SAFETAG
Security Auditing Framework and Evaluation Template for Advocacy Groups
SAFETAG is a professional audit framework that adapts traditional penetration testing and risk assessment methodologies to be relevant to smaller non-profit organizations based or operating in the developing world.
About SAFETAG
SAFETAG audits serve small scale civil society organizations and independent media houses who have digital security concerns by working with them to identify the risks they face and providing capacity-aware, pragmatic next steps to address them.
Traditional security audits are based upon the assumption that an organization has the time, money, and capacity to aim for perfect security. Low-income at-risk groups have none of these luxuries. SAFETAG combines assessment activities from the the security auditing world with best-practices for working with small scale at-risk organizations.
SAFETAG auditors lead a risk modeling process that helps staff and leadership take an institutional look at their digital security problems, expose vulnerabilities that impact their critical processes and assets, and provide clear reporting and follow up to help the organization strategically move forward and identify the support that they need.
Recent Updates
- 2021 Organizational Security Village Day 4 — September 3rd, 2021
- 2021 Organizational Security Village Day 3 — September 2nd, 2021
- 2021 Organizational Security Village Day 2 — September 1st, 2021
- 2021 Organizational Security Village Day 1 — August 31st, 2021
- Announcing the 2021 Organizational Security Village — July 20th, 2021
The SAFETAG Methods
Explore all Safetag Methods
Preparation
This component consists of audit preparation activities that are needed to ensure the components of the audit are able to be conducted effectively and within...
Context Research
This component allows the auditor to identify the relevant regional and technological context needed to provide a safe and informed SAFETAG audit. This component consists...
Capacity Assessment
In this component the auditor engages with staff through both formal interviews and informal conversations to identify the organization's strengths and weakness (expertise, finance, willingness...
Reconnaissance
The remote assessment methodology focuses on direct observation of an organization and their infrastructure, consisting of passive reconnaissance of publicly available data sources ("Open Source...
Organizational Policy Review
This methodology explores existing organizational practices, informal agreements, and policies around managing information security and responding to threats. It also seeks to reveal presumptions made...
Network Mapping
This component allows the auditor to identify security issues with the host's network and map the devices on a host's network, the services that are...
Organizational Device Usage
This component allows the auditor to discover and assess the security of the devices on the network and/or used in the organization. This component consists...
User Device Assessment
This component allows the auditor to assess the security of the individual devices on the network. This component consists of interviews, surveys, and inspection of...
Vulnerability Scanning and Analysis
This component has the auditor discover possible flaws the organization's devices, services, application designs, and networks by testing and comparing them against a variety of...
Data Assessment
This component allows the auditor to identify what sensitive data exists for the organization, where it is stored, and how it is transferred. ...
Physical and Operational Security
The organizational security methodology is focused on how to mitigate against threats that occur because of the arrangement of digital assets in the physical world...
Process Mapping and Risk Modeling
This component allows an auditor to lead the host organization's staff in a series of activities to identify and prioritize the processes that are critical...
Responding to Advanced Threats
This component allows the auditor to be able to identify, triage, and analyze suspicious behavior on a device or in a network. Depending on the...
Threat Assessment
This objective uses a variety of activities to identify possible attackers and gather background information about the capability of those attackers to threaten the...
Responsive Support
The auditor provides assistance for any immediate action needed (spot training, tool fixes, consulting on upcoming projects) -- this may also involve addressing vulnerabilities that...
Debrief
This component consists of an out-brief to key points of contact, providing basic pressure relief through group and individual interactions, and planning future follow-up with...
Follow Up
This component allows an auditor to explain and get feedback on their report as well as evaluate the success of the process over time through...
Report Creation and Recommendation Development
In this component the auditor identifies the organization's strengths and weakness (expertise, finance, willingness to learn, staff time, etc.) to adopting new digital and physical...
License
SAFETAG resources are available under a Creative Commons Attribution-ShareAlike (CC BY-SA 3.0) License.
Check out the Credits and Licensing page for content attribution and a usage guide to referring to the "SAFETAG" wordmark.
Get in touch
[email protected]We have a global network of auditors trained in the SAFETAG framework available for independent work with small NGOs.
For updates or suggestions for the framework, submit an issue.