Seamus Tuohy of Prudent Innovation has completed an in-depth decision-tree program that walks auditors/assessors through a set of questions and builds a detailed, plain-language agreement for use in their engagements. It is built in Python on Debian/Ubuntu and is available in the SAFETAG community github.
It allows auditors to provide custom fee schedules and has specific call-outs for the parts of the agreement that most need local legal advice. Because SAFETAG auditors operate in legal jurisdictions all over the world and in a variety of languages, the template text focuses on clarity and conciseness rather than legalese. By clearly articulating the scope and intent of each component, lawyers in different regions will be able to evaluate and update the language to fit their legal code. The repository comes with an example plain-language template. It includes a “base” outline template and a fine-grained template file that extends this base. By editing the base template an assessor can add or remove large sections of the agreement without searching through the fine-grained template for the text to remove; this also customizes the interactive agreement process, so auditors can quickly re-generate new agreements with small modifications.
The project’s README file includes an installation guide as well as usage and advanced customization documentation.
Please test it out and send in feedback via the issue queue, as this will be replacing the existing “draft engagement agreement” currently in SAFETAG.
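To make the base-outline / fine-grained-template split concrete, here is a small illustration of the same design in Python. It is an added example written for this page, not the Prudent Innovation tool or its template text: the section wording, question prompts and section ids are constructed placeholders (and not legal advice). The outline list decides which sections appear and in what order, the fine-grained dictionary holds the wording of every possible section, and a short decision tree asks only the follow-up questions that an earlier answer makes relevant.

```python
"""Illustrative engagement-agreement builder (added example, not the SAFETAG tool)."""
from string import Template

# Fine-grained template: the full wording of every possible section, keyed by id.
# Constructed sample wording; "[LOCAL LEGAL REVIEW]" marks clauses a lawyer in the
# organization's jurisdiction must check before the agreement is used.
FINE_GRAINED = {
    "parties": Template(
        "This agreement is between $auditor (the auditor) and $organization (the organization)."),
    "scope": Template(
        "The auditor will assess the following systems and locations: $scope. "
        "Anything not listed is out of scope unless both parties agree in writing."),
    "authorization": Template(
        "The organization confirms it owns, or is authorized to permit testing of, the listed "
        "systems, including any hosted by third parties. [LOCAL LEGAL REVIEW]"),
    "fees": Template("Fees: $fee_schedule. Invoices are due within $net_days days."),
    "pro_bono": Template("No fee is charged for this engagement."),
    "remote_work": Template(
        "Some activities will be performed remotely, with $onsite_contact operating "
        "equipment on site under the auditor's direction."),
    "confidentiality": Template(
        "Findings are shared only with the organization contacts named in writing and are "
        "deleted by the auditor $retention_days days after the final report. [LOCAL LEGAL REVIEW]"),
    "liability": Template(
        "The auditor is not liable for service interruption caused by agreed testing "
        "activities. [LOCAL LEGAL REVIEW]"),
}

# Base outline: section order, and the answer key that switches a section on (None = always).
# Editing this list adds or removes whole sections without touching the wording above.
BASE_OUTLINE = [
    ("parties", None),
    ("scope", None),
    ("authorization", None),
    ("fees", "paid"),
    ("pro_bono", "not_paid"),
    ("remote_work", "remote"),
    ("confidentiality", None),
    ("liability", None),
]

# Decision tree: (answer key, prompt, follow-up questions asked only when the answer is yes).
QUESTIONS = [
    ("auditor", "Auditor name:", []),
    ("organization", "Organization name:", []),
    ("scope", "Systems/locations in scope:", []),
    ("paid", "Is this a paid engagement? (y/n)", [
        ("fee_schedule", "Fee schedule:", []),
        ("net_days", "Payment terms in days:", []),
    ]),
    ("remote", "Will any activities be done remotely? (y/n)", [
        ("onsite_contact", "On-site staff contact for remote activities:", []),
    ]),
    ("retention_days", "Days the auditor keeps findings after the report:", []),
]


def interview(ask, questions=QUESTIONS):
    """Walk the decision tree; `ask(prompt)` returns the raw answer (input(), or a canned lookup)."""
    answers = {}
    for key, prompt, followups in questions:
        raw = ask(prompt)
        if prompt.endswith("(y/n)"):
            answers[key] = raw.strip().lower().startswith("y")
            if answers[key]:
                answers.update(interview(ask, followups))
        else:
            answers[key] = raw.strip()
    return answers


def build_agreement(answers, outline=BASE_OUTLINE, fine=FINE_GRAINED):
    """Assemble the agreement: the outline chooses sections, the fine-grained template supplies text."""
    answers = {**answers, "not_paid": not answers.get("paid", False)}
    parts = []
    for section, switch in outline:
        if switch is None or answers.get(switch):
            # substitute() (not safe_substitute) so a missing answer fails loudly instead of
            # producing an agreement with a blank where a fee or contact should be.
            parts.append(fine[section].substitute(answers))
    return "\n\n".join(parts)


def legal_review_count(text):
    """How many clauses still carry the local-legal-review marker."""
    return text.count("[LOCAL LEGAL REVIEW]")


if __name__ == "__main__":
    print(build_agreement(interview(input)))
```

Because `interview` takes the question-asking function as a parameter, the same tree runs interactively with `input` or non-interactively from a saved answer file, which is what makes re-generating an agreement with one changed answer cheap.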
Internews is launching a funding pool to diversify and scale SAFETAG across the broader human rights and digital security community. Internews is seeking to fund approximately individuals or teams embedded in organizations to customize SAFETAG to meet their needs, conduct SAFETAG-based assessments integrating these customizations, and share these approaches back with the SAFETAG community. Grant amounts are expected to vary based on local costs and scope, but the average grant is expected to be $25,000 USD and approximately 4 months in duration.
Winning applications must support at least two SAFETAG-based assessments of at-risk organizations working with vulnerable or marginalized communities. These assessments should be in parallel with the creation and documentation of customized approaches – new activities which work better for the applicant’s region/community/specific threats and/or a “playlist” of existing (and custom-created or modified) SAFETAG activities which best work for this community. Grantees will be expected to responsibly share the non-identifying context research (e.g. high-level country risk assessments) within the SAFETAG community and to coordinate on peer-training events to share their approach. Following each assessment, the grantee will help the recipient organization develop risk mitigation plans to address weaknesses, and either provide direct support through existing organizational programming or connect the organization to external services, goods, or funding support as needed to address their security vulnerabilities.
Throughout this entire process, the grantee will have ongoing access and mentoring from Internews’ SAFETAG team and access to the combination of skills and implementation expertise of the entire fellowship pool. Internews will work to “match-make” grantees working on similar or related challenges for peer-training opportunities.
Preference will be given to individuals embedded in organizations working in the human rights and digital security space. Individuals may also apply, but the funding mechanism may be different. Winning applications will demonstrate continued post-funding usage of and contribution to SAFETAG as a community project.
Applications are due November 17 and will be evaluated by Internews’ SAFETAG team, the SAFETAG Community Advisory Board, and in consultation with SAFETAG funders according to the criteria (and regulations) in the submission form. If funds permit a second round will be opened in 2018.
Please submit your applications via this Google Form
If you would prefer to submit this information via PGP, please send to [email protected] and [email protected], encrypting to these keys: http://pgp.mit.edu/pks/lookup?op=vindex&search=0xB46A01C3270C17F1 and http://pgp.mit.edu/pks/lookup?op=get&search=0x6316FC03DF318F76 .
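The submission instructions above give two long key IDs and keyserver lookup URLs. A keyserver lookup by ID is a download channel, not authentication: anyone can upload a key under any name, so before encrypting an application you should confirm each recipient's full 40-hex-digit fingerprint out of band and encrypt to those fingerprints rather than to a short or long ID. The following is an added example (not part of the original post and not tooling from SAFETAG) of that workflow in Python driving the `gpg` binary; it assumes `gpg` 2.1 or later is installed, and the recipient keys it uses are throwaway keys it generates itself in a temporary keyring, not the keys linked above.

```python
"""Encrypt one message to several PGP recipients, pinning their full fingerprints.

Added example for this page; assumes gpg >= 2.1 on PATH. The keys it creates are
throwaway demo keys in a temporary GNUPGHOME, not the SAFETAG keys.
"""
import os
import subprocess
import tempfile


def _gpg(home, *args, stdin=None):
    """Run gpg against an isolated keyring and return raw stdout; raise on non-zero exit."""
    return subprocess.run(
        ["gpg", "--batch", "--yes", "--homedir", home, *args],
        input=stdin, capture_output=True, check=True,
    ).stdout


def make_demo_keyring():
    """Constructed demo: two unprotected throwaway keys in a fresh temporary keyring."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o700)  # gpg warns about group/other-readable homedirs
    for uid in ("Reviewer One <one@example.org>", "Reviewer Two <two@example.org>"):
        _gpg(home, "--pinentry-mode", "loopback", "--passphrase", "",
             "--quick-gen-key", uid, "default", "default")
    return home


def fingerprints(home):
    """Map every primary-key fingerprint in the keyring to its first user id."""
    out = _gpg(home, "--with-colons", "--fingerprint", "--list-keys").decode()
    result, current = {}, None
    for line in out.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = None            # a new primary key; its fpr record follows
        elif fields[0] == "fpr" and current is None:
            current = fields[9]       # field 10 of an fpr record is the fingerprint
        elif fields[0] == "uid" and current is not None:
            result[current] = fields[9]
            current = None            # later fpr records belong to subkeys; ignore them
    return result


def encrypt_to(home, plaintext, expected):
    """Encrypt `plaintext` to every fingerprint in `expected`, ASCII-armored.

    `expected` must hold full 40-hex-digit fingerprints the sender verified out of
    band; a 16-digit long ID (or anything else) is rejected because it is not a
    collision-resistant identifier for a key fetched from a public keyserver.
    """
    known = fingerprints(home)
    for fpr in expected:
        if len(fpr) != 40 or fpr.upper() not in known:
            raise ValueError(f"recipient {fpr!r} is not a verified full fingerprint")
    recipients = [arg for fpr in expected for arg in ("-r", fpr)]
    # --trust-model always: we pinned the fingerprints ourselves, so skip the web-of-trust prompt.
    return _gpg(home, "--trust-model", "always", "--armor", "--encrypt", *recipients,
                stdin=plaintext.encode()).decode()


def recipient_count(home, armored):
    """Count public-key-encrypted session-key packets: one per recipient the message was encrypted to."""
    out = _gpg(home, "--list-packets", stdin=armored.encode()).decode()
    return sum(1 for line in out.splitlines() if line.startswith(":pubkey enc packet:"))


def decrypt(home, armored):
    """Decrypt with whichever recipient key is present in this keyring."""
    return _gpg(home, "--decrypt", stdin=armored.encode()).decode()


if __name__ == "__main__":
    home = make_demo_keyring()
    fprs = list(fingerprints(home))
    message = encrypt_to(home, "constructed application text", fprs)
    print(message)
    print("recipients:", recipient_count(home, message))
```

In a real submission the `expected` list is typed in from fingerprints confirmed with the recipients over a second channel; the keyserver (or a key file they send you) only supplies the key material that those fingerprints are then checked against.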
As more and more contributors are helping build SAFETAG, we realized that the existing guidance on the structure had fallen out of line with the current setup, and how the SAFETAG content is getting mapped into the Content as Code framework.
We have now updated and combined our disparate documentation on the structure of SAFETAG in light of recent feedback and (in the ongoing effort to polish the repository) have uploaded it as a CONTRIBUTING.md file.
Finally, there’s an updated release (ironically not including the above documents yet) which rolls up the changes from the recent write-sprint.
An ongoing interest in the SAFETAG community has been how to use the SAFETAG framework in situations where the auditor cannot travel to the organization at all, or cannot travel to remote or multiple office locations – what can be done remotely, what can be done with help, and what gaps remain that must be accommodated? Thanks to coordination and co-funding with multiple organizations, a SAFETAG peer-training and content sprint answered these questions with new approaches and adaptations to support a variety of remote-only SAFETAG assessment work.
Content created during this training and content sprint is summarized below and has been compiled into an updated SAFETAG release. The content sprint drew on the existing expertise and experience of the attendees to co-create new approaches, doubling as peer training. This has the exciting add-on benefit of supporting community-sourced contributions on the SAFETAG github repository, which can be seen via the github commit and pull history.
Operational Security (expanded from Physical Security)
Thinking through “remote” audits, and the scenarios in which they are most likely to arise, also led to improved clarity on the future of the “Physical Security” module for SAFETAG. It has been transformed into an “Operational Security” section that also includes activities to assess staff traveling, working remotely or from home, and the security impacts of multiple offices, especially where the auditor can only assess a subset of an organization’s offices.
The operational security methodology focuses on mitigating threats that arise from the arrangement of digital assets in the physical world: how secure are the devices at an organization’s office, where and how do staff travel with organizational devices, and do staff work outside of the office (e.g. in remote offices, at their homes, while traveling, or at cafes)? Further, is organizational information accessed from personal devices, and how are those devices secured?
This also enabled the movement of some odd pieces of the framework into this module, such as hands-off discovery of wifi networks and device beacons/probes (https://github.com/SAFETAG/SAFETAG/pull/289), transforming an awkward standalone “module” into an activity underneath this module, where it fits more naturally.
Office Mapping (New)
This activity seeks to identify potential physical vulnerabilities to an organization’s information security practices by documenting the current physical layout of the office and the locations of key assets, as well as potential “external” risks such as nearby/shared office spaces. This can be done in person independently or alongside the “Guided Tour” activity, and can also be done in advance of an assessment or remotely by a willing staff member who knows where these assets are located (often a technical or administrative staff person). This can also be conducted in a multi-office or home-office environment where the auditor is unable to visit every location.
Guided Tour (Adapted to include remote support)
During this component an auditor tours the audit location(s) and flags potential risks related to physical access at that location. This can be done remotely via secure videoconference on a smartphone or tablet that can be moved around the office easily. Combining this activity with Office Mapping helps reduce the awkwardness of taking notes while walking around the office, and if done remotely, the two separate activities can be used to cross-verify each other’s accuracy.
Scavenger Hunt (New)
This activity assists in identifying potential physical security concerns at an organization, particularly when an auditor cannot travel to the office location or cannot visit every office location. The scavenger hunt approach focuses on involving the organization’s staff members in mapping out potential threats by abstracting and gamifying the physical security mapping process. See the “Risk Hunting” exercise in SaferJourno, page 19, for additional ideas and guidance on conducting this activity.
Remote Local Network Scanning and Device Assessment (Adapted)
This allows the auditor, working remotely, to identify the devices on the host organization’s network, the services those devices use, and any protections in place, and to assess the security of the individual devices on the network.
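One way the remote variant works in practice is for a trusted staff member to run a small inventory script on the office LAN, under the written authorization in the engagement agreement, and send the resulting report to the auditor, who then decides which devices need a closer look. The script below is an added example written for this page, not SAFETAG tooling: it does a plain TCP connect scan of a short, auditor-chosen port list, records what answers, and attaches plain-language follow-up flags. The port list and the flag wording are the author's constructed choices, and the offline demo scans only the loopback interface. A connect scan is noisy and visible in device logs, which is acceptable here because the organization itself is running it.

```python
"""Staff-run LAN inventory for a remote assessor (added example, not SAFETAG tooling)."""
import ipaddress
import json
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports a small office is most likely to expose; the auditor adjusts this per engagement.
COMMON_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 139: "netbios",
    443: "https", 445: "smb", 3389: "rdp", 5900: "vnc", 8080: "http-alt",
}


def probe(host, port, timeout=0.5):
    """TCP connect probe: True if something on host accepts a connection on port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_host(host, ports, timeout=0.5, workers=32):
    """Sorted list of open ports on one host, probed in parallel."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = pool.map(lambda p: (p, probe(host, p, timeout)), ports)
        return sorted(p for p, is_open in hits if is_open)


def assess(open_ports):
    """Plain-language follow-up flags for the auditor; these are leads, not a vulnerability verdict."""
    flags = []
    if 23 in open_ports:
        flags.append("telnet accepts connections: credentials cross the LAN in cleartext")
    if 21 in open_ports:
        flags.append("ftp accepts connections: check for anonymous login and cleartext auth")
    if 445 in open_ports or 139 in open_ports:
        flags.append("SMB/NetBIOS reachable: confirm shares require authentication")
    if 3389 in open_ports or 5900 in open_ports:
        flags.append("remote desktop reachable: confirm it is not also exposed beyond the LAN")
    if 80 in open_ports and 443 not in open_ports:
        flags.append("http without https: check whether any login happens over http")
    return flags


def inventory(hosts, ports=COMMON_PORTS, timeout=0.5):
    """Report per host: which of `ports` are open (with the service label) and the flags raised."""
    report = {}
    for host in hosts:
        open_ports = scan_host(host, ports, timeout)
        report[host] = {
            "open": {str(p): ports.get(p, "unknown") for p in open_ports},
            "flags": assess(open_ports),
        }
    return report


def hosts_in(cidr):
    """Usable host addresses in a CIDR block, as strings."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def local_demo():
    """Constructed offline run: one listener on loopback plus one port known to be closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # released, so connecting to it is refused
    try:
        report = inventory(["127.0.0.1"], ports={open_port: "demo-service", closed_port: "nothing"})
    finally:
        listener.close()
    return open_port, closed_port, report


if __name__ == "__main__":
    # On a real engagement: inventory(hosts_in("192.168.1.0/24")), with the range agreed in scope.
    print(json.dumps(local_demo()[2], indent=2))
```

The JSON report is what travels to the auditor; the staff member never has to interpret it. Anything flagged becomes the starting point for the per-device assessment, done either over a screen-share with the staff member or on a follow-up visit.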
Remote Facilitation (New)
Suggested approaches and methods to use when in-person facilitation of activities such as process mapping and data assessment is not possible. This may not produce results as deep as in-person facilitation, but should provide the level of expansion and verification needed.
We are exploring how to better present the SAFETAG content and enable auditors to explore, build and share audit plans, and contribute back to SAFETAG.
Please fill out this survey and inform the next steps of converting the content of SAFETAG into a more interactive and usable structure:
Based on the work from Berlin and revisions and feedback since, we have an updated and streamlined SAFETAG community governance document!
You can find it, together with the Code of Conduct, in the Code of Conduct file in the github repository, which contains the mission, community standards, and community governance structure.
This revision makes the code of conduct more specific, revises the community standards to reflect that the SAFETAG community lives within the orgsec.community world, and simplifies the Advisory Board language to get things rolling sooner. As this becomes a self-sustaining consortium, we can expand and codify additional items as necessary.
SAFETAG continues to expand its adoption among groups doing organizational security work. Towards this, we joined with a group of 15 practitioners recently in Prague who are working on all aspects of organizational security, from the audit/assessment piece through to implementation and follow-up support. We all shared experiences, resources and approaches to address our collective challenges by coalescing our understanding of what organizational security is, and how we can grow and hone our practice.
We were all very encouraged and buoyed by the depth and breadth of the collective knowledge to be tapped, and resolved to use this as a launching pad towards a larger knowledge space and a community of practice.
If you are attending the Internet Freedom Festival, we invite you to join the discussion, hear our outline of how to grow as an independent, open, and collaborative community; and if you are interested, to join efforts.
There is an initial session Thursday March 3 Noon-1 focused on building a more collaborative assessment framework based out of SAFETAG, followed up by an all-morning session scheduled for Friday 10–1, March 4. We want to hear from you about the challenges you face implementing organizational security support and your solutions; about your own organizational security systems and practices; and how you could benefit and contribute as an active member of this growing community.
This post has been adapted from a cross-organizational posting that included the people and organizations below:
- Ali G. Ravi, Confabium - post
- Alix Dunn, the engine room - post
- CC, EngageMedia - post
- Friedhelm Weinberg, HURIDOCS - post
- Jon Camfield, SAFETAG/Internews - post
- Karel Novotný, APC - post
- Kody Leonard, The ISC Project - post
- Kristin Antin, the engine room - post
- Maya Richman, the engine room - post
- Michael Carbone, Access Now - post
- Natasha Msonza, Digital Society of Zimbabwe
- Niels ten Oever, Article 19
- Pablo Zavala, Front Line Defenders
- Peter Steudtner, HIVOS-DIF / pantraining
- Wojtek Bogusz, Front Line Defenders
I’d be willing to wager that you, like me, have been offered “credit monitoring services” more than once in the past few years, because a place you’ve done business with or a past employer was hacked, potentially putting your personal data out on the market.
Corporations and governments, while they struggle to keep up with hacks, do have resources and teams devoted to the battle. But smaller, much more vulnerable victims of attacks deserve our attention too.
Non-profit organizations around the world are also targeted by cybercrime, and don’t have the benefit of expensive services or personnel monitoring or protecting their systems.
And it’s not as if these small organizations don’t have valuable information — from pre-published research to healthcare data, records of environmental transgressions to election monitoring procedures — development and civil society work around the world collects reams of information that, in the wrong hands, can put an organization or its beneficiaries at risk. Even a lost smartphone or laptop will contain contracts, financial data, and private conversations embedded in the constant stream of emails.
Organizational security can feel like an impossible task, and many security audits or “penetration tests” are expensive and can be too aggressive for most small organizations. Vulnerabilities exist, but fixing them is not necessarily a high priority for the organization.
Over the past two years, Internews has developed SAFETAG™ (Security Auditing Framework and Evaluation Template for Advocacy Groups) to address this challenge.
What is SAFETAG?
SAFETAG provides a framework that a digital security expert can use to help organizations identify and prioritize the risks they face and suggest a tightly-focused path to mitigating them. This path to increased safety is designed to be responsive to the actual capacity of an organization. This last element is critical. We have learned that even the best-laid plans will go to waste if the organization is not capable of implementation.
Audits based on the SAFETAG methodology start by working with the organization to explore the information and processes that they consider the most valuable.
For a media or journalism organization, for example, there might be calls and emails between a writer and confidential sources, which then turn into a working draft that is emailed between the author and editors before being sent to a webmaster to be added to the website. Are the phone calls sensitive? Should they be made over an encrypted connection? Where are the emails being stored? Work laptops? Personal smartphones? Email servers hosted by the organization?
The answers to each of these questions help the auditor and the organization think about where vulnerabilities that actually matter to the organization might be hiding. The process mixes interviews, exercises and technical verification and scanning, including documenting what the organization thinks it does versus what it actually does. The goal is to make all the organization’s processes and practices — not just the official ones — safe.
At the end of the day, SAFETAG is like the stone soup parable — the deepest impact comes from the organization taking the time to reflect on the threats they realistically face, the danger this puts them in, and their capacity to reduce these risks over time. The auditor is a catalyst with the resources to make it happen.
Another way that SAFETAG differs from more traditional security audits is that the entire framework is open source and licensed for reuse and re-mixing. Even the trademark on the name “SAFETAG” is meant to encourage organizations to adapt and build on SAFETAG — it requires auditors to avoid calling their work a “SAFETAG audit” but instead use phrases more like “based on SAFETAG.”
SAFETAG continues to evolve — as of today, Internews has trained 13 digital security auditors around the world and performed audits and risk assessments based upon the SAFETAG methodology for 20 at-risk organizations. More exciting than that, however, is organic uptake of the SAFETAG methodology. Other organizations are conducting their own versions of audits based upon SAFETAG.
The entire methodology is open and available on github, with active conversations around the future of the framework visible in the issues queue. “Compiled” versions of SAFETAG are available at https://www.SAFETAG.org .
The future of SAFETAG is to drive — and be driven by — this cross-organizational adoption. Working with this community, Internews is creating a set of practices and a common language that make up the SAFETAG “core activities,” along with a “plug-in” type approach for advanced SAFETAG topics that auditors can provide to help organizations work through not only digital security risks, but also financial, reputational, or even legal risks.
Interested? We’d love to see you over in our issue queue!
(Image credit: Padlock: Plovdiv, Bulgaria – Rachel Titiriga/CC-BY)