- Organizational technology capacity assessment
- Sensitive data and/or process mapping
- Analysis of operational and technical vulnerabilities
- Threat actor and context research
- Creating with the organization an agreed-upon ranking of risks based on the above processes
- AUDITOR commits to prioritizing the stability and integrity of SUBJECT’s digital infrastructure over any additional testing which could be carried out through more aggressive methods. AUDITOR will make every effort to avoid disrupting SUBJECT's work environment, even temporarily. No tests will be performed that would stress the network, or any individual workstation, beyond what could be expected from normal use. If they have any doubt, AUDITOR will consult with SUBJECT before carrying out the test.
- AUDITOR will not share the assessment report—or any notes created, data gathered or knowledge obtained about SUBJECT during the evaluation—with anyone other than a single point of contact, designated by SUBJECT. AUDITOR may need to share some general information with SUBJECT staff, as part of requesting information necessary to carry out the audit itself. If AUDITOR has any concern that this could be sensitive, they will first clear it with the point of contact. This commitment to protecting SUBJECT's private information extends to AUDITOR’s colleagues, supervisor and funder. The only details about the assessment that will be shared, confidentially, with these three groups (and only these three groups) will include: a) the name and location of the organization audited; b) basic timeline information; and, with SUBJECT's approval, anonymized “lessons learned”. During and after the audit itself, all data will be stored securely in an encrypted volume on AUDITOR’s computer.
- AUDITOR will securely delete all data from the audit one year after submitting the final assessment report to SUBJECT or at any time, should SUBJECT's point of contact request it.
- AUDITOR will work with whatever level of access SUBJECT is comfortable providing. This includes access to staff members for brief "interviews," as well as more technical access, such as passwords, local connectivity, privileged or unprivileged accounts on local or remote services, etc. That said, some level of access typically allows an auditor to produce a report that is significantly more useful than the output of a pure "black box" audit. (And this is doubly true when the auditor wishes to tread lightly in order to avoid impacting the stability of the subject’s network infrastructure and the productivity of its staff.)
Negotiate a Confidentiality Agreement: Negotiate an agreement with the organization that outlines how an auditor will protect the privacy of the organization and the outcomes of the audit.
Below are a sample Statement of Work and Engagement Agreement which can be adapted into your agreement template. See also the SAFETAG Agreement Generator for a more advanced and flexible "plain language" agreement text, along with guidance on selecting which clauses to include.
Sample Statement of Work
Conduct a comprehensive risk assessment using the SAFETAG framework, to include these core methods:
For each method, the auditor is expected to combine research, interaction with key staff members, larger facilitated exercises, and where appropriate, technical verifications/investigations to achieve a comprehensive understanding of the organization's potential risks.
Sample Engagement Agreement
In order to protect the privacy of SUBJECT, AUDITOR agrees to comply with the following restrictions: