- Consider the threat landscape of the organization when determining secure communications channels. This may require some pre-agreement work using parts of the Context Research methodology.
- In addition to the standing requirement that the auditor send information to the organization encrypted, require that the organization send its communications back encrypted as well. Failure to establish a secure planning channel puts both the auditor and the organization at risk, and so also counts towards a no-go decision.
Develop an agreement signed by both parties outlining the scope of the audit including:
- The start and end dates of the audit.
- The location where the on-site audit will take place. pets_pre-engagement_location
- The responsibilities of the host staff.
- The responsibilities of the auditor.
- The hostnames and IP ranges of any services run by the organization. pets_host_and_ip
- Emergency contact information for the organization. pets_emergency_contact
- The procedure the auditor will follow when handling incidents. nist_incident_repose_plan
- The data security standards for evidence handling and communication. pets_evidence_handling
- Develop and sign a confidentiality and non-disclosure agreement.
- Share a liability waiver signed by the host organization. pets_permission_to_test
- Obtain approval from any third parties, if necessary. pets_third_parties
The audit agreement, non-disclosure agreement, and liability waiver may be combined into a single document or kept as separate documents.
Auditors are encouraged to use, or at least reference text from, the following sources:
- Sample text for a Statement of Work and Engagement Agreement in the Confidentiality Agreement Activity.
- The SAFETAG Agreement Generator, a Python script that walks through a decision tree covering the points above and builds a basic, clear-language agreement which can be translated and formalized as needed. Sample outputs and a diagram of the full decision tree are available in the "outputs" folder of the Agreement Generator repository. This replaces the draft agreement previously included in SAFETAG.