Minimum requirements for the SecureDrop environment¶
- The Application and Monitor Servers should be dedicated physical machines, not virtual machines.
- A trusted location to host the servers. The servers should be hosted in a location that is owned or occupied by the organization to ensure that their legal department can not be bypassed with gag orders.
- The SecureDrop servers should be on a separate internet connection or completely segmented from the corporate network, such as a dedicated subnet with DENY rules for all traffic to and from the corporate LAN.
- All traffic from the corporate network should be blocked at the SecureDrop’s point of demarcation.
- Video monitoring should be recorded of the server area and the organizations safe.
- Journalists should ensure that while using the air-gapped viewing station they are in an area without video cameras.
- An established monitoring plan and incident response plan. Who will receive the OSSEC alerts and what will their response plan be? These should cover technical outages and a compromised environment plan.