SAFETAG
Security Auditing Framework and Evaluation Template for Advocacy Groups
SAFETAG is a professional audit framework that adapts traditional penetration testing and risk assessment methodologies to be relevant to smaller non-profit organizations based or operating in the developing world.
About SAFETAG
SAFETAG audits serve small scale civil society organizations and independent media houses who have digital security concerns by working with them to identify the risks they face and providing capacity-aware, pragmatic next steps to address them.
Traditional security audits are based upon the assumption that an organization has the time, money, and capacity to aim for perfect security. Low-income at-risk groups have none of these luxuries. SAFETAG combines assessment activities from the security auditing world with best-practices for working with small scale at-risk organizations.
SAFETAG auditors lead a risk modeling process that helps staff and leadership take an institutional look at their digital security problems, expose vulnerabilities that impact their critical processes and assets, and provide clear reporting and follow up to help the organization strategically move forward and identify the support that they need.
- Read the Introduction to SAFETAG to learn about the SAFETAG Audit Framework Core and the Life Cycle of a SAFETAG audit.
- Read about the SAFETAG approach to Risk Assessment and Capacity Building.
- Read about preserving Operational Security during a SAFETAG audit
- Scroll down to browse all SAFETAG Methods.
Getting Started with SAFETAG?
Recent Updates
- 2021 Organizational Security Village Day 4 — September 3rd, 2021
- 2021 Organizational Security Village Day 3 — September 2nd, 2021
- 2021 Organizational Security Village Day 2 — September 1st, 2021
- 2021 Organizational Security Village Day 1 — August 31st, 2021
- Announcing the 2021 Organizational Security Village — July 20th, 2021
The SAFETAG Methods
Explore all Safetag Methods
Preparation
Audit preparation activities which ensure all components of the audit can be conducted safely, effectively, and within your time-frame.
Context Research
Identify the relevant regional and technological context needed to provide a safe and informed audit.
Capacity Assessment
Engage with staff to identify the organization's strengths and weaknesses and use this information to modify audit scope and recommendations.
Reconnaissance
Use publicly available data sources to identify resources, assets, and information connected to the organization and which forms a potential attack surface.
Risk & Threat Analysis
Identify and map critical organizational processes and profile the possible attackers in order to develop a risk matrix.
Organizational Policy Review
Explore existing organizational practices, informal agreements, and policies around managing information security and responding to threats.
Staff Awareness and Individual Device Assessment
Assess the security of the individual devices in the organization through interviews, surveys, and inspection of devices.
Infrastructure and Cloud Service Assessment
Discover and assess the security of infrastructure and cloud services used in the organization.
Data Assessment
This component allows the auditor to identify what sensitive data exists for the organization, where it is stored, and how it is transferred.
Vulnerability Scanning and Analysis
Discover possible flaws in the organization's devices, services, application designs, and networks by testing them to identify known vulnerabilities.
Physical and Operational Security
The organizational security methodology is focused on how to mitigate threats that occur because of the arrangement of digital assets in the physical world -- how...
Responding to Advanced Threats
Identify, triage, and analyze suspicious behavior on a device or in a network for potential advanced threats and recommend urgent mitigation steps.
In-Audit Support & Incident Response
During the audit, the auditor provides assistance for any immediate action needed (spot training, tool fixes, consulting on upcoming projects or ongoing activities) -- this...
Reporting & Recommendation Development
Synthesize data collected through the engagement to produce targeted recommendations then provide a report and debrief for the host organization.
Follow Up & Ongoing Support
This component supports a continued relationship with the host organisation after the assessment report has been presented, allowing time for the organization to digest findings,...
License
SAFETAG resources are available under a Creative Commons Attribution-ShareAlike (CC BY-SA 3.0) License.
Check out the Credits and Licensing page for content attribution and a usage guide to referring to the SAFETAG wordmark.
The SAFETAG Community of Practice is governed by the SAFETAG Code of Conduct.
Get in touch
We have a global network of auditors trained in the SAFETAG framework available for independent work with small NGOs.
For updates or suggestions for the framework, please submit an issue.