Newsroom source protection checklist.

Work through the reporting workflow from first contact to publication.

Use this before a sensitive investigation, after a staffing change, or when a newsroom is deciding whether it needs a tip line, private workspace, or deeper security review.

Source communication channels

• Approved source communication channels are defined by risk level: email, phone, Signal, in-person, legal channel, or anonymous tip line.
• Reporters know what each channel is and is not safe for, including metadata, account ownership, and device risk.
• Shared inboxes and source-facing accounts have MFA, named owners, limited access, and recent access review.
• High-risk source intake has a separate plan before anyone asks a source to submit sensitive material.

Accounts, devices, and access

• MFA is enabled on newsroom email, file storage, publishing, password manager, social, and admin accounts.
• Reporters and editors use a password manager for unique passwords on source-facing and newsroom systems.
• Devices used for sensitive reporting receive updates, disk encryption, screen lock, and basic malware protection.
• Freelancer, contractor, and departed staff access is removed from files, accounts, workspaces, and shared devices.

Pre-publication materials

• The team knows where drafts, FOIAs, source notes, claims, timelines, web captures, and sensitive files should live.
• Personal drives, unmanaged folders, and ad hoc document links are not used for sensitive pre-publication collaboration.
• Access is limited by project or investigation, not granted to the whole newsroom by default.
• There is a plan to export, archive, or offboard project material when the investigation closes.

Escalation path