Security Auditing Framework and Evaluation Template for Advocacy Groups
SAFETAG is a professional audit framework that adapts traditional penetration testing and risk assessment methodologies to be relevant to smaller non-profit organizations based or operating in the developing world.
SAFETAG audits serve small scale civil society organizations and independent media houses who have digital security concerns by working with them to identify the risks they face and providing capacity-aware, pragmatic next steps to address them.
Traditional security audits are based upon the assumption that an organization has the time, money, and capacity to aim for perfect security. Low-income at-risk groups have none of these luxuries. SAFETAG combines assessment activities from the security auditing world with best practices for working with small scale at-risk organizations.
SAFETAG auditors lead a risk modeling process that helps staff and leadership take an institutional look at their digital security problems, expose vulnerabilities that impact their critical processes and assets, and provide clear reporting and follow up to help the organization strategically move forward and identify the support that they need.
- Read the Introduction to SAFETAG to learn about the SAFETAG Audit Framework Core and the Life Cycle of a SAFETAG audit.
- Read about the SAFETAG approach to Risk Assessment and Capacity Building.
- Read about preserving Operational Security during a SAFETAG audit.
- Scroll down to browse all SAFETAG Methods.
Getting Started with SAFETAG?
- 2021 Organizational Security Village Day 4 — September 3rd, 2021
- 2021 Organizational Security Village Day 3 — September 2nd, 2021
- 2021 Organizational Security Village Day 2 — September 1st, 2021
- 2021 Organizational Security Village Day 1 — August 31st, 2021
- Announcing the 2021 Organizational Security Village — July 20th, 2021
The SAFETAG Methods
Explore all Safetag Methods
Audit preparation activities which ensure all components of the audit can be conducted safely, effectively, and within your time-frame.
Identify the relevant regional and technological context needed to provide a safe and informed audit.
Engage with staff to identify the organization's strengths and weaknesses and use this information to modify audit scope and recommendations.
Use publicly available data sources to identify resources, assets, and information connected to the organization that form a potential attack surface.
Organizational Policy Review
Explore existing organizational practices, informal agreements, and policies around managing information security and responding to threats.
This component allows the auditor to identify security issues with the host's network and map the devices on a host's network, the services that are...
Organizational Device Usage
Discover and assess the security of the devices used in the organization.
User Device Assessment
This component allows the auditor to assess the security of the individual devices on the network. This component consists of interviews, surveys, and inspection of devices. ...
Vulnerability Scanning and Analysis
This component has the auditor discover possible flaws in the organization's devices, services, application designs, and networks by testing and comparing them against a variety of online and...
This component allows the auditor to identify what sensitive data exists for the organization, where it is stored, and how it is transferred. ...
Physical and Operational Security
The organizational security methodology is focused on how to mitigate threats that occur because of the arrangement of digital assets in the physical world -- how...
Process Mapping and Risk Modeling
This component allows an auditor to lead the host organization's staff in a series of activities to identify and prioritize the processes that are critical for the...
Responding to Advanced Threats
This component allows the auditor to identify, triage, and analyze suspicious behavior on a device or in a network. Depending on the analysis, the...
This objective uses a variety of activities to identify possible attackers and gather background information about the capability of those attackers to threaten the...
The auditor provides assistance for any immediate action needed (spot training, tool fixes, consulting on upcoming projects) -- this may also involve addressing vulnerabilities that triggered an...
This component consists of an out-brief to key points of contact, providing basic pressure relief through group and individual interactions, and planning future follow-up with the host...
This component allows an auditor to explain and get feedback on their report as well as evaluate the success of the process over time through a...
Report Creation and Recommendation Development
In this component the auditor identifies the organization's strengths and weaknesses (expertise, finance, willingness to learn, staff time, etc.) in adopting new digital and physical...
SAFETAG resources are available under a Creative Commons Attribution-ShareAlike (CC BY-SA 3.0) License.
Check out the Credits and Licensing page for content attribution and a usage guide to referring to the SAFETAG wordmark.
The SAFETAG Community of Practice is governed by the SAFETAG Code of Conduct.
Get in touch: [email protected]
We have a global network of auditors trained in the SAFETAG framework available for independent work with small NGOs.
For updates or suggestions for the framework, please submit an issue.