How passwords are created, used, and shared
Who has access to what information (e.g. HR, finance, partners)
Destruction/loss of office devices (fire, natural disaster, etc.)
Lost devices (e.g. while traveling)
Data breach impacting a cloud service used by the organization
New people join or leave the organization
Everyday communications both internally and with key sensitive partners like sources, at-risk beneficiaries, and funders if applicable
For high-risk organizations:
- Response to raids on the office or key staff homes
- Response to arrests of staff or key partners
- What practices are presumed to be in place (e.g. everyone thinks everyone else is using unique passwords)
- What is being applied in practice (with their possible variations among staff members)
- What needs to be updated or defined
- How can the covered aspects be checked or monitored
Build a list of situations where security policies, if followed, would prevent or reduce the impact of a problem; ideally using the Threat Modeling exercise and inputs from Process Mapping, Capacity Assessment, and other methods and activities. These situations can be related to regular operations (looking for best practices) and risks (looking for security procedures). For small and medium-sized organizations, arrange group conversations around a few specific what-if scenarios (this can be integrated into the Data Mapping or Process Mapping approaches). Discussions can include:
Meet with members of the organization and present to them the situations on the previous list, asking if there are some codes or agreements regarding security aspects of the situations presented, take notes of the responses and possible differences between the criteria or knowledge of the agreements. This could be explained by the lack of documentation and formal ways to transmit the agreements
Build a map of practices considering these aspects:
- Asking about them during the interviews.
- Short internal discussions with staff members
- Asking about them alongside threat identification activities and/or process mapping
- Proposing an internal organization roundtable without the auditor(s) and share the outcomes.
There must be a good understanding of the organizational capacity and commitment to implementing and maintaining formal security policies. Based on this assessment, consider beginning with more informal agreements among staff which still help centralize their approach to security and improve their preventative measures and ability to respond to incidents that are easy and effective to adopt. Encourage a "testing" phase of these practices for the organization to then begin formalizing the ones which work and test new approaches for any which did not continue.
Some ways of getting information about shared agreements might be: