data and your accounts?
Account security
What areas do you feel you need to improve when it comes to account security? Please detail below.
Do you know who may wish to target your accounts? If so, does this adversary have a history of hacking or carrying out phishing attacks against journalists or others? Please detail below.
Is there a risk the government could subpoena a company for your online information? If so, what steps will you take to protect your data?
Steps to reduce risk
Complete the checklist to secure your accounts.
- I have created long (15 characters or more) and unique passwords for my accounts
- I have created and follow a plan for creating and storing my passwords securely
- I have turned on two-factor authentication for my accounts
- I have accessed and saved the backup codes for those accounts
- I have reviewed the content of my most important accounts and removed anything I would not feel comfortable with others accessing
- I have taken steps to separate out my work and personal accounts online
- I have now secured all my online accounts using the steps above
- I am aware of the steps I need to take to better protect against phishing
Device security
Note down any questions or concerns you have regarding how to best protect your devices.
Do you know what content is on your devices and have you taken steps to remove anything you would not want to be obtained by others? What steps have you taken?
Do you know who may want to gain access to your devices, for example, law enforcement or protestors at an event? Have you taken steps to secure your devices and the content on them?
Do you know how to encrypt your devices and have you researched the law around encryption in your country?
Are you crossing borders, at risk of arrest, detention or having your devices seized? What steps do you need to take to secure your devices and information ahead of travel?
Have you researched whether you are at high risk of having spyware inserted on your devices? What steps are you taking to protect your devices?
Safer online research
What concerns do you have with regards to carrying out online research? Please state below.
Do you have a specific story that causes you concern when it comes to carrying out research online? If so, please detail below.
Do you know who may be interested in obtaining your online data and what their tech, legal and financial capacity is? What steps are you taking to protect your data?
Is there a risk the government could subpoena a company for your online information? If so, what steps will you take to preemptively protect that data?
What steps do you now need to take to protect your online browsing, including use of VPNs if needed?
Protecting materials
Please write down any concerns or questions you may have about how to keep your materials secure.
What steps do you need to take to mitigate the concerns above?
Steps to reduce risk
- I have researched who may be interested in obtaining my documents and I understand the ways they may try to do this. For example, subpoena, device seizure
- I have a plan for backing up my content in more than one place
- I have researched and chosen a method for backing up, deleting and storing content
- I know how to encrypt single documents
- I know how to encrypt USB sticks, HD cards, external hard drives amongst others
- I have created a plan with my team around how we will all store materials more securely
- I know what steps to take should our material be accessed by someone
Safer communications
What concerns do you have when it comes to securely communicating with others? Detail them below.
Do you need to protect your phone number from the source? Have you looked into obtaining Google Voice and other such services?
Do you know who may want to target you for data linked to your communications? Have you researched how they obtain that information, for example, subpoena, digital surveillance, physical surveillance? Make notes below.
Are you speaking with someone who is under digital surveillance? If so, please write down the steps you will take to protect those communications.
Have you taken steps to secure the communications tool you are using? For example, turning on disappearing messages for WhatsApp. What other steps do you need to take?
Online abuse and protecting personal data
Have you previously been targeted by online abusers? Please detail below.
Are you being targeted because of certain stories that you are publishing?
Do you have an understanding of who may be targeting you and the tactics that they are using?
Steps to reduce risk
- I have carried out an advanced search for my data online
- I have taken steps to remove as much personal data as I am able
- I have set up Google alerts for my personal data, including my name
- I have secured my accounts by turning on two-factor authentication and by creating long unique passwords
- I have spoken to family and friends about what data I am happy to share online
- I have worked with family members to secure their accounts