Security Audit Self Assessment Questionnaire FAQ

The Security Audit Self Assessment Questionnaire (SA-SAQ) is completed by each staff member and contractor in the first five days of the calendar month. Return to the SA SAQ info page.

All browsers have tabs, of course, one tab for each page you’re currently looking at – you probably have a bunch of tabs open right now.

The Chrome browser can also have instances (Chrome itself calls these “profiles” or “people”). Each instance shows up as its own window on your computer, with its own collection of tabs. You might use this to organise tabs, for example, one instance of Chrome has tabs for the Model Liaison work you’re doing today, and another instance may have some DDL’s you’re updating.

Each instance of the Chrome browser can be logged in to as a different Google user. Most typically, this might be one instance for your personal browsing (for example, personal email, streaming music, WhatsApp, and similar), and another separate instance for your jane.smith@abbywinters.com Google account for your work stuff (for example, work email, work Google Drive, DDL’s, web applications).

Some people in our organisation use multiple work Google accounts (for example, model.application@abbywinters.com, and jane.smith@abbywinters.com). These also require separate browser instances to be used.

More info on why using separate browser instances is important.

ABOVE: (1) The Person selector icon (2) The person currently logged in to this browser instance (3) Other people set up in Chrome that can be opened in separate browser instances.

Yes, work on the SA SAQ is paid.

For general contractors (not Shoot Producers), track the time you spend on the SA-SAQ each time you complete it, and add a line item to your next invoice. Use your agreed hourly rate (or part thereof).

For Shoot Producers, we offer a flat fee of €100 for the first time you complete the SA SAQ, and €40 for each subsequent time. Add it to your invoice as “SA SAQ for ” for example, “SA SAQ for Jan 2022”.

For Staff, work on the SA SAQ is to be done during business hours, thus your salary covers the time spent on this.

Access means taking action to see Personal Information about People or Company Data. For example;

Logging on to your AW Google account; Logging on to a web application the company provides (eg, MDB, PPCMS, Homonoia as a Shoot Producer or Administrator, Chklsty).

People means, models, employees, customers and contractors. For example;

Mary the model. Angus the Shoot Producer. John the customer. Jane the Contractor.

Personal Information is data about specific people. Examples include;

Names, addresses, work history, our notes on their work and our relationship, telephone numbers, ID details, government ID numbers, email addresses, or similar metadata.

Company Data is data we have created or worked on in the company. Examples include;

Payment info, invoices, work files, unpublished media (eg, test shots, grooming shots), paperwork, policy, procedure (DDL’s), checklists, data, reports, and similar.

Taken means storing in data systems other than those managed by the company, or giving data to other people, or making it available to other people. Examples include;

  • Copying and pasting data (text, images, video, or otherwise) from a Google Doc into an online forum, filestore, personal Office365 or Google Doc (or similar);
  • Downloading files to your local computer;
  • Sharing files online with unauthorised people;
  • Showing something on your screen to someone else;
  • Telling someone Personal Information about People or Company Data.

This is not a complete list.

Trello is used in the business to keep track of projects, especially in the web development and Production departments. Trello boards hold sensitive information about the company, so they must be kept secure. For this reason, we require anyone who accesses a company Trello board to have their personal Trello account secured by 2FA. Trello is owned by Atlassian, and it’s the Atlassian account that is actually secured by 2FA. Trello has a handy feature to sign on with your Google account (fname.lname@abbywinters.com), which we recommend you use day to day. Doing so means you will not have to enter the 2FA code every time you need to log on to Trello, but anyone trying to break in to your Trello account with its password will need it. (The Google sign-in is only as strong as your Google account, which is why that account needs 2FA as well.) To set up 2FA on your Trello / Atlassian account;

  1. Be logged in to Atlassian
    1. Sign in at https://id.atlassian.com/manage-profile/security
    2. Set a password if you usually sign in with Google; it is required in step 3
    3. Save these credentials in LastPass
  2. Install an authenticator app on your smartphone
    1. Any of Google Authenticator (recommended), Authy or Duo will do
  3. Enable two-step verification
    1. Select “Manage two-step verification”
    2. Enter the password set in step 1 to unlock the 2FA settings
    3. Go through the process to register the new 2FA: scan the QR code with the authenticator app, then enter the six-digit code the app shows
    4. Atlassian will provide an emergency recovery code; add it to your LastPass entry for Trello / Atlassian, so you can still get in if you lose your phone

A VPN – Virtual Private Network – is a way of protecting your internet traffic from the network you happen to be connected to.

Everything works as normal when using a VPN, but there’s an additional, invisible layer of protection: all internet traffic from your computer is encrypted and sent through the VPN, which can be visualised as a tunnel from your computer to the VPN provider’s server. From that server, your traffic continues to the websites you use as normal. The tunnel protects the leg between you and that server, which is the part that runs over whatever wifi or cable you are using at the time.

ABOVE: Simplified schematic of how a VPN works.

Many workplaces require VPN’s be used by everyone doing any work with the company, but for our needs we only require them when working away from home (because we make other checks in our Security Audit to make sure your home network is appropriately secure).

VPN’s reduce risks like having people who also have access to your wifi router / modem snooping on data you send through it. While that’s (hopefully) not so much a risk at home, in public internet places (hotels, airports, cafes, AirBNB, mobile phone hotspots, etc) it’s a real risk.

There’s no way to know who could be listening. Other people on the same network can “sniff out” insecure communications and “listen in”, and they can see which sites you connect to even when the traffic itself is encrypted by HTTPS. That bypasses other security measures we have in place, in the same way that a strong Operating System password does not help if someone is reading the MDB over your shoulder.

Using a VPN solves the local-network part of that problem: everything you send while connected to the VPN is encrypted between your computer and the VPN server (labelled as “server” in the diagram above), so nobody on the wifi, the router or the local ISP can read it or see which sites you visit. Two caveats: the VPN provider’s server can see your traffic, so a VPN is in addition to HTTPS (see the “Always use Secure Connections” Chrome setting in the checklist), not a replacement for it; and a VPN does nothing against someone reading your screen or against malware on your own computer.

A VPN is a paid service provided by various companies. There are free VPN services available, but we do not consider them trustworthy (“If you’re not paying for the product, you are the product” – for a VPN, this may mean they are logging and selling your browsing data to other people!).

Once a VPN is set up, a small program runs on your computer. Each time you work away from home, you start this program, and that’s all – it runs in the background and keeps the data safe. It should be entirely unnoticeable in your day-to-day work.

Setting up a VPN

We use and recommend ExpressVPN, because it’s reasonably priced, reliable, and fast. If you buy a one-year subscription to ExpressVPN for US$99.95, add a line item to your next invoice for the amount and we’ll reimburse you for that expense. Include the Tax Invoice from ExpressVPN as an additional page to your invoice.

When setting up, select a server that’s geographically near to you – this gives the fastest speed. The server location does not change how well you are protected.

Testing the VPN

Even if you’re at home, you can still test the VPN is working, so go ahead and connect to the VPN and do some browsing (personal, or for AW work) for a few hours as you normally would and see how it works – it should be completely transparent and you won’t notice anything different.

Using the VPN

Whenever you’re doing AW BV work away from home, regardless of how you connect, turn the VPN on.

That includes working from a friend or family member’s home, a co-working site, an AirBNB, a hotel, a cafe, a park, an airport, or your own phone used as a hotspot.

When connected to the VPN, everything will appear to work as normal, but data you work with will be better secured, because it’s going through an encrypted virtual “tunnel” from your computer to the VPN server.

This means if the wifi access point, router, modem, or local ISP is compromised or just has low security settings, it won’t matter – if your connection is “hacked”, all they will see is encrypted data that looks random (not model or customer names and ID’s and addresses!).

When you’re done with AW BV work for the day, turn the VPN off (or you can just leave it on all the time, to be super-secure all the time!).

Modem/routers have a tiny web server inside them; you can connect to it (like any other web server, using a web browser) and change the settings. Indeed, this is where the danger is – if the modem/router still has its default admin password, anyone who can reach that web server (everyone on your wifi and, if remote management is switched on, anyone on the internet) can log in, change your DNS or other settings to redirect your traffic, and see which devices are connected and what they do online. Changing the admin password for this device is a two step process; first we find out how to connect to the modem/router by its IP address, then we log in to change the admin password.

Finding the modem/router IP address, for Windows

  1. Start menu, type “command”, run the “command prompt” program
  2. Type, “ipconfig”, press enter
  3. Look for the “Default Gateway” IP address
  4. Write this down
  5. Type “exit” to close the window

ABOVE: Finding gateway IP in Windows. (1) Issuing the command “ipconfig” (2) “Default Gateway” section (3) The IP address we need, highlighted in yellow.

Finding the modem/router IP address, for MacOS

  1. Click the Apple icon (at the top left of the screen) and select System Preferences (System Settings on macOS 13 and later).
  2. Click Network.
  3. Select your network connection and then click Advanced (Details on macOS 13 and later).
  4. Select the TCP/IP tab and find your gateway IP address listed next to Router.

Finding existing modem/router password

Now we know the IP address, we know how to find the modem/router… but how do we log in? There are a few ways:

  • The modem/router might use a default username and password, like “admin” and “admin”, or “admin” and “password”
  • You could search online for that modem/router brand and model number, to see what the default setting is
  • The modem/router might have a sticker on it that says what the router login details are (see example below). The sticker might be on the back, side or bottom of the device – might be easiest to take a pic of it with your smartphone!
  • The manual that came with the modem/router might have this information
  • Your ISP can provide this information

Once known, write this down, it’s needed in the next step.

ABOVE: an example router/modem sticker. It has wifi network names and passwords, and below the second barcode, router login details – that’s what we need!

Changing the modem/router password

  1. In your browser, visit the IP address for the Gateway (Router) as found in the previous step, for example http://192.168.1.1/
  2. Enter the existing username and password, as found in the previous step
  3. Change the admin password
    1. Every modem/router is a little different. Look in the menu for “admin settings”, “management”, “access control” or similar
    2. Set a strong and complex password, it does not need to be memorable. Use your password manager’s generator or https://passwordsgenerator.net/, at least 16 characters
    3. While you are there, check that “remote management” (admin access from the internet / WAN side) is turned off, so the admin page can only be reached from inside your home
    4. The router may reboot after changing the password, meaning no internet for a few minutes 😱
  4. Record the new password
    1. Add it to your personal password manager (while you can add it to your work LastPass account, that’s not ideal: we do not need to know it)
    2. Add the modem/router’s IP address to the record as well, and name it “Home modem/router” or something useful
  5. Bask in the nerdy feeling of being more secure 🙂
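The two steps above (find the gateway, then set a long random admin password) can be done from one small script. The following is an added example, not part of this FAQ and not a tool AW BV provides: it parses the output of “ipconfig” (Windows) or “route -n get default” (macOS) for the gateway address, handling the case where ipconfig prints an IPv6 gateway first, and generates a 20-character password from the operating system’s random number generator (the secrets module), which is a better source than a web page. The sample ipconfig text is constructed, and the “--live” flag, the English ipconfig field names and the macOS route command are assumptions about the machine it runs on.

```python
import ipaddress
import re
import secrets
import string
import subprocess
import sys
from typing import Optional


def default_gateway_from_ipconfig(text: str) -> Optional[str]:
    """Return the first IPv4 'Default Gateway' in Windows `ipconfig` output, or None.

    ipconfig prints an IPv6 gateway first when there is one and puts the IPv4
    gateway on an indented continuation line, so both are checked.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*Default Gateway[ .]*:\s*(.*)$", line)
        if not m:
            continue
        candidates = [m.group(1).strip()]
        for cont in lines[i + 1:]:
            if not re.match(r"^\s{20,}\S", cont):
                break
            candidates.append(cont.strip())
        for cand in candidates:
            try:
                return str(ipaddress.IPv4Address(cand))
            except ValueError:
                continue  # empty entry on an idle adapter, or an IPv6 address
    return None


def default_gateway_from_route(text: str) -> Optional[str]:
    """Return the gateway from macOS `route -n get default` output, or None."""
    m = re.search(r"^\s*gateway:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


# Letters, digits and a handful of symbols that router web interfaces accept.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_admin_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG with at least one of each character class."""
    if length < 16:
        raise ValueError("the FAQ requires at least 16 characters")
    while True:  # rejection sampling keeps the choice uniform over valid passwords
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


# Constructed sample of ipconfig output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : home
   IPv6 Address. . . . . . . . . . . : fd00::1234
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
"""


def local_gateway() -> Optional[str]:
    """Run the platform's command and parse it (assumption: Windows or macOS)."""
    if sys.platform.startswith("win"):
        out = subprocess.run(["ipconfig"], capture_output=True, text=True).stdout
        return default_gateway_from_ipconfig(out)
    out = subprocess.run(["route", "-n", "get", "default"], capture_output=True, text=True).stdout
    return default_gateway_from_route(out)


if __name__ == "__main__":
    gw = local_gateway() if "--live" in sys.argv else default_gateway_from_ipconfig(SAMPLE_IPCONFIG)
    print(f"Admin page is at http://{gw}/  (log in, change the password, turn off remote management)")
    print(f"Suggested new admin password: {generate_admin_password()}")
```

Run it with “--live” on the machine you are checking; without the flag it works on the constructed sample so you can see what it does first. Paste the generated password into the router and straight into your personal password manager.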

Wifi has three main settings:

  1. The SSID or “network name”
    1. This is what shows up when you search for new wifi networks. It can be anything you like. Have some fun with it.
  2. The security protocol
    1. How data between you and the wifi modem is encrypted (more info)
  3. The password
    1. Only people with the password can connect to this wifi connection

Changing all of these settings is done on your modem/router, or on wifi access point (if you don’t know what a “wifi access point” is, you probably don’t have one – or rather, your modem/router fulfils this role, which is quite common).

These notes assume your wifi is generated by your modem/router.

  1. Access your modem/router’s web interface
    1. As described in the How do I change my router/modem password? FAQ
  2. Select the “Wireless” or “wifi” menu option
    1. Wifi comes in two bands: 2.4 GHz travels further but is a little slower; 5 GHz travels a shorter distance, but is considerably faster. It’s no problem to have both running at the same time, with the same settings – most modern devices choose whichever is most suitable, but devices might get it wrong sometimes. Apply the password and security protocol changes to both bands.
  3. Change the password as necessary – might be in a “security” subsection
    1. If you are connected by wifi when making this change, you’ll lose access to the internet and the modem/router as soon as the password is changed
  4. Each device that connects to wifi will become disconnected (because it does not know the new password), so re-connect each device
  5. Consider adding the password to your personal password manager
  6. Tell your housemates the new wifi password!

Required wifi security protocol

If you never connect by wifi (that is, you use a wired connection on any computer you do AW BV work on), it’s appropriate to answer “NA” to questions about wifi – there’s no need to read the info on this page. There are many different wifi security “protocols”, that define how our wifi device and the modem/router “talk” to each other. It’s likely you’re already using a secure protocol, but we need to make sure. Acceptable security protocols are, in order of preference:

  1. WPA3 (best)
  2. WPA2 + AES
  3. WPA2 + TKIP

WPA2 Personal covers either of the last two options (whether it uses AES or TKIP depends on a separate cipher setting on the router), so it’s acceptable; pick AES when you have the choice. Anything else (WPA, WEP, or an open network with no password) may be a problem, and a “WPA/WPA2 mixed” mode is best avoided if your devices allow it, because it lets devices fall back to the older protocol. These protocols work for anything else you do online (ie, not just work with AW BV), and are used by billions of people every day. More context.

Check wifi security type in Windows

On Windows 10, find the wifi connection icon in the taskbar. Click it, then click Properties underneath your current wifi connection. Scroll down, and look for the wifi details under Properties. Under that, look for Security Type, which displays your wifi’s protocol (for example, “WPA2-Personal”). Alternatively, open a Command Prompt and run “netsh wlan show interfaces”: the Authentication line shows the protocol, and the Cipher line shows whether it is AES (shown as CCMP) or TKIP.

Check wifi security type in MacOS

Hold down the Option key and click on the wifi icon in the menu bar. It will show your network details, including a Security line with the type you’re on.
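As an added example (not from this FAQ), the following Python script reads the same information from the command line and grades it against the list above (WPA3, then WPA2 + AES, then WPA2 + TKIP; anything else fails). On Windows, “netsh wlan show interfaces” prints Authentication and Cipher lines; on older macOS versions the “airport -I” tool prints a “link auth” line. The sample outputs are constructed, and the airport path, the “--live” flag and the exact field names are assumptions based on those tools’ usual output.

```python
import re
import subprocess
import sys
from typing import Dict, Optional, Tuple

# Assumption: this private tool still exists on the macOS version in use.
AIRPORT = "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport"


def parse_key_values(text: str) -> Dict[str, str]:
    """Turn 'Key : value' lines (netsh, airport -I) into a dict; other lines are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ()]*?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def grade(auth: str, cipher: str) -> Tuple[Optional[int], str]:
    """Rank an authentication/cipher pair against the FAQ's list; rank None = not acceptable."""
    a, c = auth.upper(), cipher.upper()
    if "WPA3" in a:
        return 0, "WPA3"
    if "WPA2" in a:
        if not c:  # airport -I reports the auth type but not the cipher
            return 2, "WPA2 Personal (cipher not reported; acceptable)"
        if "CCMP" in c or "AES" in c or "GCMP" in c:
            return 1, "WPA2 + AES"
        if "TKIP" in c:
            return 2, "WPA2 + TKIP"
    return None, f"{auth or 'unknown'} / {cipher or 'unknown'} (not acceptable)"


def assess(fields: Dict[str, str]) -> Tuple[Optional[int], str]:
    """Pick the auth/cipher fields from either tool's output and grade them."""
    auth = fields.get("Authentication") or fields.get("link auth") or ""
    cipher = fields.get("Cipher", "")
    return grade(auth, cipher)


# Constructed samples, in the layout the two tools normally print.
SAMPLE_NETSH = """\
There is 1 interface on the system:

    Name                   : Wi-Fi
    Description            : Intel(R) Wi-Fi 6 AX201 160MHz
    Physical address       : 00:11:22:33:44:55
    State                  : connected
    SSID                   : HomeNet
    Radio type             : 802.11ax
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Connection mode        : Auto Connect
    Signal                 : 90%
"""

SAMPLE_AIRPORT = """\
     agrCtlRSSI: -55
          SSID: HomeNet
     link auth: wpa3-sae
"""


def local_wifi_fields() -> Dict[str, str]:
    """Query the live adapter (assumption: Windows with netsh, or macOS with airport)."""
    cmd = ["netsh", "wlan", "show", "interfaces"] if sys.platform.startswith("win") else [AIRPORT, "-I"]
    return parse_key_values(subprocess.run(cmd, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    fields = local_wifi_fields() if "--live" in sys.argv else parse_key_values(SAMPLE_NETSH)
    rank, label = assess(fields)
    verdict = "OK" if rank is not None else "change the security protocol (see below)"
    print(f"SSID {fields.get('SSID', '?')}: {label} -> {verdict}")
```

The grading deliberately treats the protocol name and the cipher separately, because a router set to “WPA2 Personal” can still be using TKIP; the netsh Cipher line is what tells you which.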

Change wifi security protocol

To change your wifi security protocol;

  1. Access your modem/router’s web interface
    1. As described in the How do I change my router/modem password? FAQ
  2. Select the “Wireless” or “wifi” menu option
  3. Change the security protocol – might be in a “Security” subsection
    1. Set it to the highest item on the list above that your modem/router offers (WPA3 if available; otherwise WPA2 with AES)
    2. If you do not have any of those options, make a screenshot of what you do have, and share with your main contact at AW BV. A new modem/router may be necessary, and your ISP will likely provide this for free. If not, AW BV can contribute.
    3. If you are connected by wifi when making this change, you’ll lose access to the internet and the modem/router as soon as the protocol is changed; you’ll need to reconnect (same wifi password as normal)
  4. Each device that connects to wifi will become disconnected (because the security protocol has changed), so re-connect each device
  5. Tell your housemates they’ll need to reconnect to the wifi as well!

Does the computer you use for AW BV work do things you do not anticipate or expect? For example;

  • Reboot or shut down when you don’t want it to.
  • Operate slowly.
  • Have applications fail or close unexpectedly.
  • Show error messages you do not understand.

If the computer you use for AW BV work does these things, the answer to this question is “false”: provide details in the draft email, so it can be investigated.

Your modem/router is an electronic device that your home internet comes from. It’s usually smaller than a shoe box, has a bunch of wires connected to it and flashing lights on it. It’s usually located near where your phone line or internet supply enters your home, and may be in a closet, under a desk, or near your TV.

One wire will be for a power supply, and one wire will go to the internet connection point in your home. There may be other wires (for example, to connect to a Mac / PC, set-top-box, TV, gaming console, or similar).

The device is usually provided by your Internet Service Provider, and enables devices in your home to connect to the internet. It usually provides a wifi signal, as well as allowing cabled devices to plug in to it.

If you are not sure if a given device in your home is your modem/router, capture some images of the front and back, and of any stickers on it, and pass them to your main contact to assess.

This question is only relevant to users of the Microsoft Windows 10 (or higher) operating system (see also, What is an Operating System?). Microsoft Defender is software that detects viruses and other malware, and prevents them from harming your computer and data. It’s used as an alternative to commercial IT threat management software, like Norton Security, McAfee, Kaspersky Endpoint Security or Symantec Endpoint Protection (we do not recommend any of these, but if you choose to use one of them instead of Microsoft Defender, and it is activated, this requirement is met; note that installing one of them normally switches Defender’s real-time protection off, so if you later uninstall it, check that Defender has turned itself back on). Microsoft has developed Defender into a full-featured antivirus since it shipped as standard with Windows 8 in 2012; it is reliable, free and very easy to use (basically, silent and does its job!). By default, Microsoft Defender is enabled in Windows 10 and above, but it can be manually disabled by the user (not recommended). We require that, if using Windows 10 or above, it (or an equivalent) is enabled when engaged in work for the company. To check if Microsoft Defender is correctly enabled;

  1. Open the Start menu, click the Settings gear
  2. Select the “Update & Security” module (on Windows 11, “Privacy & security”)
    1. See screenshot below
  3. Select the “Windows Security” tab on the left
  4. Click the “Open Windows Security” button
    1. See screenshot below
  5. Review the settings
    1. See screenshot below. Under “Virus & threat protection”, Real-time protection should be On
    2. To double-check from PowerShell, run Get-MpComputerStatus; AntivirusEnabled and RealTimeProtectionEnabled should both be True

ABOVE: Accessing Windows Defender, (1) Start menu (2) Settings gear icon (3) Updates & Security.

ABOVE: (1) Select the “Windows Security” tab (2) click the “Open Windows Security” button.

ABOVE: Windows Security settings in Microsoft Defender are revealed. Your screen should look like this. (1) OneDrive can be dismissed (or, log in if you use this for non-AW stuff) (2) Account Protection can be used or dismissed if you prefer.

The AWS (Amazon Web Services) Management Console is used to administer the company’s AWS accounts. Typically, these accounts are only used by people in the Web Development department.

ABOVE: If you log in to AWS using a screen like this, 2FA on your AWS account is required.

Sometimes, the SA-SAQ requirements are changed. Check here for what those changes are.

For May 2025 SA SAQ round

No changes! 👍

For Jan 2025 SA SAQ round

No changes! 👍

For Sep 2024 SA SAQ round

No changes! 👍

For May 2024 SA SAQ round

  • Added a new item to the checklist: “I have enabled Always use Secure Connections on Chrome.”
    • This setting makes Chrome upgrade to HTTPS wherever the site supports it and warn before loading a site over plain HTTP, so a man-in-the-middle on the network cannot read or alter the communications between your browser and AWBV servers.
  • Added a new item to the checklist: “I have not imported my Chrome tabs into other browsers, and if I did, ensured it wouldn’t happen again.”
    • This measure is to ensure AWBV secure site addresses aren’t leaked to unauthorised browsers for analytics and search engine purposes.

For Jan 2024 SA SAQ round

No changes! 👍

For Sep 2023 SA SAQ round

  • Updated the password strength checking measure to “days to crack”, and linked Bitwarden’s password checker tool, as the previous one was no longer being updated.
  • Updated verification of password ages for Google and LastPass items.
  • Added an item for SSH keys protection with passwords (Only applicable for Developers team members).
  • Revised the wording of SA SAQ completion statements.

For May 2023 SA SAQ round

  • On statement “I lock computers I use for AW work when I am away from them, if other people could access them”.
    • Added “Closing the lid of a laptop meets this requirement, if a password or biometric ID (face scan, fingerprint) is required to log back in.” as an exception
  • On statement “If I connect to the internet to do AW work outside of my home, I use a VPN (including using my phone as a hot spot)”
    • Clarified the risk of not using a VPN (“assume all networks are insecure, unless known otherwise”).
  • When redacting screenshots, removed the indication that blurring or pixelation is acceptable, only black boxes may be used (pixelation and blurring has been found to be insecure; technical background as to why)
  • On statement “I have never been asked for data from AW BV by someone I do not know the identity of”
    • Added examples in the notes
  • Move 2FA questions for all services to be under the “Password security” heading
  • Updated FAQ for setting up 2FA for Trello / Atlassian
  • Acknowledged request to have links in Chklsty open in a new tab (not possible currently; please use the centre mouse button, or Ctrl-click on Windows / Cmd-click on macOS)

For Jan 2023 SA SAQ round

No changes! 👍

For Sep 2022 SA SAQ round

Changed on 23 Jun 2022;

  • Added new item to the checklist: My iPhone is not “jailbroken” or my Android is not “rooted”.
    • Even if we delete / clear WhatsApp conversations, they remain in the app’s protected storage area until the app is deleted and reinstalled, the app’s data is fully cleared, or the smartphone is reset to factory settings. If the smartphone is rooted / jailbroken, that storage is no longer protected, and malicious apps can read, steal or leak those conversations. Media uploaded to Telegram remains in their cloud as well. More info for iOS; more info for Android.
  • Made acceptable wifi protocols more permissive (see the FAQ).
  • Added new item, I never share passwords to shared services using anything other than the LastPass share tool. 
    • This refers to shared accounts like model.application@abbywinters.com, or Twilio (for web devs).
    • Credentials for these accounts should only, ever be shared using the “Share” tool in LastPass.
  • Added new item, I work in the web dev department. I have notified the Sys Admin about any credentials stored directly in GitHub repos for code bases I work on (as opposed to environment variables).
    • This improves the security of our repos.
  • Added new item, If I use Github for work, I have 2FA set up on my Github account.
    • This improves the security of our repos.
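For the two developer items (the Sep 2023 one, SSH keys must be protected with a passphrase, and the Sep 2022 one above, credentials must not sit in GitHub repos), this is an added example of the kind of check a developer can run over a checkout before pushing; it is not a tool AW BV provides. It looks for AWS Access Key IDs and PEM private-key headers, and for OpenSSH private keys it decodes the key header and reads the ciphername field, which is “none” when the key has no passphrase. The sample repository contents are constructed: the key ID is AWS’s documented placeholder value, and the OpenSSH blobs are header-only stubs, not real keys.

```python
import base64
import os
import re
import struct
import sys
from typing import Dict, List, Tuple

# Public, well-known formats only: an AWS Access Key ID is "AKIA" plus 16 upper-case
# letters/digits, and the PEM lines are the standard private-key armour.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"),
}
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"

Finding = Tuple[str, int, str]  # (path, line number, kind)


def _sshstr(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def openssh_key_cipher(pem_text: str) -> str:
    """Return the ciphername field of an OpenSSH private key; "none" means no passphrase."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    pos = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n].decode("ascii")


def scan_file(path: str, text: str) -> List[Finding]:
    """Report every secret-looking line; a committed key is a finding even with a passphrase."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                findings.append((path, lineno, kind))
        if OPENSSH_BEGIN in line:
            try:
                kind = "openssh_key_no_passphrase" if openssh_key_cipher(text) == "none" else "openssh_key_passphrase"
            except ValueError:
                kind = "openssh_key_unparseable"
            findings.append((path, lineno, kind))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} mapping in a stable order."""
    return [f for path in sorted(files) for f in scan_file(path, files[path])]


def scan_directory(root: str) -> List[Finding]:
    """Walk a checked-out repo on disk, skipping the .git metadata directory."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_repo(files)


def constructed_openssh_key(cipher: str) -> str:
    """Only the header of an openssh-key-v1 blob, enough for the cipher check; NOT a usable key."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = OPENSSH_MAGIC + _sshstr(cipher.encode()) + _sshstr(kdf) + _sshstr(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode("ascii")
    return f"{OPENSSH_BEGIN}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample repository (the key ID is AWS's documented placeholder).
SAMPLE_REPO = {
    "config/settings.py": "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
                          "AWS_SECRET_ACCESS_KEY = os.environ['AWS_SECRET_ACCESS_KEY']\n",
    "deploy/id_ed25519": constructed_openssh_key("none"),
    "deploy/id_ed25519_locked": constructed_openssh_key("aes256-ctr"),
    "README.md": "Put AWS_ACCESS_KEY_ID in the environment, never in the repo.\n",
}

if __name__ == "__main__":
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_repo(SAMPLE_REPO)
    for path, lineno, kind in results:
        print(f"{path}:{lineno}: {kind}")
```

Run it as “python scan.py /path/to/checkout” on a real repository; with no argument it runs over the constructed sample. Anything it reports should go to the Sys Admin, and a key file in a repo should be treated as compromised and replaced, whether or not it had a passphrase.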

22 Dec 2021

Added a requirement for 2FA to be set on any Trello accounts that access company Trello boards. More info.

02 Dec 2021

Password Security: Added “I consider who can see me enter master passwords ​(eg for the OS, for LastPass and similar), including cameras in public spaces”. This is a real risk – see https://en.wikipedia.org/wiki/Shoulder_surfing_(computer_security) for more info. Added requirement to use VPN when using smartphone hotspot function.

01 Nov 2021

Data Security: added “When I make screenshots of things that contain personal data, I redact that data before sending the screenshot anywhere” and “Before I stop work for the day, I delete all screenshots I made that contain anything to do with abbywinters.com work”.

27 Oct 2021

Data Security: added items for handling customer data, “When specifying a customer, I use their SubID or username (never their real name) in every medium” and “I never retain company data on my computer longer than 24 hours”. While these items were covered implicitly, they were not covered explicitly – but they are now.

20-Oct-2021

Expanded the definition of “password” to include all secrets (meaning, Access Key ID’s (as used on AWS and similar services), PGP private keys, and similar). Added deleting chat histories: prompted people to delete chat histories weekly if they contain personal info (typically, this would be about models).

15 Oct 2021

Operating System Security: added new question, “If using Windows 10 or higher, Microsoft Defender is always activated (or equivalent anti-virus / anti-malware application is used)”, to the Operating System Security section of the SA-SAQ. More info.

Background: The difference between Tabs and Instances

Using separate browser instances for separate Google accounts is important for a few reasons.

Separating personal and work browsing for your privacy

abbywinters.com BV pays Google to allow us to use their “G Suite” (now called Google Workspace) of web applications – email, docs, drive, and so on. As part of that, we have many opportunities to “manage” the web browsers people in our organisation use, for example;

We limit the browser Extensions you can use when you’re logged in to the Chrome browser with your work Google account, because some browser extensions can take data on web pages and pass them to other web applications we don’t control or trust.

While typically these functions are there to improve the Extension, some browser Extensions capture data maliciously and exploit it (and an Extension can turn malicious later, through an update or a change of owner, even if the original author of the Extension did not intend that). Because we deal with a lot of people’s personal information, we don’t want to risk that.

So, we only allow a few browser extensions that we know and trust (for example, LastPass, Google Translate, Boomerang for Gmail) .

There’s a lot of other things we can do in G Suite to control the browser you use for work purposes, but we don’t actually limit much. But having this level of control also means we can see what users are doing (to some degree). We can certainly see what websites you visit, and theoretically see what you did on that site, see cookies and other things that you probably consider “private”.

In the course of your work, you probably don’t care if the company can see you visited a porn site 😉, the MDB or other web application, a DDL or whatever (and, btw, we don’t even look at that stuff), so it’s fine.

But if you log on to a personal website in your work browser instance, you’d probably prefer we don’t see that (and, we don’t want to!).

So, always use your personal browser instance for personal stuff, and your work browser instance(s) for work stuff. Simple!

Role separation

If you have two or more work accounts you use regularly (the most common example in our organisation is probably model.application@abbywinters.com, and jane.smith@abbywinters.com), you also need to use separate browser instances for them.

Different roles in the organisation have different requirements, access levels and permissions. Just because you are working in this role now, does not mean you will be always. When tasks or roles move to different people we need to know what access levels they need, and no-longer need. We administer this by different Google accounts (perhaps what you think of as email address).

Less confusing for everyone

Consider this scenario;

  1. You log into a browser instance as model.application@abbywinters.com
  2. You process some emails, all good
  3. You go to open a DDL – you don’t have access (the ml@aw account does not have access to DDL’s, it’s only used for processing emails)
  4. You open a new tab, and log in as jane.smith@abbywinters.com, and check some of your own work emails too
  5. You open a Google Drive tab

Then there are some potential problems…

  • Which account’s Google Drive is opened? model.application@abbywinters.com, or jane.smith@abbywinters.com?
  • You go to attach a file from Google Drive to an email… which Google Drive account is referenced?
  • Which bookmarks are on display in the bookmarks bar?
  • Which account’s browser history is used?
  • Which account’s personal spellcheck dictionary is used?

Confusion, and wasted work, are likely. By having separate instances, each person and role has their own “workspace” with the appropriate accesses.

 
