Summary

The auditor conducts interviews with various staff members to gather information on the organization's risks and capacity.

Q&A sessions are unabashedly white box aspects of a security assessment, and you will occasionally hear push-back along the lines of, "You wouldn't have found that thing if we hadn't told you about this other thing." Compelling black box findings certainly do have an advantage when it comes to persuasiveness, but obtaining them can be quite time-consuming, so relying exclusively on vulnerabilities that you can identify without "help" is generally a mistake in this resource-constrained sector.

Considerations

    • If the auditor or organization believes there is a good chance that the channel you are communicating over is under surveillance, do the rest of the interview on a secured channel or in person where possible; some information-gathering is nonetheless critical before planning the audit. Inability to do so contributes towards a no-go situation.

Walkthrough

    The questions below are roughly divided into categories for management, program staff, and technical staff. The questions for technical staff may be best asked of the manager or another point of contact; within that section, there are specific questions that often only actual IT staff are likely to be able to answer. An auditor may find value in re-asking the same questions to multiple staff members. The "Baseline Threat Identification Questions" in particular should be asked of whoever the auditor feels is most able or willing to answer them.

    In all cases, the HCD Toolkit recommends that you "warm up the participant with questions they are comfortable with" [hcd_toolkit]; balance this against not asking questions whose answers you should already know from basic organizational research. Follow with informative questions which "prompt bigger, even aspirational, thinking that they may not be accustomed to on a daily basis" [hcd_toolkit].

    • What is your position in the organization?
    • What are your main responsibilities in this organization?
    • What issues does the organization work on? (Provide an example if needed - examples below)

      • Human Rights
      • Transparency
      • Public Service Delivery
      • Health
      • Free Media and Information
      • Climate Issues
      • Gender Issues
      • Poverty Alleviation
      • Community Building
      • Peace promotion
      • Agricultural Development
      • Entrepreneurship
      • Water, Sanitation
      • Transportation
      • Disaster Relief
      • Other
      • No Specific Mandate
    • Where does your organization have activities?
    • Does the organization have activities in more than one (city/province/country/region)?
    • What kind of funding does your organization receive?
    • How many projects is your organization currently managing?
    • What is the organization’s working language? (for password dictionary)
    • Why are you having the audit done?

    Management and Baseline Questions

    • Could you tell me, approximately, which percentage of the organization’s current annual budget is dedicated to supporting the use of digital or mobile technology?
    • Does the organization have its own office space?
    • Does the organization have a domain name or brand identity that is used for all online communications?
    • What other languages are used by the organization, formally or informally? (for password dictionary)
    • In what language has your organization accessed online resources to support its work?
    • How many paid, full-time staff does the organization employ?
    • How many paid, part-time staff does the organization employ?
    • How many unpaid workers, such as volunteers or interns work at least one day a month at the organization?
    • Does the organization have a staff member responsible for working with digital or mobile technology? If so, more than one?
    • Is this staff member responsible for any of the following areas:

      • Office IT infrastructure
      • Internet Presence or website
      • Outreach or communications
      • Managing programs
    • Has turnover in staff members been a problem for retaining technical capacity in your organization?
    • How regularly do staff members of the organization travel outside of your country?
    • Does the organization do any of the following activities when travelling internationally:

      • Run programs
      • Participate in events
      • Run trainings
      • Receive trainings
      • Fundraising

    Go Specific

    "Dig deeper on the challenge at hand & prompt with ‘what if’ scenarios."

    • Is the manager aware that a test is about to be performed?
    • What is the most important reason for your organization to exist? (Provide an example if needed - examples below)

      • To raise awareness in the organization's policy area.
      • To impact policy.
      • To improve policy.
      • To improve service delivery.
      • To change specific legislative or administrative governance structures.
      • To provide citizens with a greater voice in public affairs and deliberations.
      • To expose corruption or malfeasance.
      • No concrete strategic objectives.
    • Does the organization provide services directly to individuals (for example health, educational or legal service?)
    • What type of direct services does the organization provide? (provide an example if needed - examples below)

      • Legal Services
      • Health Services
      • Education Services
      • Water/Sanitation Services
      • Financial Services
      • Other Services
    • Does the organization have a hierarchy for decision-making, according to which different people have different responsibilities and levels of authority?

    Go Personal

    "Dig deeper on the practices outside of work & prompt with ‘what if’ scenarios."

    • Does the staff usually work remotely?
    • Does the staff usually take their work devices home?
    • Does the staff usually access organizational assets from personal devices? (Provide an example if needed - examples below)

      • Work email
      • Work social media accounts
      • Office network (VPN)
      • Shared files
    • Does the staff usually attend out-of-office events? (Provide an example if needed - examples below)

      • Protests
      • Trainings
      • External meetings
      • Press conferences
    • What time does the staff usually come in and get out of the office?
    • How secure are the office surroundings?
    • What are the common means of transportation used?

    Program Staff Questions

    For organizations with significant online operations/programs, the following questions may be asked of the management point of contact and/or a program staff member.

    • Does the organization primarily rely on digital media in its work?
    • What digital tools does your organization use? (Examples follow)

      • Email
      • Email newsletters
      • Websites
      • Maintain blog or discussion fora, or another social media account(s)
      • Engage in online discussions and interactions on external sites
      • Maintain interactive websites
      • Paid software (like Microsoft Office or Basecamp) to manage the organization or projects
      • Free branded platforms (like Google Apps) to manage the organization or projects
      • Digital or mobile tools to collect data or evidence
      • Digital or mobile tools to deliver health, financial, or other public services
      • Mass communication to mobile phones
      • Security software (anti-virus, circumvention tools, etc.)
      • Disseminate information through third-party sites and platforms
      • Other
    • How many people of the organization’s staff currently use digital or mobile technology on a daily basis?
    • How many of the organization’s currently active projects would not be possible without the use of these media?
    • Has the organization used the internet (including online training, discussions or research) to get better at any of the following activities?

      • Communicating with stakeholders and raising awareness on issues.
      • Keeping the organization and its staff safe.
      • Fundraising and developing the organization’s strategic focus.
      • Managing staff and organizational activities (such as payroll, hiring and other administration).
      • Measuring impact of programs.
    • What are the most important motivations for the organization to use these tools?
    • What data would create the greatest risk to the organization if exposed, corrupted, or deleted?
    • Does the organization have specific plans to increase its capacity to use digital or mobile technologies in its work?
    • Which of the below factors are the three most significant obstacles to the efficient use of digital and mobile technology by your organization?

      • Limited skills of staff
      • Limited infrastructure for media or electricity
      • Limited technical literacy and media use among staff
      • Limited financial resources
      • Insufficient hardware or software
      • None
      • Other
      • Don't know
    • How well do you believe your organization is able to identify appropriate digital and mobile technology tools for the organization’s work?
    • How well do you believe your organization is able to use appropriate digital and mobile technology tools for the organization’s work?
    • In what ways, if any, have you experienced that technology inhibits the organization’s work?
    • What new activities using digital or mobile technologies would the organization like to attempt in the future? Please give examples of programs, activities, or management functions.

    Technical Staff Questions

    Ask these of the most technical staff member you are in touch with. If the organization has dedicated IT support, this section also includes specific questions for IT.

    • Do the organization’s staff have access to computers for their work?
    • How many staff members do not have access to their own computer or need to share computers with others?
    • How many staff members use their personal devices to access organizational assets?
    • How many staff members work remotely?
    • Which of the following methods has the organization used to build skills and capacities for using digital or mobile technologies?

      • Local training
      • Training in other countries
      • Online training
      • Purchasing equipment or hardware
      • Hiring consultants
      • Hiring staff or restructuring human resources
      • Devoting staff time to independent learning
      • Participating in international events
      • Searching and learning online
      • Other
      • None
    • Have these efforts to increase capacity targeted specific staff members in the organization?
    • Has the organization actively worked to strengthen its digital security in the last year?

      • (IF NO) Why did the organization not work to strengthen its digital security in the last year?
      • (IF YES) How has the organization worked to strengthen its digital security in the last year? (Examples follow)

        • Limited skills of staff
        • Limited infrastructure for media or electricity.
        • Limited technical literacy and media use among staff
        • limited financial resources
        • Insufficient hardware or software
        • None
        • Other
        • don't know
    • Has turnover in staff members been a problem for retaining technical capacity in your organization?
    • Are there systems on the network which the client does not own, operate, or rely on, that may require additional approval to test?
    • Does the organization communicate with its beneficiaries/members/sources?

      • How does the organization communicate with its beneficiaries/members/sources?
    • Does the organization use any of these tools to maintain information about its members?

      • Paper lists
      • Mobile phone contact lists
      • Email contact lists
      • Spreadsheets
      • CRM (customer relationship management software)
      • Other
    • What other tools does the organization use to maintain information about its members?
    • I will now read a list of hardware tools you might be familiar with. From this list, could you please tell me about the three tools that are most important to the organization?

      • Desktop computers
      • Laptop Computers
      • Mobile Phones
      • Satellite Phones
      • Video Equipment
      • Cameras
      • USB Dongles
      • Hard Drives
      • Servers
      • Audio Recorders
      • Web Cams
      • Wireless Routers
      • Other
    • Other hardware that is important to the organization’s work? Please describe if needed
    • How important do you think each of these hardware tools is for achieving the organization’s strategic objectives?
    • I will now read a list of software tools you might be familiar with. From this list, could you please tell me about the three tools that are most important in the daily work of your organization?

      • Social media
      • Blogging Platforms
      • Tools for creating and managing pictures or videos
      • Cloud Based collaboration applications
      • Budgeting Software
      • Tools for building and managing websites
      • project management software
      • Anti-virus software
      • tools for managing databases
      • Graphic design or visualization software
      • software to manage sms or mobile communication for groups
      • circumvention software
      • other
    • Other software that is important to the organization’s work? Please describe if needed.

    IT Only

    • Are there any systems which could be characterized as fragile? (systems with tendencies to crash, older operating systems, or which are unpatched)
    • Does the organization have a standard procedure for installing software? If so, can they provide a list of the software they install?
    • Is any system monitoring software in place?
    • What are the most critical servers and applications?
    • Do you use backups in your organization?

      • Are there any data/devices that are not backed up?
      • Are backups tested on a regular basis?
      • When was the last time the backups were restored?
    • How many websites does your organization have?
    • What are their URLs?
    • Where are they hosted?
    • How many wireless networks are in place at the organization?
    • Is a guest wireless network used? If so:

      • Does the guest network require authentication?
    • What type of encryption is used on the wireless networks?
    • Does the organization implement filtering of MAC addresses?

      • If so, can they provide the list of MAC addresses?
      • If they don't filter MAC addresses, can they make a list of devices and MAC addresses connected to their local network?
    • Approximately how many clients will be using the wireless network?
    • How many total IP addresses are being tested?
    • How many internal IP addresses, if applicable?
    • How many external IP addresses, if applicable?
    • Are there any devices in place that may impact the results of audit scans such as a firewall, intrusion detection/prevention system, web application firewall, or load balancers?
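    The MAC-filtering questions above ask the organization for its list of permitted devices. An auditor usually wants to reconcile that list against what is actually present on the LAN, and to notice devices whose addresses are locally administered (randomized or hand-set), which MAC filtering cannot reliably pin to a physical device. The script below is an added example, not part of SAFETAG; it assumes the organization supplied a simple "hostname, MAC" list and that the neighbour table was captured with `ip -4 neigh show` on a Linux host inside the network with the client's approval. Both data sets here are constructed samples.

```python
"""Reconcile an organization's MAC allowlist against devices seen on its LAN.

Added example for the SAFETAG interview questions on MAC filtering. The
allowlist format and the sample data are constructed; the neighbour-table
lines follow the format printed by `ip -4 neigh show` on Linux.
"""
import re
from typing import Dict, List

# Constructed sample: the list the organization says its filtering is based on.
# Mixed notations on purpose: colon, dash and Cisco dotted form all occur in practice.
PROVIDED_ALLOWLIST = """
# hostname, MAC   (constructed example list)
office-printer,  00:1A:2B:3C:4D:5E
fileserver,      00-1a-2b-3c-4d-5f
director-laptop, 001A.2B3C.4D60
"""

# Constructed sample in `ip -4 neigh show` format; the FAILED entry has no lladdr.
OBSERVED_NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.11 dev eth0 lladdr 00:1a:2b:3c:4d:5f STALE
192.168.1.23 dev eth0 lladdr 7a:44:91:0c:2e:11 REACHABLE
192.168.1.40 dev eth0 lladdr 3c:52:82:aa:bb:cc DELAY
192.168.1.99 dev eth0  FAILED
"""


def normalize_mac(raw: str) -> str:
    """Canonicalize 'AA:BB:..', 'aa-bb-..' or 'aabb.ccdd.eeff' to aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Randomized (e.g. phone privacy addresses) and manually assigned MACs set
    this bit, so an allowlist entry for them does not identify a fixed device.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_allowlist(text: str) -> Dict[str, str]:
    """Map canonical MAC -> hostname from the organization's 'name, MAC' list."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, mac = (part.strip() for part in line.split(",", 1))
        entries[normalize_mac(mac)] = name
    return entries


def parse_ip_neigh(text: str) -> Dict[str, str]:
    """Map canonical MAC -> IP for neighbour entries that carry an lladdr."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)", line)
        if m:
            seen[normalize_mac(m.group(2))] = m.group(1)
    return seen


def reconcile(allowlist: Dict[str, str], observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify observed devices as known or unknown, flag locally administered
    addresses, and list allowlisted devices that were not seen at all."""
    report: Dict[str, List[str]] = {
        "known": [], "unknown": [], "locally_administered": [], "absent": []}
    for mac, ip in sorted(observed.items()):
        if mac in allowlist:
            report["known"].append(f"{ip} {mac} {allowlist[mac]}")
        else:
            report["unknown"].append(f"{ip} {mac}")
        if is_locally_administered(mac):
            report["locally_administered"].append(f"{ip} {mac}")
    for mac, name in allowlist.items():
        if mac not in observed:
            report["absent"].append(f"{name} {mac}")
    return report


def run_sample() -> Dict[str, List[str]]:
    """Reconcile the constructed allowlist against the constructed neighbour table."""
    return reconcile(parse_allowlist(PROVIDED_ALLOWLIST), parse_ip_neigh(OBSERVED_NEIGH))


if __name__ == "__main__":
    for section, rows in run_sample().items():
        print(f"[{section}]")
        for row in rows:
            print("  ", row)
```

    Unknown devices are follow-up questions for the interviewee, not findings by themselves; an absent allowlisted device may simply be a laptop that travels, which connects back to the questions on remote work and personal devices. The locally-administered flag is the useful caveat to raise when an organization reports that it relies on MAC filtering as an access control.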

    Baseline Threat Identification Questions

    • To your knowledge, how often do the below incidents occur in the geographic areas or issue areas in which your organization is active? Could you please tell me if you think they happen never, sometimes or often?

      • The government lawfully intercepts information communicated by civil society or private persons
      • The government lawfully confiscates equipment because of the information it contains
      • Government, public officials, non-state actors, police or security forces use digital or mobile technology to identify and target individuals for arrest or violence
      • Government, public officials, non-state actors, police or security forces use digital or mobile technology to attack the reputations of individuals or organizations
    • To your knowledge, how often do the below actors use digital or mobile technology to target or to identify individuals for arrest or violence? Do they use it never, sometimes, or often?

      • government or public officials
      • non-state actors (corporations, social groups)
      • police, security forces or paramilitary groups
    • And how often would you say that these actors use digital or mobile technology to monitor or gather information on civil society activities? Never, sometimes, or often?

      • government or public officials
      • non-state actors (corporations, social groups)
      • police, security forces or paramilitary groups
    • What do you feel are the most immediate and serious digital threats to the organization?
    • How much risk do you feel each of these digital threats presents to your organization?

      • Online surveillance
      • DDOS (Distributed Denial of Service) Attack
      • Targeted for physical violence on the basis of digital activity
      • Data loss
      • Other.
    • Do you feel that any of these threats place the physical security of your staff in danger?
    • Do you feel that any of these threats place the physical security of your stakeholders in danger?
    • Do you feel that any of these threats place the physical security of your beneficiaries in danger?
    • In the last six months, have you or any of your civil society peers experienced any of the following?

      • Intimidation or threats of violence by public officials, police or security forces
      • Intimidation or threats of violence by private or non-state actors.
      • Threats of arrest or detention
      • Arrest
      • Threats of Torture.
      • Confiscation of equipment
      • Threats to administrative standing, such as stripping individuals of professional accreditation or organizations of licenses
      • Other
    • How has your organization responded to these threats?

      • Addressed the issue in the press/online
      • Told other organizations about the threat
      • Contacted the authorities
      • Trained staff to prevent and mitigate such threats in the future
      • Requested help from other organizations
      • Invested in hardware
      • raised funds
      • has not responded
      • other
    • Has the organization taken any of the following steps to prepare against digital or physical threats?

      • Staff have been trained
      • There are specific plans in place for specific situations
      • Equipment and/or supplies have been made ready
      • Other
    • Does the organization experience power outages in its office?
    • Does the organization have access to the Internet in its offices?
    • In the last month, has your organization lost access to the Internet for reasons other than power outages?
    • What are the security threats in the office surroundings?

      • Robbery?
      • Kidnapping?
      • Harassment?
      • Surveillance?
      • Physical violence?

    Questions for Known High Risk Organizations

    See Guiding Questions for High Risk Organizations if there are concerns that the organization may be targeted by advanced threat actors.