A Night in the Life

Summary

The auditor interviews staff about their practices, the personal devices and software they use, and the other security capabilities they rely on outside of work. The auditor checks for known vulnerabilities in any out-of-date software and identifies risks in their practices and behaviors.

This is used to develop a report component showing how practices outside of work can affect staff members' personal security and that of the organization.

Considerations

    • Communicate to staff members the level of confidentiality you are applying to discussions about their device and technology use: explain which incident response triggers you have agreed with the organization, and that anything not meeting those triggers is reported only in aggregate, without names.
    • If using screen sharing, use a service with transport security (TLS) and "lock" the room, or make sure the user knows to end the call if anyone unexpected joins the room (unlikely, but possible).

Walkthrough

    As you work with staff members (this activity pairs well with the Device Checklist activity and A Day in the Life), also interview them about the other devices they use and how they connect to work or personal services: email/webmail, intranet/extranet tools, Constituent Relationship Management (CRM) tools such as CiviCRM or Salesforce, financial tracking tools, social media, and website management tools.

    This can also be done remotely. Ask the staff member to use a screen-sharing tool (meet.jit.si or appear.in offer easy-to-use, browser-based options) so that you can watch how they interact with their computer and which applications are running in the background.
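    The Summary asks the auditor to check out-of-date software, and the Considerations require that anything not matching an agreed incident response trigger is reported only in aggregate. The script below is an added example of turning interview notes into such a report; it is not part of the original activity write-up. It assumes the auditor records, per staff member, the software seen during the screen share with its version, and compares each entry against a reference of current releases looked up beforehand. The product names, version numbers, staff records and the single trigger predicate are all constructed placeholders, not real releases or agreed triggers.

```python
"""Aggregate-reporting helper for "A Night in the Life" interview notes.

Added example, not part of the original activity. Reference versions,
interview records and the trigger below are constructed sample data.
"""
from collections import Counter
import re

# Constructed reference: current release per product, as looked up by the
# auditor before the interviews (placeholder values, not real releases).
CURRENT_RELEASES = {
    "browser": "112.0.1",
    "chat-app": "3.14.2",
    "office-suite": "7.5",
}

# Constructed interview records: who uses what, and the version observed.
INTERVIEWS = [
    {"staff": "alice", "device": "personal laptop",
     "software": {"browser": "112.0.1", "chat-app": "3.9.0"}},
    {"staff": "bob", "device": "personal phone",
     "software": {"browser": "98.0", "office-suite": "7.5"}},
    {"staff": "carol", "device": "work laptop",
     "software": {"browser": "112.0.1", "chat-app": "3.14.2"}},
]


def parse_version(v):
    """Split '1.10.2b' into ((1, 10, 2), 'b') so versions compare numerically.

    Plain string comparison would rank '1.9' above '1.10'; this does not.
    """
    nums = tuple(int(x) for x in re.findall(r"\d+", v))
    suffix = re.sub(r"[\d.]", "", v)
    return nums, suffix


def is_outdated(observed, current):
    """True when the observed version is older than the current release."""
    return parse_version(observed) < parse_version(current)


def outdated_entries(interviews, reference):
    """Yield (staff, device, product, observed, current) for each stale install."""
    for rec in interviews:
        for product, seen in rec["software"].items():
            current = reference.get(product)
            if current is not None and is_outdated(seen, current):
                yield rec["staff"], rec["device"], product, seen, current


def aggregate_report(interviews, reference, triggers=()):
    """Build the report component.

    Findings are counted per product and per device class with no staff
    names. Only entries matching an agreed incident response trigger are
    attributed to a person. `triggers` holds predicates over
    (product, observed_version, current_version).
    """
    by_product = Counter()
    by_device = Counter()
    triggered = []
    for staff, device, product, seen, current in outdated_entries(interviews, reference):
        by_product[product] += 1
        by_device[device] += 1
        if any(t(product, seen, current) for t in triggers):
            triggered.append({"staff": staff, "device": device,
                              "product": product, "observed": seen})
    return {
        "staff_interviewed": len(interviews),
        "outdated_by_product": dict(by_product),
        "outdated_by_device": dict(by_device),
        "incident_triggers": triggered,
    }


# Constructed example trigger, standing in for whatever the auditor and the
# organization actually agreed: a browser more than one major release behind.
def browser_major_behind(product, seen, current):
    return (product == "browser"
            and parse_version(current)[0][0] - parse_version(seen)[0][0] > 1)


if __name__ == "__main__":
    import json
    print(json.dumps(aggregate_report(INTERVIEWS, CURRENT_RELEASES,
                                      [browser_major_behind]), indent=2))
```

    With the constructed data, the aggregate section reports one stale browser and one stale chat app, one each on a personal laptop and a personal phone, without naming anyone; only the browser that is far enough behind to meet the trigger is attributed to a staff member. Swap the reference dictionary for the releases you looked up and the trigger list for the ones agreed with the organization.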

    Phone Usage

    • Work or Personal Email
    • Work or Personal Calls
    • Chat Apps with partners/friends non-work related
    • Social media apps

    User Software and Tools

    • Email software
    • Calendars
    • Other shared file systems
    • Chat
    • Voice calls
    • General browser usage
    • Program tracking software

      • Financial
      • Progress
      • Databases
      • Intranet
      • Extranet / other sites

    Remote Services

    • Dropbox / Google Drive
    • Work Email
    • Personal Email
    • Websites and blogs
    • Social media
    • Online CRM or mass-mailing tools (SalesForce, CiviCRM, MailChimp...)

    Personal Practices

    • Office/home location
    • Transportation means
    • Physical security

Recommendation

    Multi-Factor Authentication

    Where possible, enable multi-factor authentication on work accounts (email, social media, website administration, etc.), especially if those accounts are accessed from personal devices.

    See also the recommendations under the Device Checklist activity.