Sample Campaign Cybersecurity Policy (4 minute read)

Article author
Betty Fleming

Welcome to the “Jane Q Candidate for Congress” Campaign. 

Cybersecurity is extremely important to Jane. No matter what your role, she expects everyone to do their part to keep the campaign cyber secure. 

Why is cybersecurity so important?

Because campaigns are so integral to our democracy, they are natural targets for those interested in disrupting our way of life. Over the course of the campaign, we will amass significant amounts of sensitive data, including information about voters in our district, donors, and more. The campaign is committed to protecting data entrusted to us, and keeping access to vital campaign documents limited to those who need to see them.

You must assume that your potential for being targeted is greater than that of other computer users.

Since you are now associated with a campaign, you may be a target for bad actors. Oftentimes, efforts to breach an organization start with attempting to gain entry through personal accounts. 

Some people may try to compromise your account or access the campaign through sophisticated, highly targeted phishing efforts known as spear phishing via email, social, or texts. Remain alert to these efforts. Pay close attention to any requests for immediate action or to share something that you normally wouldn’t.

Policies for the Jane Q Candidate Campaign

The campaign has the following policies for all staff and volunteers designed to keep the campaign and you safer.

Minimum Cybersecurity Standards:

  • Passkeys: Use passkeys on all online accounts where available. Users can use the Advanced Protection Program on their personal accounts as well.
  • Security Keys: Everyone in the campaign will be issued a security key that can be attached to your email and other accounts. Use of this key is mandatory. It is the primary way we protect accounts.
  • Password Manager: The campaign uses ____________ password manager. This program will help you create strong unique passwords. It is expected you use the designated password manager for all campaign accounts you access.
  • Encrypted Communications:  The campaign uses _______________ for protected and sensitive communications. In general, you should use encrypted communications to share the most sensitive information. For example, any documents containing personal information about yourself or others, reports with personal information, documents with upcoming strategy, drafts of policy ideas, or media strategies. When in doubt, use encrypted communications. 
  • Using a Shared Account: You may be tasked with using a shared account. Some examples include responses to emails from a general account or posts on social media. You will be advised about whether or not you can use your security key for that account and given the password, which of course you should not share. If you forget it, ask the campaign manager. Do not reset the password, as it will deny access to others.
  • Never Share Data Outside the Campaign: Unless you have explicit permission from a supervisor or it is part of a regular order of business for your position, such as communicating with a campaign vendor, never share campaign information outside the campaign. Do not, under any circumstances, forward work to a personal email address to work on later.
  • Do not download documents to local drives: We store all our documents and data in the cloud. People are given access to those documents as needed. One way we protect the campaign is by limiting access to only those who need it. Do not download copies of documents to local drives on computers.
  • Report incidents: The best way to mitigate a cyber incident is to know about it as soon as possible. “Jane Q Candidate” understands that some cyber incidents are mistakes, such as clicking on a link that you might subsequently think is suspicious. On our campaign, we understand that mistakes can happen even to the most sophisticated computer users. Whether you made a mistake or only think you made one, report it. If you receive emails that are suspicious, report them as well. If you are getting them, it is likely others are too, and that is information we will share with staff. Report any suspicious behavior on social media to ________.
  • Ask questions: We don’t expect everyone to be a cybersecurity expert and sometimes it can be hard to remember everything you are supposed to be doing. Feel free to ask ________________ if you have any questions about cybersecurity. 

Protect Yourself

The campaign cannot require you to do a better job protecting yourself online. However, as stated above, now that you’re on a campaign, you become a target. We strongly encourage you to take the following steps:

  • Use passkeys on all online accounts where available. Users can use the Advanced Protection Program on their personal accounts as well.
  • Turn on multifactor authentication: Multifactor authentication should be available for most personal email, social, and financial accounts.  These core accounts should have the strongest protections available.
  • Password managers: Like keys, password managers can be used on personal devices, so use the one given to you by the campaign. If the campaign doesn’t have or use a stand-alone password manager, use the browser-based password managers in Chrome, Edge, and Firefox. Never ever reuse passwords.
  • Protect Social: In addition to strengthening account access through multifactor authentication, be careful about what you post: information about the campaign and yourself might be used to gain access to accounts.
  • Keep software up-to-date: Updating software fixes known security issues. So running the most recent version of programs is an important security function. A lot of software updates automatically.  Some you need to set up to do so. Use automatic updates where available, and don’t put off manual updates. Phones and tablets are just like any other device. Mobile operating systems and apps need to be kept up-to-date as well.

Learn More: Addressing the Human Factor: Creating a Culture of Cybersecurity

 





