Minimum requirements for the SecureDrop environment

  • The Application and Monitor Servers should be dedicated physical machines, not virtual machines.
  • A trusted location to host the servers. The servers should be hosted in a location that is owned or occupied by the organization, so that their legal department cannot be bypassed with gag orders.
  • The SecureDrop servers should be on a separate internet connection or completely segmented from the corporate network.
  • All traffic from the corporate network should be blocked at SecureDrop’s point of demarcation.
  • The server area and the organization’s safe should be under recorded video monitoring.
  • Journalists should ensure that while using the air-gapped viewing station they are in an area without video cameras.
  • An established monitoring plan and incident response plan. Who will receive the OSSEC alerts, and what will their response be? The plans should cover both technical outages and a compromised environment.
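The two network requirements above (a segmented SecureDrop network, with all corporate traffic blocked at the point of demarcation) translate into a small, deny-by-default ruleset on whatever device sits at that boundary. The following nftables ruleset is an added illustration of that policy and is not SecureDrop’s own firewall configuration. Every address and interface name in it is a placeholder: the corporate LAN is assumed to be 10.0.0.0/8, the SecureDrop segment 192.168.50.0/24 behind interface `sd0`, and the dedicated uplink `wan0`.

```nft
# Added illustration of the demarcation policy; not SecureDrop's own configuration.
# Placeholder assumptions: corporate LAN = 10.0.0.0/8, SecureDrop segment =
# 192.168.50.0/24 on interface "sd0", dedicated internet uplink on "wan0".
table inet demarc {
    chain forward {
        # Deny by default: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Requirement: block all traffic originating on the corporate network,
        # on any interface, and log it so the monitoring plan can see attempts.
        ip saddr 10.0.0.0/8 counter log prefix "corp-to-securedrop " drop

        # Segmentation is bidirectional: the SecureDrop segment must not be
        # able to reach the corporate LAN either (no replies, no pivoting).
        iifname "sd0" ip daddr 10.0.0.0/8 counter drop

        # Allow replies to connections the SecureDrop segment initiated.
        ct state established,related accept

        # The servers' only permitted path is the dedicated uplink.
        iifname "sd0" oifname "wan0" ip saddr 192.168.50.0/24 accept
    }
}
```

Because the corporate-source drop comes before the conntrack accept, even return traffic for a flow that somehow originated inside the corporate LAN is discarded. The `log prefix` gives the OSSEC or syslog monitoring plan a concrete event to alert on, which is how a practitioner verifies that the segmentation requirement is actually holding rather than assuming it.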