
Assessment Plan

Summary

This component allows an auditor and host to come to an understanding of the level of access that an auditor will have, what is off limits, and the process for modifying the scope of the audit when new information arises. [pets_legal_considerations, pets_separate_permissions] This component consists of a process where the auditor collaboratively creates an assessment plan with key members of the organization.

A core tenet of SAFETAG is building agency in organizations to improve their digital security. To that end, collaboratively creating an assessment plan with the organization helps to clarify not only the audit scope - from discussing what sensitive data may be exposed to what systems may be disrupted in the process of the audit - but it also helps reveal the ability of the organization to support and respond to the audit findings.

Considerations

    • Consider the threat landscape of the organization when determining secure communications channels. This may require some pre-agreement work using parts of the Context Research methodology.
    • In addition to the overall mandate to send information to the organization encrypted, also require encrypted communication back from them. Failure to establish a secure planning channel is itself a contributor to a no-go decision, since it puts both the auditor and the organization at risk.

Walkthrough

    • Develop an agreement signed by both parties outlining the scope of the audit including:

    • Develop and sign a confidentiality and non-disclosure agreement
    • Share a liability waiver signed by the host organization. [pets_permission_to_test]
    • Obtain approval from any third parties, if necessary. [pets_third_parties]

    The audit agreement, non-disclosure agreement, and liability waiver may be combined in a single document, or they may be kept as separate documents.

    Auditors are encouraged to use, or at least to reference text from, the following sources:

    • Sample Text for a Statement of Work and Engagement Agreement in the Confidentiality Agreement Activity.
    • The SAFETAG Agreement Generator, a python script which provides a decision tree covering the above points, and builds a basic, clear-language agreement which can be translated and formalized as needed. Sample outputs and a diagram of the full decision tree are available in the "outputs" folder of the Agreement Generator repository. This replaces the draft agreement previously part of SAFETAG.