- Ensure staff invited to the call are not located in an operationally sensitive environment when holding real-time discussions about sensitive matters. This applies to any remote or in-person engagement. Some of the documents produced in this exercise may be sensitive: proceed with caution and ensure they are sufficiently secured so they do not result in a data leak. Research the technology before using it for real-time collaboration and teleconferencing; not all teleconferencing tools are made equal, so evaluate the risks of a given tool prior to holding sensitive conversations on it.
- Determine which staff must attend the virtual engagement.
- Once you have a list, work with your point of contact within the organization to divide the team into smaller groups, perhaps by those who work more frequently together or on a thematic area. Use the Logistics Document to stay organized.
- Determine the teleconferencing tool to be used. Use the Logistics Document if necessary. For example, if using Jitsi Meet as a breakout group, include all Jitsi Meet links in the document prior to the meeting.
- Similarly, determine which shared collaborative document platform you'll use. Google Drive may not be suitable for all organizations, and it is important to understand the risks involved in using different platforms. Alternatives to Google Drive include CryptPad and Etherpad.
- With staff input, fill the template in with the most popular places where data is kept (laptops, email, shared drives...) prior to beginning the meeting.
- The Remote Asset Valuation Table template is ideally completed in two phases: 1) Iterating (listing) assets; 2) Evaluating the sensitivity of those assets, so as not to ask too much of the group all at once. However, in past audits, most groups skipped ahead and did both steps per asset, which caused some groups to progress more slowly than others. Emphasize doing one step at a time so that groups are not overloaded with tasks.
- Schedule regular check-ins with the breakout groups. Set clear times at which you will check in with each group (e.g. after 5 minutes, at the midpoint, with 5 minutes remaining).
- Coordinating online takes time. Give yourself some buffer, as the logistics always take longer than expected. This is especially true of groups less familiar with the teleconferencing technology you may be using.
- Give an overview of what will be accomplished and the goals.
- Review the Logistics Doc and sequence of events.
- Review the Asset Valuation Table example and answer any questions.
- Release groups to connect via their small virtual breakout rooms. Ask each group to assign a notetaker and to discuss each point. You do not want individuals to silently complete the document; the point is to spark discussion.
- For the first 20-30 minutes the breakout groups should only be identifying assets and their locations. Reiterate they may have multiples of the same asset listed in different locations.
- Check in with each group at the very beginning to ensure everyone understands the instructions.
- For the second 30 minutes, to ensure time isn’t lost regrouping all staff, the auditor may visit each breakout group once again to instruct the group to move on to the second step, asset valuation. This entails going through each asset and evaluating its sensitivity (high - red, medium - orange, low - green). Healthy discussion is encouraged.
- Often groups will lean towards marking everything high sensitivity, but this is not helpful when prioritizing defensive strategies.
- One way to support the groups and help them calibrate their rankings is to ask them to compare assets to one another. Take two high-sensitivity assets: are they equally sensitive? Then compare each to a third asset, and so on.
- Once all groups have completed their Asset Valuation Tables, regroup all staff.
- Depending on the size of the group, ask a team leader to highlight the most sensitive assets identified. Do staff agree? Are there discrepancies?
- To keep notes quickly, the auditor should follow up on any discrepancies and record them in the documents. It also helps to highlight in dark red the most sensitive assets identified by each group.
- Discuss access controls and how staff access the different assets (physical authentication, login access, shared accounts, etc.).
- Further discussion points include the impact of a lost or stolen device and the state of backups, and the impact of a data leak or exposure of particular information assets.