Balancing creativity with compliance in digital delivery
As part of Brathay Trust’s 2020–25 strategy and 2021/22 business plan, we stated that we will “develop, promote and deliver distinctive programmes containing a blend of residential, local and digital elements, which will have maximum impact and safeguard against future disruption to our ability to deliver to our clients”.
With the support and funding of Catalyst we have moved on significantly in developing the digital element of this plan — not just as a kneejerk reaction to the pandemic, but as part of a blended learning and development offer moving forward.
We’ve brought in design thinking methodology to help our innovation and have excitedly explored different tools and apps with our digital expert partners through the Catalyst Definition programme that we can use with participants in synchronous live virtual learning sessions.
However, one of the biggest challenges we’ve had to negotiate is balancing creativity with compliance, and we headed into our Catalyst Continuation extension funding phase with our sights firmly set on a compliance checklist to ensure we are as safe online as we are on a high ropes course or in street-based youth work. This was also our number one priority, as unless we get this right, we can’t test anything with end users.
At the same time, we were facing the monumental task of trying to gain our Cyber Essentials certification. This has resulted in delays to testing but increased our cyber safety, and a LOT of learning along the way! So, to be able to share this very simple table below with our social sector peers feels like a place we weren’t sure we would ever get to, and it represents months of blood, sweat and tears that we hope we can spare others some of!
This represents our decision-making process, checklist, and choices — yours may be different. It includes links to the National Vulnerability Database, where you can search by product name, vendor name, CVE, etc., as well as links to Common Sense, a privacy programme that evaluates privacy policies to help make informed choices about learning tools.
It is a small but significant stage of the following iterative framework we are developing for software requests.
And if you’re keen on the detail then read on to find an example of our live scenario checklist for Miro, which we’ve now approved and tested.
Flowchart Checklist
Need
Identify Digital Tools to enhance the interactive capabilities of learning sessions online.
Software request: Miro
Requires Authorisation
Then
Requires budget or cost approval
Then IF
This scenario is funded by Catalyst/CAST budget for licensing
https://betterdigital.services/principles/
Then
Select digital app Miro for use on laptops only; no mobiles are to be tested initially, but longer term the need to deliver the apps on both Android and OSX should be considered.
Then
Select appropriate App (Desktop and Web versions are to be tested).
Then
Lookup vulnerability database online as a means of identifying the security risks of the chosen App. This is an internal assessment to identify initial exposure to risk.
https://www.cvedetails.com/
Then
IT support do further security and vulnerability checks and update.
Check the National Vulnerability Database (NVD, USA) https://nvd.nist.gov/
Common Sense https://www.commonsense.org/
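The vulnerability-database lookup above produces a list of CVE records that someone then has to turn into a "low security score" decision. The script below is an added example, written for this post and not Brathay Trust's own tooling or part of the checklist. It assumes IT support has already fetched a JSON response from the NVD API 2.0 for a keyword search on the vendor or product name; a constructed sample in that shape is embedded so the script runs offline, its CVE ids, dates, scores and descriptions are placeholders rather than real records, and the escalate/review/proceed thresholds in `triage` are illustrative assumptions, not the Trust's policy. The one detail worth noting is that an entry NVD has not scored yet is kept and counted as "UNSCORED" rather than silently dropped, so a brand-new issue still forces a review.

```python
"""Triage of a vulnerability-database lookup for a candidate app.

Added example, not part of Brathay Trust's checklist or of any NVD tool.
It assumes the IT support step has already fetched a JSON response from
the NVD API 2.0 (https://nvd.nist.gov/) for a keyword search on the vendor
or product name. A constructed sample in that shape is embedded below so
the script runs offline; its CVE ids, dates and scores are placeholders.
"""
import json
from collections import Counter
from datetime import date, timedelta

# Constructed assessment date, so results are reproducible offline.
ASSESSMENT_DATE = date(2022, 1, 15)

# Constructed sample in the shape of an NVD API 2.0 response.
# CVE ids, scores, dates and descriptions are placeholders, not real records.
SAMPLE_NVD_RESPONSE = json.dumps({
    "totalResults": 3,
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",
            "published": "2019-06-10T14:15:00.000",
            "descriptions": [{"lang": "en", "value": "Placeholder: older desktop client issue."}],
            "metrics": {"cvssMetricV31": [{"type": "Primary",
                "cvssData": {"baseScore": 7.8, "baseSeverity": "HIGH"}}]},
        }},
        {"cve": {
            "id": "CVE-0000-0002",
            "published": "2021-09-01T09:00:00.000",
            "descriptions": [{"lang": "en", "value": "Placeholder: web app issue."}],
            "metrics": {"cvssMetricV31": [{"type": "Primary",
                "cvssData": {"baseScore": 5.4, "baseSeverity": "MEDIUM"}}]},
        }},
        {"cve": {
            "id": "CVE-0000-0003",
            "published": "2021-12-20T11:30:00.000",
            "descriptions": [{"lang": "en", "value": "Placeholder: awaiting NVD analysis."}],
            "metrics": {},   # no CVSS data yet: must not be silently dropped
        }},
    ],
})


def _primary_cvss(metrics):
    """Return (baseScore, baseSeverity), preferring CVSS v3.1, then v3.0, then v2."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key) or []
        if not entries:
            continue
        primary = [m for m in entries if m.get("type") == "Primary"]
        m = (primary or entries)[0]
        data = m.get("cvssData", {})
        # v3 carries baseSeverity inside cvssData; v2 carries it beside it.
        return data.get("baseScore"), data.get("baseSeverity") or m.get("baseSeverity")
    return None, None


def parse_nvd(text):
    """Flatten an NVD API 2.0 JSON document into one record per CVE."""
    records = []
    for item in json.loads(text).get("vulnerabilities", []):
        cve = item["cve"]
        score, severity = _primary_cvss(cve.get("metrics") or {})
        summary = next((d["value"] for d in cve.get("descriptions", [])
                        if d.get("lang") == "en"), "")
        records.append({
            "id": cve["id"],
            "published": date.fromisoformat(cve["published"][:10]),
            "score": score,
            "severity": severity or "UNSCORED",   # not yet analysed by NVD
            "summary": summary,
        })
    return records


def triage(records, today, recent_years=2):
    """Summarise findings and apply an assumed decision rule.

    The thresholds are an illustration, not the Trust's policy:
      escalate -> any CRITICAL, or any HIGH published within recent_years
      review   -> any other HIGH or MEDIUM, or entries NVD has not scored yet
      proceed  -> nothing above LOW
    """
    counts = Counter(r["severity"] for r in records)
    scores = [r["score"] for r in records if r["score"] is not None]
    cutoff = today - timedelta(days=365 * recent_years)
    recent_high = [r["id"] for r in records
                   if r["severity"] == "HIGH" and r["published"] >= cutoff]
    if counts["CRITICAL"] or recent_high:
        decision = "escalate"
    elif counts["HIGH"] or counts["MEDIUM"] or counts["UNSCORED"]:
        decision = "review"
    else:
        decision = "proceed"
    return {
        "total": len(records),
        "by_severity": dict(counts),
        "max_score": max(scores) if scores else None,
        "recent_high": recent_high,
        "decision": decision,
    }


if __name__ == "__main__":
    result = triage(parse_nvd(SAMPLE_NVD_RESPONSE), ASSESSMENT_DATE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the embedded sample, the summary comes back with a maximum score of 7.8, one HIGH, one MEDIUM and one UNSCORED entry, and a decision of "review": the HIGH is old enough not to escalate on its own, but the unscored entry means someone still has to look. Swapping in a real NVD response for the constructed one is the only change needed to use it on an actual candidate app.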
Then
Notification from IT support with details to begin testing and inform on the best test environment to deploy which will be determined on an App-by-App basis.
Then IF
Issue loops repeat as many times as is necessary until all issues are resolved
Then IF
Consider alternative App if the one chosen has a low security score.
Then
IT support review the T&Cs, or Terms of Service as they are also known.
Then IF
Share the T&Cs with the team internally so they are aware of, for example, any penalties for leaving the contract early,
and automatic renewal and termination notice periods.
Then IF
Notify people who manage and monitor contract
Then IF
IT support no concerns
Then IF
Internal Team no concerns
Then IF
Issue loops repeat as many times as is necessary until all issues are resolved
Then
Determine features available in the free plan vs features and costs in the appropriate price plan
Then IF
Free Plan does not offer Unlimited Anonymous Board Editors, but this is available in the Team Plan
Then
Does the App vendor offer nonprofit discount — Yes 30%
Then If
How do we apply? Complete the form.
https://miro.com/contact/npo/ (Supporting evidence must be provided)
Then IF
Non-profit discount applied for and approved
Then IF
Consider investigating any non-profit discount feature restrictions
Then
Required installation: RMM, manual, Remote Access or other
Then
Once testing, feature selection and feedback from all groups are collated and the preferred App is selected
Then
Discuss automatic renewal of licenses Yes/no
Then
Discuss termination notice period of licenses and determine where best to record this info.
Then IF
Training: add time. Examples could be a documentation guide, video, internal or external trainer or other.
End
Discuss the items below to consider and develop further.
Then
Other good sources for vulnerability checks are:
Then
Vulnerability Scanning Tools
https://owasp.org/www-community/Vulnerability_Scanning_Tools
Then
Vulnerability Scanning Tools Evaluation
https://sectooladdict.blogspot.com/