Back to all activities

Operational Security Survey

Summary

This activity helps the auditor assess the organization's current operational security policies and practices through in-person or remote surveys and/or interviews. By also requesting to review and official policies as well as conducting multiple iterations of this with different staff members, some basic verification of the practices and awareness/understanding of existing policies can be achieved

Considerations

    • Any physical notes taken on physical security should be destroyed. Digital notes should be kept in line with overall SAFETAG standards.
    • Consider the threat context if an online survey tool is used to collect information and manage data access and storage responsibly.
    • Any remote communication on physical security should be done over secured channels from a private space
    • It should be noted that SAFETAG is focused only on the digital impacts of physical security. This guide does not provide a full physical security assessment.

Walkthrough

    This activity should build on the preparation work of the auditor, as well as the capacity assessment and context research work:

    • Capacity Assessment: If the auditor has already completed the Capacity Assessment interview, many of the answers from its introductory "Open Up" questions (5-22) provide threat history, likelihood, and some basic policy information, and the questions grouped as "Threat Information," (58-68) go deeper into previous problems and responses. If those were not asked, they can be included here as a follow-up interview/survey.
    • Context Research: Ensure context research has revealed whether the organization would be targeted by adversaries due to their work (e.g. advocacy, engagement in or media coverage of socially sensitive topics, etc.). Threat identification and technical context research should provide insight into likely technical capabilities of adversaries (are malware or other surillance tools used (https://sii.transparencytoolkit.org/) ? Physical surveillance/monitoring? Keyloggers?)

    Once an initial interview or survey has taken place (as part of capacity assessment or dedicated to the above-mentioned questions), Send a follow-up request for any policies mentioned or referred to (travel policies, onboarding/offboarding policies for staff changes, personal device usage ("BYOD") policies, etc.). After reviewing those documents, request any additional policies those may refer to (general IT or security policies), and/or schedule a follow up interview or informal survey to dig deeper into remaining unanswered questions on the operatioal security situation of the organization as well as their adaptations to it. In the (likely) case where there are no policies governing these topics, the auditor can ask their points of contact for these discussions what the general practices are and expand and verify this through additional activities.

    In creating new questions, be careful to not "lead" on security in a way that would discourage honest and transparent responses. For example, ask "Do you host community events and trainings?" instead of "Do you allow outside people into your office"?

    Below are questions not already covered in the capacity assessment interview process, and after that selected questions from that process which are of particular use here.

    Office layout and proximity concerns

    Describe your office - is it on a floor of a building? An entire floor? (What level of the building?) How close are other buildings? Is it a shared, open office space or co-working space? (shared network? open access?)?

    Has the organization dealt with robberies/theft, break-ins, or office raids? If so, what happened, when, and how did you respond (or do you have a policy or contingency plan? When was that last reviewed/updated?)

    What other wifi networks can you see? (See https://wigle.net/ )

    Physical Access Controls

    Do you consider your office space to be secure?

    • No
    • Yes

    Who has independent access to the office space, and routine after-hours access (i.e. who is able to unlock the space). This may include security, cleaning or other building service personnel.

    Do you have policies and procedures for authorizing and limiting unauthorized physical access to digital systems and the facilities in which they are housed?

    • No
    • Yes

    Describe the measures to restrict physical access to the following

    • Servers (Data server, Internet server, etc)
    • User workstations/laptops
    • Network devices (eg routers, switches, etc)
    • Printers

    Do your policies and procedures specify the methods used to control physical access to your secure areas, such as door locks, access control systems, security officers, or video monitoring?

    • No
    • Yes

    Device Controls

    Do you have procedures for physically securing portable devices such as laptops and mobile phones?

    • No
    • Yes If yes, please highlight them

    Do you have a key personnel responsible for the security of digital resources?

    • No
    • Yes

    Do you have policies covering laptop security (e.g. cable lock or secure storage)?

    • No
    • Yes

    Are there procedures to automatically lock digital devices if left unattended for sometime?

    • No
    • Yes If yes, what are the procedures?

    Emergency Planning

    Do you have a business continuity plan in case of serious incidents or disaster to your digital resources and is it current?

    • No
    • Yes If yes, please highlight the steps taken.

    Does your plan identify areas and facilities that need to be sealed off immediately in case of an emergency?

    • No
    • Yes

    Are key personnel aware of the plan and how to respond to the emergency?

    • No
    • Yes

    Programs and staff

    • Do you host events or trainings at the office? Open "cybercafe" or community meeting space?
    • Do you host 1:1 meetings with funders, partners,
    • Do staff work from or meet at homes or cafes/restaurants?

    Selected questions from the Capacity Assessment Interview, "Open Up" section:

    • What issues does the organization work on? Are these issues sensitive where you work?
    • Where does your organization have activities?
    • Does the organization have activities in more than one (city/provence/country/region)?
    • What kind of funding does you organization receive?
    • Does the organization have its own office space?
    • Does the organization have a domain name or brand identity that is used for all online communications?
    • Does the organization have a staff member responsible for working with digital or mobile technology?
    • How regularly do staff members of the organization travel outside of your country
    • Does the organization do any of the following activities when travelling internationally

      • Run programs
      • Participate in events
      • Run trainings
      • Receive trainings
      • Fundraising

    From "Threat Information"

    • To your knowledge, how often do the below incidents occur in the geographic areas or issue areas in which your organization is active? Could you please tell me if you think they happen never, sometimes or often

      • The government lawfully intercepts information communicated by civil society or private person
      • The government lawfully confiscates equipment because of the information it contains
      • Government, public officials, non-state actors, police or security forces use digital or mobile technology to identify and target individuals for arrest or violen
      • Government, public officials, non-state actors, police or security forces use digital or mobile technology to attack the reputations of individuals or organizations
    • To your knowledge, how often do the below actors use digital or mobile technolog to target or to identify individuals for arrest or violence? Do they use it never, sometimes, or often?

      • government or public officials
      • non-state actors (corporations, social groups)
      • police, security forces or paramilitary groups
    • And how often would you say that these actors use digital or mobile technology to monitor or gather information on civil society activities? Never, sometimes, or often.

      • government or public officials
      • non-state actors (corporations, social groups)
      • police, security forces or paramilitary groups
    • What do you feel are the most immediate and serious digital threats to the organization?
    • How much risk do you feel each of these digital threats presents to your organization?

      • Online surveillance
      • DDOS (Distributed Denial of Service) Attack
      • Targeted for physical violence on the basis of digital activity
      • Data loss
      • Other.
    • Do you feel that any of these threats place the physical security of your staff in danger?
    • Do you feel that any of these threats place the physical security of your stakeholders in danger?
    • Do you feel that any of these threats place the physical security of your beneficiaries in danger?
    • In the last six months, have you or any of your civil society peers experienced any of the following?

      • Intimidation or threats of violence by public officials, police or security force
      • Intimidation or threats of violence by private or non-state actors.
      • Threats of arrest or detention
      • Arrest
      • Threats of Torture.
      • Confiscation of equipment
      • Threats to administrative standing, such as stripping individuals of professional accreditation or organization of licenses
      • Other
    • How has your organization responded to these threats?

      • Addressed the issue in the press/online
      • Told other organizations about the threat
      • Contacted the authorities
      • Trained staff to prevent and mitigate such threats in the future
      • Requested help from other organizations
      • Invested in hardware
      • raised funds
      • has not responded
      • other
    • Has the organization taken any of the following steps to prepare against digital or physical threats?

      • Staff have been trained
      • There are specific plans in place for specific situations
      • Equiptment and/or supplies have been made ready
      • Other

    From the Technical Only section:

    • Are Disaster Recovery Procedures in place for the application data?
    • Are Change Management procedures in place?
    • What is the mean time to repair systems outages?
    • Is any system monitoring software in place?
    • What are the most critical servers and applications?
    • Do you use backups in your organization?

      • Are there any data/devices that are not backed up?
      • Are backups tested on a regular basis?
      • When was the last time the backups were restored?