SAFETAG updates

  • 8 Tips for Facilitating a Remote Training of SAFETAG Auditors

    Over the last few months and as a direct result of the COVID-19 pandemic, the world has had to shift to a fully-remote workflow. Organizational security audits and trainings for new SAFETAG auditors are no exception. Thankfully, a few Internews partners have already implemented remote trainings, and have shared some lessons learned and resources.

    Lessons learned from implementing a fully virtual Training of SAFETAG Auditors:

    1. Provide multiple methods of engagement for participants. In addition to live sessions for the training, assign homework, related podcasts, or asynchronous work that can be completed by participants on their own time. This helps keep participants engaged and allows for more flexibility in their schedules.

    2. Keep the live sessions short (2-3 hours), and spread them over the course of a few weeks. Keeping live sessions short, in combination with multiple methods of engagement, will allow participants to maintain engagement without losing focus. Shorter sessions also make it easier for individuals to participate fully as they are able to balance their time and focus on other competing tasks or priorities for the remainder of the day.

    3. Introduce participants to the platform you will be using for the training. Prior to the training (or as one of the first training sessions), show participants how you will be using the platform, and allow time for them to become more familiar with using it.

    4. Choose a platform that allows participants to access materials and sessions all in one place. For example, one partner used Google Classroom for a 10-day training. This platform allowed participants to see the curricula, complete the homework assignments, listen to podcasts, and join the live sessions all in one place. This makes the experience more organized and easier for participants to follow.

    5. When possible, record live sessions and allow participants to access the recordings. You will likely have some participants with a poor internet connection, which may prevent them from joining the live sessions. By giving participants access to recorded sessions, they will be able to catch up on any missed sessions and continue to participate in the training without falling behind.

    6. Allow participants to access training materials and resources even after the training ends. Participants have noted that it is useful to be able to continue accessing materials for reference after the training. It is also helpful to be able to reach out to trainers with questions or for any clarifications.

    7. Create a group chat for quick updates and outreach during the training. Creating a group chat (on Signal or some other tool of your choosing) enables coordination between trainers and participants, and provides a space where trainers can reach everyone quickly with any announcements, questions, or changes.

    8. Reminding participants to read through materials, ask questions, and attempt the assignments is key. Not all participants will complete the assignments and attend every session. Remote trainings will often mean that participants are working from their homes, with additional distractions and competing priorities. Reminders can go a long way to increase participation.

  • How to implement a remote SAFETAG audit: A step by step guide.

    Since the pandemic, the information security community has been experimenting with how to make security auditing and risk assessments safer, adapting them to be remote where possible. This is the third blog post in a series exploring how we can improve the remote SAFETAG auditing experience, capturing guidance that will be useful for other security practitioners using the SAFETAG framework.

    Our Goals Don’t Change Simply Because We’re Remote

    Whether you’re using the SAFETAG framework or a standard like NIST or ISO 27001/2, the key to a good information security assessment starts with understanding what the organization values most. This is the reason we have security in the first place. If we do not understand what the organization is trying to protect, we will not be able to recommend appropriate and effective mitigations or controls to improve their security.

    The challenge we often face as practitioners is eliciting this information from the organization quickly and accurately. Simply asking an organization what they value often does not result in the most accurate information. It is the auditor’s job to read between the lines, ask the right questions, infer, and follow up to develop a list of “assets”, or things the organization is trying to protect.

    Not surprisingly, this is foundational to the approach of the remote risk assessment using the SAFETAG framework. It is important to remember the approach to SAFETAG can be broken down into three important bodies of work, referred to as the TRI Approach:

    • Technical
    • Research
    • Interpersonal

    In the remote auditing context, it can be tempting to reduce the amount of time dedicated to the Interpersonal type of work, such as the interactive threat or process mapping exercises. However, practitioners should resist skipping the interactive modules, as these are often the most fruitful and illuminating. Pivoting and reimagining modules is better than eliminating them altogether.

    Minimum Viable Audit vs Remote Audit

    One of the biggest challenges we’ve faced as we’ve had to transition and adapt our audits to be more remote-friendly is that we didn’t want to lose the fiercely pragmatic and capacity-driven nature of the SAFETAG audit.

    So how does the Minimum Viable Audit come into play?

    Through our remote auditing experience, we’ve tried to keep as much of the Minimum Viable Audit components as possible to ensure we’re holistically assessing the organization. In a remote setting, there are often more constraints due to the realities and contexts you’re working in, but there are still core components of SAFETAG that should be attempted across the three areas: Technical, Research, and Interpersonal.

    In some instances, the team had to reimagine a module based on the function rather than the form. For example, the Process Mapping exercise was difficult for us to conduct remotely, and we pivoted instead to one-on-one interviews to get the same information.

    Implementing Your Remote Audit

    Unlike face-to-face audits, where in-person time with the organization is a natural way to divide up the stages of the process, in remote assessments the timeline can feel longer and less clear. This includes the end of the audit, which can feel blurry and less definitive, since the activities can follow a completely different timeline compared to more “traditional” engagements. In this context, planning becomes key, so that we have a complete picture of all the activities that will be conducted and their status, given that many of them will seem to have less defined boundaries.

    Another consideration is that people frequently shift their attention to different kinds of tasks with different people in the remote work dynamic. In this context, it’s harder to have staff engaged in the same way you would have previously when in a room together focused on an activity, like a risk matrix construction or a data mapping exercise. Because of this, it is important to aim for concrete interactions and reduce unnecessary synchronous group activities.

    One way to address this is to very clearly communicate and classify the activities by the involvement of the organization and its staff, including the specific amount of time required. By communicating this to the organization, you will come to a better shared understanding of which activities can be done independently and which will need organization participation. Examples might include deploying a capacity assessment survey that can be completed asynchronously instead of individual one-on-one interviews with the entire staff. The survey would still take some amount of staff time, but likely less than the interview.

    With all of this in mind, a general workflow to implement a remote audit could look something like the following, but should ultimately be built upon the realities and constraints with which you’re dealing.

    1. Prepare and plan: Determine and communicate the activities that will be done without staff members participating such as open source intelligence (OSINT) gathering, Reconnaissance, Web Application Testing, as well as others which will require the attention of people in the organization. In our experience, remote audits have spanned across a much longer time frame. It is important to immediately start logistics coordination on all exercises you want to do synchronously with the organization. You should also aim to integrate into the initial activities any possible information gathering about the organization’s threat model and data interactions usually obtained in physical activities.

    2. Start your asynchronous activities: Starting these asynchronous activities while coordinating larger or one-on-one meetings can help get the audit process moving forward. Some examples of these activities are:

    3. Set up common synchronous activities: As mentioned throughout the article, we cannot overemphasize being organized when doing everything in a remote setting. There are more logistics, more technological difficulties, and overall more challenges with building trust when interacting with staff through a screen. Some examples of synchronous activities you may prioritize to complete during your audit include:

      From Process Mapping to Interviews

      When conducting more and more remote SAFETAG audits, it became painfully apparent that one-on-one interviews would be increasingly important and necessary to capture much of the information from modules previously completed in person. The team transitioned things like Process Mapping to a one-on-one exercise with as many of the organization’s staff from different departments as possible. While individual interviews may be more time consuming, they also have their benefits. You can build trust quickly while capturing very honest feedback and information to support the organization in their security improvements.

      Running Remote Virtual Group Exercises

      Virtual facilitation is tough and will have a learning curve. However, through our experience, exercises like data mapping or threat mapping have been successful with the right tool and right preparation. Reduce the technology burden where possible. Use technologies the organization may already be familiar with and only introduce new tools if needed. A few we’ve used in our experience are Jamboards and Google Sheets (depending on the organization and constraints at hand).

    4. Synthesize: With remote audits, where the outcomes are obtained from perhaps a greater mix of activities, it can be challenging to distill into actionable results. However, the same as an on-site audit, one of the primary goals of a remote audit is to have a good and as complete as possible understanding of the organization’s security weaknesses and strengths. We also want to ensure we capture feasible and relevant recommendations. It is important to take the time to review all your notes and artifacts from exercises (especially from the one-on-one interviews, if applicable) and transform them into a holistic and complete picture of the organization to better connect their needs to recommendations.

    5. Presentation and debrief: The virtual debrief and report presentation of findings does not change significantly, since often these are delivered after the in-person audit. However, like any remote presentation or meeting, it can be easier if you have a visual to review with the organization such as top strengths and recommended improvements.

    Remember, the flow presented above is something that has worked for us. There are of course more ways to implement a remote audit, but we tried to come up with a list of learnings based on our experience thus far. You can find more of our lessons learned here.

    We understand remote adaptations to the SAFETAG framework can be challenging in a variety of ways for a variety of reasons. However, SAFETAG audits are still possible with a little adaptation and planning. Get creative and think outside the box when it comes to building a fuller and more complete picture of the organization so that your recommendations will address real-world challenges. And remember, if we’re able to improve our remote audit processes this only helps us reach more organizations in need of security audits, making them more accessible to groups who need them.

  • 15 Tips for Conducting Remote SAFETAG Audits

    The COVID-19 pandemic has led to a dramatic increase in the need for remote audits and other virtual digital security interventions. Auditors are having to adapt their approaches and respond to new security threats and landscapes. In coordination with auditors across the globe, Internews has developed a Remote Audit Playlist, a collection of SAFETAG activities that can be performed remotely under varying conditions from low bandwidth to distributed team scenarios. While remote audits are new for some practitioners, others have been implementing them for years. Below are some of the lessons Internews and our partners have learned while conducting remote SAFETAG audits.

    1. Building trust is critical, but comes less naturally during remote audits. Accept that you will need to address this ‘confidence gap’. Establish trust relationships with senior people or ‘champions’ of the audit in the organization and allow them to introduce you to other participants and interviewees. Use video during online calls (if possible) to make up for the loss of in-person body language. During group calls, schedule strategic breaks in the programming or meeting for ice breakers. Sharing your own style and personal way of reporting with participants is also important. This helps to establish a better connection and mutual level of trust. Frequent check-ins can also help you gauge how participants are feeling at any given moment.

    2. Get organized with your remote tooling and processes. Start with clear communication and planning with the organization. Ensure they understand what to expect and when. Practice your remote facilitation with the tools and activities you plan to run in your audit. Templatize your data assessment exercise, your semi-structured interviews, your risk mapping activities. Whatever you can do to make things easier to repeat is great to have in your toolbox for next time and helps with keeping things organized.

    3. Allow extra time for the full engagement. While you may be able to carry out all interviews, group discussions, and technical investigations over the course of a few days when engaging in-person, expect remote engagements to take longer. Most people have a limit to the amount of time they can commit to online calls and may already be overwhelmed with them. Leave sufficient breathing room in your audit schedule.

    4. Share a pre-audit survey with staff members. An online survey sent to all staff members can help you, as an auditor, find out which members of the organization are most interested in knowing about the security gaps and mitigation strategies. It can also help you identify different user experiences, levels of security practice, and levels of awareness within the organization. Send reminders and enlist the help of senior management or leadership to encourage respondents to complete the survey. Know that not all staff will respond but seek to obtain a key sample of staff such as IT personnel, a mix of technical and non-technical staff, management, and staff in high-risk programmatic positions. Getting a variety of user views and experiences is important.

    5. When sharing an online form or survey related to baseline best practices, closed-ended questions work best. This will keep the survey short and more people are likely to respond. Save the open-ended questions for the interview.

    6. Resist the urge to only do the technical pentesting exercises. SAFETAG is made up of a variety of different components, of which only some are technical. The Interpersonal methods are very important to help build your understanding of what the organization values and how they protect it.

    7. Interweave group, one-on-one, and technical activities. Plan an audit strategy which combines key moments of group engagement (for instance an audit kick-off call, risk assessments, team/department meetings, and presentation of preliminary findings) with one-on-one interviews, and technical assessment activities (such as vulnerability assessment, open source intelligence, and network scanning). Remember that the audit process is iterative - as you discover new information from group calls, you will uncover new assets to scan, and add questions to discuss with individual team members.

    8. Schedule interviews with key staff members to follow up on survey responses and ask clarifying questions. It is best to limit these interviews to one hour, as anything longer than this can feel overwhelming and can be difficult to schedule. Agree on the logistics in advance (i.e. the platform you will use to connect, etc.).

    9. Familiarize yourself with the technology that the organization uses prior to the remote audit. If you are not yet familiar with the platforms or tools that they use, do some research prior to the audit so that learning about the technology does not take up your limited interview time. Also spend time using the SAFETAG reconnaissance activities to form an independent understanding of their digital footprint and technology used.

    10. It can be helpful to share the interview questions and/or checklists prior to the interview. This can help staff members understand what to expect and prepare for the interview. Since time is limited, this can help eliminate the need for staff to spend interview time finding answers to your questions.

    11. Have a script and an agenda ready to go prior to the meeting. In person, it is easier to go with the flow and dive into topics as they come up, but unstructured conversations online are much more difficult to navigate. It is helpful to have a plan and a structure to follow during the remote assessment.

    12. Prepare for internet connectivity issues. At times there will be challenges with internet connectivity on the side of both the interviewee and the auditor. In order to set yourself up for a successful remote audit interview and user device assessment, consider the internet connection available before proceeding with the task. Also, have a clear plan of action established in case you are disconnected. For example, specify which communication channel you will follow up on.

    13. Give staff members an indication of what to expect. Before remote interactions, let them know you will be looking into their device and browser. This will give participants the opportunity to close out of any windows they do not want to share. Also be sure to flag any tools you may be using during the interview (such as TeamViewer). Explain what the tool is capable of and provide instructions for installation before the interview and deinstallation once the interview is complete.

    14. Different organizations will have different challenges. Online assessments are easier for smaller organizations. Simpler infrastructures have fewer potential issues and are typically easier to manage. For organizations that are already accustomed to a remote-work culture, online assessments come more naturally. For larger organizations with customized systems, remote audits can be more complicated, and in some cases impossible.

    15. Make it fun! Use interactive approaches to engage participants especially in group calls. Consider using shared pads, polls, quizzes, whiteboards, and other visual simultaneous collaboration tools.

  • Responding to COVID-19: A Transition to Remote SAFETAG Audits

    For the past several years, the SAFETAG community has explored what remote support could be provided to organizations in situations where the auditor cannot travel to the organization or meet with staff in-person. There are also organizations which have distributed teams operating fully remotely or from multiple physical locations, making it difficult or impossible to conduct in-person audits. Though these conversations around remote audits began years ago, the recent COVID-19 pandemic has reignited discussions and led to a dramatic increase in the need for remote audits and other virtual digital security interventions. Civil society organizations around the world have been forced to migrate to a fully-remote workflow. This transition, in addition to creating new security challenges, has also required auditors to adapt the way in which they are providing support.

    Internews, in coordination with Digital Security Lab Ukraine, Defend Defenders, and Conexo, along with other partners around the globe, has developed a remote audit playlist, or collection of activities that can be performed remotely under varying conditions, from low-bandwidth to distributed team scenarios. Some activities (such as reconnaissance) were already remote-friendly and do not require the auditor to be in person. Other activities (such as device assessments) have been adapted to fit the remote context.

    While the remote audit playlist includes a multitude of activities that can be done remotely, it is important to consider SAFETAG’s Minimal Viable Audit, designed as the starting point for an assessment to be considered viable under the SAFETAG framework.

    Initial groundbreaking work to build a remote-friendly SAFETAG audit approach was first developed by the SAFETAG community during a 2017 content sprint. In 2020, however, remote-first audits have gone from being the exception to being the rule, driving the creation and refinement of approaches by Internews staff and partners in recent months.

    This blog highlights some considerations auditors should keep in mind when organizing and facilitating a remote audit. We’ve also highlighted below where to find existing content for your next virtual audit.

    General considerations when conducting a remote audit

    Prepare for the audit to take more time than normal. When conducting remote audits, there are various factors to take into consideration in addition to those you would need to consider during in-person audits. A remote audit for example, almost certainly will require additional time due to scheduling, coordination, and remote logistics management. Be prepared for additional mishaps and factor in slow internet connections in any remote engagement.

    Prepare to be flexible. Given we’re in the time of COVID, it is also wise to prepare to be flexible. Scheduling a team for a group exercise was difficult before the pandemic. Now it’s even more challenging with alternate schedules and balancing life both in and outside of work. Think about smaller meetings and be intentional with who you invite. Don’t require the entire organization if you don’t really need every single person at the organization.

    Build trust as best you can. This is an important factor to consider during remote audits, as your opportunity to ensure staff feel comfortable with you the auditor will be dependent on how you present yourself to them in a virtual setting. Remote meetings, particularly with individuals you are meeting for the first time, may require more effort to begin building that trust relationship with the individuals. Whereas in-person meetings allow for human connection and understanding through body language, remote meetings make nonverbal interactions more difficult. As such, it is helpful to use video meetings whenever possible.

    There is no perfect virtual replacement for in-person activities. Auditors conducting a remote assessment must accept this reality and be sure to communicate the limitations to the organization they are working with. Remote audits have additional constraints, and we must live within this reality for the moment. A remote audit may require a combination of tactics and ultimately some compromises. When meeting in person with an organization, it is easier to gain buy-in and encourage participation. If individuals are working remotely, it may be more difficult to maintain engagement. Replacing a two-hour in-person meeting to map behaviors and workflows with a 50-question survey requesting the same information will likely not yield the same results.

    Be prepared to not have all the information. Sometimes the very nature of the remote audit where you can’t check the office’s network or don’t have access to all the staff you need during the assessment process can leave you with information gaps that can be difficult to fill. Be creative in finding ways to connect the dots and look for the information as best you can.

    Consider the size and structure of the organization. A smaller organization, or one that is already remote, is easier to assess, since staff members typically have a better internet connection and are more comfortable with virtual meetings. Large organizations that are used to working together in an office setting may have more challenges with remote working, which can make them more difficult to assess virtually.

    While remote audits require additional considerations and are not a perfect replacement for in-person audits, they can be done effectively. In upcoming posts we will provide a step-by-step guide for conducting remote assessments, as well as an introduction to the new SAFETAG web interface, which will allow users to customize a playlist based on the specific needs of the organization being audited.

  • SAFETAG Community Feedback

    This is a cross-posted blog from Internews’ project which is advancing usable organizational security tools, including SAFETAG. Read more about this effort on the Global Technology Blog

    Over the last few months, we have been working with Tafka, a Mexico-based design firm, to develop a new visual identity for the SAFETAG framework. As part of these efforts, we hosted 3 community feedback calls to gather feedback. Additionally, we shared an open survey for those who were unable to join the calls. In total, we received feedback from over 25 SAFETAG users around the globe.

    We have highlighted some of the feedback we received below.

    SAFETAG could be described as:

    • “Complex, yet comprehensive”
    • “Your really smart friend that you like a lot, but gives very detailed answers to very simple questions”
    • “Flexible and adaptive”

    What makes SAFETAG and its community unique?

    • We take the time to get to know, listen, and engage with the organization before starting hands-on work during the audit
    • We are driven by the opportunity to support organizations advocating for civil and human rights, allowing them to do their work more safely and effectively
    • We strive to provide holistic support to organizations, taking into consideration digital, physical, and psycho-social components of their security
    • We enable organizations to make informed decisions regarding their digital security, and contribute to building a more resilient and sustainable foundation

    SAFETAG users believe the framework’s visual identity should be:

    • Building blocks, or individual pieces that come together to form something larger and more comprehensive
    • Colorful and approachable
    • Casual, yet professional

    What challenges do users face when navigating the framework?

    • It is big. As a new auditor, it is difficult to understand the “big picture”
    • The document is overwhelming, and it is hard to decide which parts are relevant
    • No clear hierarchy or organization
    • The information architecture is not intuitive, and it is difficult to search for content that will be relevant for a specific organization, community, or context

    What changes or features would make it easier to navigate?

    • The ability to hide activities so that you can see a smaller version of the framework
    • Less words, more visuals. A clear naming structure and hierarchy
    • A search feature, and a way to select specific activities that are relevant for a particular scenario
    • Using metadata (such as size of organization, theme of activity, etc.) to sort the activities
    • Videos, tutorials, and lessons learned for activities
    • Having a clear “table of contents” so it is easy to locate a specific section or activity

    What challenges do users face when contributing new content to the framework?

    • Many users do not feel comfortable contributing content through GitHub
    • Others reported that contributing content currently takes too long; there are limited options for smaller, less time-consuming contributions
    • The process of contributing content is difficult

    Thank you to all who joined the feedback calls or responded to the survey! The insights you shared have directly informed the design and development of the new visual identity and web interface. We hope that the new visual assets and interface will make SAFETAG easier to use and more accessible for both new and experienced auditors. We are in the final stages of work and look forward to sharing the final products soon. Stay tuned for updates!

  • Rights Con 2020: What happens between SAFETAG-based audits in NGOs? Long term tech support

    This is a cross-posted blog from Internews’ project which is advancing usable organizational security tools, including SAFETAG. Read more about this effort on the Global Technology Blog

    RightsCon, the world’s leading event on human rights in the digital age, was held online this year during the month of July 2020. Digital Security Lab Ukraine, Media Diversity Institute Armenia, and Internews led a session entitled “What happens between SAFETAG-based audits and NGOs? Long-term tech support.” This session explored how audit findings and risk reduction plans can be converted into post-audit change; how long-term support and engagement with organizations can significantly boost both accuracy of security modeling and adoption of the best and context-relevant security practices; and the successes and failures they have experienced in practicing long-term organizational security. Lessons and best practices shared during the session can be found below.

    The panel was comprised of the following individuals:

    • Maksym Lunochkin, Security Auditor and Tech Support Specialist for Digital Security Lab Ukraine
    • Anton Koushnir, Security Auditor and Trainer, Digital Security Lab Ukraine
    • Vadym Gudyma, Security Auditor and Trainer, Digital Security Lab Ukraine
    • Iryna Chulivska, Executive Director, Digital Security Lab Ukraine
    • Mykola Kostynyan, Community Engagement Manager, Internews
    • Artur Papyan, Director, Media Diversity Institute Armenia

    What is SAFETAG?

    SAFETAG is a professional audit framework that adapts traditional penetration testing and risk assessment methodologies to be relevant to smaller non-profit organizations based or operating in the developing world. SAFETAG audits serve small scale civil society organizations and independent media houses who have digital security concerns by working with them to identify the risks they face and providing capacity-aware, pragmatic next steps to address them.

    How can your team prepare to provide long-term support?

    All trainers and auditors have their own opinions on best practices, but it is critical to maintain humility and work with the organization to make sure that as an auditor, you are meeting them where they are and giving them what will be most useful for them - not what is most comfortable for you.

    One way to prepare your team to provide support is to build a high-level checklist to think through prior to engagements. This checklist can include questions to consider prior to an audit, such as:

    • How many people will provide support?
    • Who will coordinate the team and serve as the main point of contact for the organization?
    • How will the team securely communicate with each other?
    • Which organizations are we willing to support? Which are we not?
    • How much time are we willing to dedicate to support?
    • How will we measure the success of our support?
    • How and what will we document?
    • How can we as a team create interchangeable roles and back each other up?

    What approaches should we consider when implementing long-term support?

    It is important to emphasize that organizations MUST own their own approach to risk and safety. As an auditor, you cannot push an organization to do one thing or another. You must explain, teach, support, and guide. Help implement as needed. If the organization cannot adopt and implement their own choices, their safety will not improve. If you are conducting an audit or monitoring incidents of digital security attacks, which are common against journalists and human rights defenders, your job is not only to respond to the attack - it is also to make sure the organization understands what has happened and what risks they are facing.

    It is also important to avoid fear mongering. Too many digital security experts approach organizations by lecturing them on the risks they are facing and try to scare or pressure them into taking security measures. That is a really bad approach. Those facing risk are the best suited to understand it, navigate it, and mitigate it. You cannot force safety. You need to listen, provide guidance, and work with them to develop a plan and approach that makes sense for them. Threat models vary from one organization to the next; digital security is not a one-size-fits-all approach, and one organization’s approach to safety will not be the same as another’s. When providing support, your job is to make sure that both you and the organization have the information and support needed to make informed choices.

    Can we provide support remotely?

    Oftentimes, organizations’ websites are poorly maintained and no one within an organization takes on the role of applying security updates and recommendations. Through a project in Eastern Europe, Internews helps support the web development and digital security needs of media outlets and CSOs across the region. A particular dynamic of supporting websites is that, if an organization gives you login credentials, you can provide remote support. This is different from providing infrastructural support to the organization, which may require physical access to servers, machines, etc. However, providing remote support also means that you must establish clear ethical lines: with credentials and remote access, you need to be very clear with the organization on roles and rules throughout the process. In practice that means agreeing in writing what you will and will not touch, working from a separate account with only the permissions the work needs rather than a shared admin login, and having the organization revoke that access when the engagement ends.

    How has Digital Security Lab Ukraine contextualized SAFETAG to the needs of their specific region?

    SAFETAG is an incredibly flexible framework, and the similar technical infrastructure in many media outlets and CSOs means that some approaches to infrastructure can be streamlined. Additionally, DSLU pays a lot of attention to social media accounts and messaging apps, and often teaches on topics such as phishing because that is where they see a lot of risk being generated. They also focus on secure passwords, two-factor authentication (2FA), and developing best practices for how accounts are used. Additionally, DSLU hosts parties at their office to build community and will often join events where organizations who may need help will gather.

    What does long-term support look like in practice?

    When talking about long term support - it’s not three months; it’s not six months; it’s not even a year. Long-term support requires years of commitment to support in auditing, providing guidance, and helping with necessary fixes. DSLU points out that while this requires an additional level of support and funding, it is important and effective when supporting organizations after an audit.

    The panelists shared the following tips for providing long-term support to organizations after they have received a SAFETAG security audit:

    • Consistent follow-up is key. Periodically ask how things are going in the organizations you support.
    • Build internal processes within your team in order to improve your own capacity to provide support.
    • Maintain flexibility. In the long-term, organizations and people in them may change. Be flexible and willing to support them through those changes.
    • Make the process of getting, receiving, and finding help as simple and easy as possible for the organization.
    • From the beginning of the process, explain your role clearly and let the organization know what support you can offer now and in the long-term.


  • From Usability to Threat Modeling


    Across our portfolio of technology, training, and advocacy to support a free and open Internet that protects and advances human rights, we are assembling a wide array of foundational resources (all released under Creative Commons licenses!).

    These include user personas with community-built lists of needs, and information about the threats or adversaries they face. This collection of different resources is not coincidental – it builds a space in the middle to create detailed threat models around specific tools and practices and paves the way to more expansive and cohesive long term digital safety strategies for resilient communities.

    Threat Modeling in Internet Freedom Projects

    It's important to underline that this is not a new concept -- certainly there are many security tools which already carefully consider threat models during development; there is much written on using use cases and "misuse cases" to expose the security and usability requirements for tools -- this paper provides a good overview, and EFF's Security Education Companion coverage of Threat Models introduces the concept for use in training.

    What we have

    At-Risk User Personas

    Our project has a user persona library with 30+ user personas from around the world, representing LGBTQI activists, persons with disabilities, human rights defenders in closed states, and many more. These are not simply idealized stereotypes, however - they are created by the at-risk users themselves to provide authentic insight into the lived experiences, needs, and threats of these communities without putting any specific members of their community at risk. These personas provide critical insights into the needs and threats real people face in challenging environments. Tools for these communities need to be resilient against a wide variety of technical, physical, and legal attacks while also being easy to use, with little or no training.

    Contextual Digital Risk Assessments

    Risk Assessments are a core of Internews' internal risk management process, and we also strongly encourage auditors using the SAFETAG framework to leverage a similar approach to research the technical and social context that they are working in when assessing an organization's security. The framework provides a guide to research the technical capacity of potential threat actors, including both historical attack data and any indicators of changes to their capacity. Auditors are encouraged to also look at focal areas and trends.

    What we’re building

    Under the next phase of USABLE’s work, we will be building two new resources - “personas” which represent the needs of organizations and communities and “personas” which capture the capabilities and motivations of realistic but generalized adversaries.

    Organizational Archetypes

    Organizational Archetypes capture the complex needs of organizations and communities, spanning from grassroots communities all the way up to donors in the space facing state-level adversaries. What are the more complex needs and different threats faced when collaborating? Secure messaging, calls, and document collaboration are all significantly more complex when you have multiple people or organizations involved, and tools which are relatively easy to swap in and out at a personal level become far more complex if an entire organization depends upon them as a core part of their workflow.

    Adversary Personas

    Adversary Personas will contain realistic details of generalized adversaries’ capacities and what issues these actors are willing to expend resources and build capacity to undermine. Organizations will be able to use these resources to anticipate potential threats and malicious actions and proactively develop practices and responses to realistic situations. This will enable developers, trainers, policymakers, funders, and others to contextualize their work against a wider variety of threat actors without having to rely on any one specific nation-state as a "bogeyman." I specifically hope this enables richer conversation around actual threats while removing cultural stereotypes and prejudices.

    From Resources to Practice

    These are collectively designed to enable unbiased discussions and strategy development around the serious challenges and threats users, organizations, and entire communities face, the tools we use to help, and tools, practices, or policies we wish we had.

    • Responses focused on threats, not just threat actors. Threat actors change and evolve, and often have more capacity than is publicly confirmed (but perhaps less than is presumed through rumor). By extracting and de-personalizing aspects of this, we can have clearer discussions. Further, naming specific existing actors, especially in open source tools, can overly complicate the public profile of the tool as well as of those using it. If a tool is clearly built to combat a specific actor, then users of that tool can be seen as inherently aligned against that actor. This has already resulted in excessive targeting and jailing of activists based on their tool choice.
    • Identification of common, cross-regional threats. What attacks, specific techniques, and even malicious tools are being used and re-used globally? Are there patterns we can detect and build proactive defenses against?
    • Gap identification. What gaps remain when we look at this data mapped out? Is anyone working to address them? What solutions (tools, training, policy changes) could be used? How do we sustainably build these resources?
    • More dynamic responses, more resilient communities. By tackling the inputs into this process separately, we can update our models more agilely and plan against a wider variety of attacks to build tools and guidance that are more resilient to more types of threat actors as well as to changes in any specific actor.
    • Future-looking strategies. With these fictional personas and archetypes, we do not have to be as limited to current actors and their capacities. We can (within reason) consider possible future threats that activists may face by remixing and extrapolating from current threats. Anticipating these risks will allow us to build mitigating tools sooner rather than later. Dystopian cyberpunk scenarios welcome!
    • Tabletop scenarios. These resources can be used to develop tabletop scenarios to explore current and emerging threats and build creative responses to them. These scenarios are useful in advanced trainings, tool development, and strategy building exercises. Fictional but realistic adversaries and personas make it possible to get into detail around specific threats and mitigations without the discussion becoming personal, with less risk of bias, and with less potential for trauma.

    We are just getting started and would love to hear from you on what data you hope to find in these resources, how you would use and adapt them, and more! You can reach us at [email protected].


  • Introducing ADOPTABLE

    This is a cross-posted blog from Internews’ project which is advancing usable organizational security tools, including SAFETAG. Read more about this effort on the Global Technology Blog

    Equipping at-risk organizations with localized expertise, resources, and tools to mitigate digital attacks

    Human rights organizations around the globe continue to face ongoing and increasing digital security threats from state and non-state actors. ADOPTABLE (Adaptable Digital and Organizational Protections by Transforming and Building Long-term Ecosystems) is an Internews project designed to help these at-risk organizations access relevant resources (human, financial, and technical tools) that will allow them to continue to operate safely. Without access to local organizational security experts, usable security and privacy tools, buy-in from decision-makers, and support from funders to adopt stronger safety practices, the organizations and their beneficiaries remain at risk, as does their crucial work.

    The project consists of four core components:

    Expanding the capacity of regional and local partners to address organizational security risks

    Internews will support experienced partners in Latin America, Sub-Saharan Africa, and Eastern Europe to become regionally recognized centers of expertise on organizational security and build out local and regional ecosystems of organizational security auditors. Partners will conduct Trainings of Auditors (ToAs) to train and/or upskill local security auditors in their regions on the SAFETAG framework. These newly trained auditors will work with experienced auditors to gain first-hand experience in conducting audits, while also collecting feedback on organizational security tools being used by at-risk organizations. To improve the scalability of this localization of expertise, Internews is also working to improve the SAFETAG onboarding and training process and make the framework more accessible by developing a new interface. More on that process here.

    Improving the adoption of organizational security practices within at-risk organizations

    Internews will fund at least 5 audits or engagements in each of the three target regions. At-risk organizations will undergo a full security audit and receive a detailed Risk Reduction Plan (RRP), which outlines tangible steps they can take to mitigate their risks. Even after a security audit, Internews has found that many organizations lack the resources needed to implement the recommendations provided by an expert. Without the ability to implement these changes, organizations are no more secure than they were before an audit. Internews will ensure that these organizations are able to implement the recommended changes by providing direct financial support after the audits. A variety of mitigation efforts may be eligible for support, including trainings for organization staff, facilitation of a security service by a third party, or the purchase of software and hardware.

    Developing and enhancing feedback collection mechanisms to ensure at-risk users have a voice in the design and development of open source privacy and security tools

    As part of the USABLE approach, Internews created feedback loops between at-risk users, digital security trainers, and open source tool developers. Internews will continue to collect feedback from at-risk individual users, while also expanding to capture organization-wide feedback on security and privacy tools. Most notably, the USABLE approach will be integrated into the SAFETAG framework, allowing SAFETAG auditors to identify gaps and usability issues with privacy tools being used at the organizational level. Through virtual Cross-Regional Convenings, Internews will work with partners to update the activities in the UX Feedback Collection Guidebook, develop organizational archetypes to further build out our library of user personas, and map the current landscape of open source tools being used by at-risk communities around the globe. Following the virtual convenings, Internews will launch a pool of funding for trainers and auditors to integrate feedback collection activities into their digital security trainings or organizational audits. The high-quality feedback collected during these engagements will be shared with developers through their preferred channels. Key communities will convene once more at the end of the project for the third UXForum to continue devising ways to scale and sustain feedback loops.

    Enhancing the usability and accessibility of open source privacy and security tools

    Internews will launch the third round of the UX Fund. This funding pool will provide support to privacy and security tool teams, enabling them to work with UX and accessibility experts to implement human-centered, usability-focused tool improvements. These changes will ultimately strengthen the tools, making them more secure for the at-risk individuals and organizations who need them the most.

    Ultimately, we believe that with more localized tools and stronger local support, at-risk organizations will be better equipped to withstand the digital attacks and surveillance they currently face.


  • IFF Organizational Security Village Day 5

    Internews is hosting the virtual Internet Freedom Festival (IFF) Organizational Security Village throughout this week (June 8-12)! The event is bringing together security auditors, digital security trainers, and other experts and practitioners for a five-day program of over 20 community-led sessions exploring five major themes in organizational security.

    Sessions on Day 5 focused on funding OrgSec work and Monitoring & Evaluation.

    Highlights from Day 5 of the OrgSec village included:

    • A discussion around how small, local digital support initiatives can fund digital security assistance for nonprofits through strategic networking.
    • A brainstorm around ways to better support digital security programs through informing and coordinating with donors.
    • An open dialogue on evaluating audit success from an auditor’s perspective.
    • A presentation of frameworks to measure the impact of organizational security work.

    Key takeaways from the discussions included:

    • Securing funding is a challenge for OrgSec practitioners. Organizations need to better incorporate digital and organizational security into their budgets and marketing and communications plans. More broadly, there is a need for coordination within the local and international OrgSec community to promote knowledge sharing and establish partnerships in order to educate and coordinate with donors more effectively. Donors also need to adopt digital security practices that allow them to engage with organizations and support their work safely.
    • Community members debated the value of establishing certifications or skills qualifications for work in the space in order to reduce the reliance on trust networks. This could reduce barriers to funding and opportunities for work for new practitioners who may be less known to both funders and at-risk organizations seeking support. However, establishing community-wide agreed upon standards and mitigating the substantial additional barriers to entry (e.g. cost, training opportunities and locations, personal and unfunded time) caused by any such certification system pose a formidable challenge.
    • Measuring the impact of OrgSec programs is important in order to evaluate and improve approaches and communicate success to donors. While it is easy to focus on measuring purely digital risk, it is important to bear in mind that effective OrgSec should take a holistic approach that also incorporates psychosocial support and physical aspects.
    • Whether to evaluate OrgSec interventions using shared community standards or by measuring change within an organization and against its own threat model continued to inspire debate among community members. The Engine Room shared a Monitoring and Evaluation Framework for Organisational Security - which takes the latter approach - for practitioners to adapt for their own M&E practices.

    Thank you for participating in OrgSec this week! If you’d like to continue the conversation head to We will be posting shared notes from the event on the wiki next week!

    The five OrgSec Village themes are: 1. Approaches to OrgSec; 2. OrgSec in Practice; 3. Advanced Threats; 4. Funding OrgSec Work; 5. Monitoring and Evaluation.


  • IFF Organizational Security Village Day 4


    Sessions on Day 4 focused on responding to advanced threats.

    Highlights from Day 4 of the OrgSec village included:

    • A conversation on community insights to improve automated threat modeling, gathering inputs from a diverse range of individuals and groups regarding the threats they face.
    • A session demonstrating how to build a threat lab with your bare hands … and a laptop.
    • An overview of digital threat information sharing for human rights.

    Key takeaways from the discussions included:

    • Threat detection isn’t only about fancy technology! A lot of endpoint detection is process- and practice-oriented. Impressing on partners the importance of antivirus and software updates, teaching them what abnormal activity looks like, or making sure they know the process for calling first responders takes training, process development, and awareness raising.

    • Trust is a key component of threat information sharing. Knowing who and where to share information about threats requires personal connections and existing trust relationships, which can feel like a barrier to entering the space. But community networks like the Computer Incident Response Center for Civil Society (CiviCERT) and information sharing standards such as the Traffic Light Protocol (TLP) can lower barriers and facilitate sharing through established community standards.

    • Getting started in threat analysis requires trust, skills, and time. Though you will eventually need computers powerful enough to run virtual machines, more advanced skills, and connections to other researchers and communities like CiviCERT, don’t be intimidated by the technical jargon! All it takes to get started is a willingness to learn.

    • Human rights advocates are facing attacks such as phishing and publication of their identifying details (doxxing) by government or state-sponsored adversaries, built on online open source intelligence (OSINT) gathering. When threat modeling, it is important to identify the types of public data that make you vulnerable and that adversaries may try to exploit.
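    The Traffic Light Protocol mentioned above is simple enough to encode, and encoding it is useful once several people on a small support team are forwarding reports to partners, a CERT, or the public. The following is an added example, not code from the session or from CiviCERT: it implements the FIRST TLP 2.0 label definitions as a sharing check, treats the retired TLP 1.0 label TLP:WHITE as TLP:CLEAR, and fails closed (handles the report as TLP:RED) when no label is present. The audience categories, the fail-closed default, and the sample reports are this example's own constructions, not part of the TLP standard.

```python
"""Traffic Light Protocol (TLP 2.0) sharing check.

Added example; not code from the OrgSec Village session or CiviCERT.
The label rules follow the FIRST TLP 2.0 definitions (first.org/tlp).
The audience categories, the fail-closed default for unlabelled material,
and the sample reports are constructed for this example.
"""
import re
from enum import Enum


class Audience(Enum):
    RECIPIENT = "named recipient"                # the person the report was sent to
    OWN_ORG = "own organisation"                 # colleagues inside the recipient's organisation
    CLIENT = "client or supported organisation"  # organisations the recipient supports
    COMMUNITY = "trusted community"              # wider sector peers, e.g. a CERT membership
    PUBLIC = "public"                            # anyone, including publication


# TLP 2.0 labels and the widest audience each permits:
#   TLP:CLEAR        no limits on disclosure
#   TLP:GREEN        the community, but not publicly
#   TLP:AMBER        the organisation and its clients, on a need-to-know basis
#   TLP:AMBER+STRICT the organisation only
#   TLP:RED          named recipients only
TLP_RULES = {
    "TLP:CLEAR": {Audience.RECIPIENT, Audience.OWN_ORG, Audience.CLIENT,
                  Audience.COMMUNITY, Audience.PUBLIC},
    "TLP:GREEN": {Audience.RECIPIENT, Audience.OWN_ORG, Audience.CLIENT,
                  Audience.COMMUNITY},
    "TLP:AMBER": {Audience.RECIPIENT, Audience.OWN_ORG, Audience.CLIENT},
    "TLP:AMBER+STRICT": {Audience.RECIPIENT, Audience.OWN_ORG},
    "TLP:RED": {Audience.RECIPIENT},
}

# TLP 1.0's WHITE was replaced by CLEAR in TLP 2.0; older reports still carry it.
LEGACY_ALIASES = {"TLP:WHITE": "TLP:CLEAR"}

# AMBER+STRICT is listed before AMBER so the longer label wins.
_LABEL_RE = re.compile(r"TLP:(CLEAR|WHITE|GREEN|AMBER\+STRICT|AMBER|RED)\b", re.IGNORECASE)


def extract_label(report: str) -> str:
    """Return the canonical TLP label found in a report, or TLP:RED if there is none.

    Failing closed on unlabelled material is this example's policy choice, not a TLP
    rule: an unlabelled report is handled under the most restrictive label until the
    sender confirms otherwise.
    """
    match = _LABEL_RE.search(report)
    if not match:
        return "TLP:RED"
    label = "TLP:" + match.group(1).upper()
    return LEGACY_ALIASES.get(label, label)


def may_share(label: str, audience: Audience) -> bool:
    """True if the label permits sharing with the given audience."""
    if label not in TLP_RULES:
        raise ValueError(f"unknown TLP label: {label}")
    return audience in TLP_RULES[label]


def triage(report: str, audience: Audience) -> dict:
    """Decide whether a report may go to an audience, recording the label applied."""
    label = extract_label(report)
    return {"label": label, "audience": audience.value, "ok": may_share(label, audience)}


# Constructed sample reports, in the form a small team might receive them.
SAMPLE_REPORTS = {
    "phishing_kit": "TLP:AMBER  Credential-phishing kit targeting newsroom webmail; IoCs attached.",
    "ioc_digest": "TLP:GREEN  Weekly indicator digest for member organisations.",
    "unlabelled": "Heads-up: suspicious admin login on a partner's CMS last night.",
    "legacy_label": "TLP:WHITE  Public advisory: update your CMS plugins.",
}


if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        for audience in Audience:
            decision = triage(report, audience)
            verdict = "share" if decision["ok"] else "do not share"
            print(f"{name:13} {decision['label']:17} -> {audience.value:35} {verdict}")
```

    Run as a script it prints a sharing matrix for the four sample reports. The one deliberate deviation from the letter of the standard is the unlabelled case: TLP only defines what each label permits, so what to do with material that carries none is a local policy decision, and defaulting to TLP:RED means a forgotten label can never widen an audience by accident.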

    Join us for the last day!

    Join us for the final sessions this Friday, with a focus on assessing impact and funding organizational security!




  • IFF Organizational Security Village Day 3


    Sessions on Day 3 continued to explore examples of OrgSec in Practice.

    Highlights from Day 3 of the OrgSec village included:

    • A collective discussion around what we mean as a community when we say OrgSec Crisis Response, and how we can provide comprehensive crisis response support.
    • An informal session sharing practitioners’ experiences conducting Remote Organizational Assessments, Remote Tech Assistance, and other remote interventions.
    • A case study of one organization’s experience launching a Website with Digital Security Instructions and the unexpected ways audiences used it.
    • A presentation on the RAWRR (Risk Assessment Workflow Recommendation Roadmap) tool for documenting security assessments, risk modelling, recommendation development and implementation monitoring.
    • A review of Security Governance in CSOs exploring ways to scale policy development approaches to different sizes, capacities, and complexities of organisations and communities.

    Key takeaways from the discussions included:

    • Remote interventions do work, but require more time and preparation than face-to-face support. Remote interventions save the time and money spent on travel, and can be the right format for rapid response or consultations (especially when trust is already established) as well as for facilitated online learning. However, they require significant time investment and present additional challenges: remote trust building is tricky, many people are uncomfortable enabling remote device access, and technical barriers such as poor internet connectivity or limited tech skills among staff may emerge. Finally, if something goes wrong that cannot be fixed remotely, there is no fallback short of an on-site visit.

    • Web-based digital security guides are not dead (but keep them simple)! Websites with complicated interactive guides addressing specific threat models don’t get sustained engagement and are difficult and expensive to maintain long-term. In contrast, sites with a set of searchable, specific, and updated instructions for different tools and cases can be a useful resource for post-audit and training communications and remote support and incident response. In addition, they are easier to keep up-to-date.

    • It’s crucial to tailor security audit reports to the audience in mind. Whether the report is for management or IT staff with technical know-how will dictate the specificity and structure of the report. There was community consensus that risk should be the focus of audit reports. Shorter reports focusing on action steps may be useful for organizations with limited bandwidth and interest in holistic security; in-depth reports detailing the process and connecting recommendations to risk are a more useful resource for organizations wishing to replicate the process down the line or build their own internal digital security expertise.

    • When developing organizational security policies, don’t start from scratch! There are many existing policy frameworks for practitioners to draw upon when assisting civil society organizations. Start with SOAP, SDA, and resources from Access Now and the OrgSec Wiki.

    It’s not too late to register!

    Join us for more sessions throughout the week on OrgSec in Practice, Advanced Threats, Funding Models, and more!




  • IFF Organizational Security Village Day 2


    Sessions on Day 2 explored examples of OrgSec in Practice.

    Highlights from Day 2 of the OrgSec village included:

    • A collaborative survey of the OrgSec Community’s Response to Emerging Crises.
    • A presentation of work carried out with the Mechanism for the Integral Protection of Human Rights Defenders and Journalists in Mexico City, including a typology and workflow for the diagnosis of digital incidents.
    • A discussion around Non-technical Due Diligence when choosing security tools and services, exploring questions on jurisdiction, open sourcing, and reputation.
    • An exploration of alliances as a support mechanism to guarantee the Digital Security of Human Rights Defenders Working in Civic and Internet Repressive Environments.
    • A step-by-step playbook of the OrgSec Audit Process in different contexts.
    • A hard look at how Digital Security Trainings can do More Harm than Good.

    Key takeaways from the discussions included:

    • Cross-sector partnerships can expand OrgSec support. At times, it can be advantageous for organizations providing digital security support to at-risk communities to coordinate with government agencies offering similar support mechanisms, where the community’s threat model allows for it. Traditional training methods combined with local and federal protection mechanisms can strengthen protection for those communities who are most at risk.

    • Approaches to OrgSec must be adapted to the local context or threat model. What may be a serious threat to one organization may not be to another. When working with an organization, it is important to understand the threats relevant to their work and location. What are the risks that they face? What has been happening to similar organizations in the region? It is not a one-size-fits-all approach, but rather needs to be tailored to the needs and capacity of each organization.

    • Empower organizations with the knowledge and guidance to understand and mitigate their risks. Security can be overwhelming, particularly for less-technical users. It is critical for an auditor or trainer to focus on the how and why and not just the end result. The more organizations understand, the more confident they will be. This will better equip them to replicate the process in the future. Accessible language and easy to navigate guides and checklists can facilitate this sharing of knowledge.

    • Know when your support does more harm than good. Digital security trainings are helpful – except for when they’re not. As an auditor or trainer, it is often difficult to find the time needed to properly onboard organizations to the security practices they need. Behavior change takes time and cannot be accomplished in a two-hour training session. There is no guarantee that the organization will continue to properly use (or use at all) a tool or software installed or downloaded during the training. OrgSec practitioners must be aware of these limitations, as insufficient training or support may lead to a false sense of security and can ultimately put the organization at a greater risk than they were to begin with.

    • SAFETAG is meant to be a general framework. The SAFETAG framework serves as a toolbox, or collection of relevant tools and activities that can be used to conduct an organizational security audit. When planning for an audit, the auditor must select which tools and activities are most relevant based on the local context, size of the organization, and resources available. Some activities may be too complicated or irrelevant. You do not need to complete every activity in the SAFETAG framework!

    It’s not too late to register!

    Join us for more sessions throughout the week on OrgSec in Practice, Advanced Threats, Funding Models, and more!

    Register at:

    The five OrgSec Village themes are: 1. Approaches to OrgSec, 2. OrgSec in Practice, 3. Advanced Threats, 4. Funding OrgSec Work, 5. Monitoring and Evaluation.

    Read more

  • IFF Organizational Security Village Day 1

    Internews is hosting the virtual Internet Freedom Festival (IFF) Organizational Security Village throughout this week (June 8-12)! The event is bringing together security auditors, digital security trainers, and other experts and practitioners for a five-day program of over 20 community-led sessions exploring five major themes in organizational security.

    Sessions on Day 1 centered around diverse approaches to OrgSec adopted by practitioners in the community.

    Highlights from Day 1 of the OrgSec village included:

    • A co-creation session on making Organizational Security Community Spaces more Useful, Inclusive, and Resilient.
    • A discussion on ways to Scale Organizational Security Assistance.
    • A session on Strategies to Avoid Dependency and Deliver Lasting Change through OrgSec interventions.
    • A conversation around the Importance of Long Term Support and Engagement beyond digital security assessments in delivering organizational change.

    Key takeaways from the discussions included:

    • The goal of OrgSec work is to make itself obsolete! While it is easy to focus on tangible outputs like audits or reports, most auditors and trainers prioritize increased internal organizational security expertise and decreased dependence on external security help. Effective strategies include finding digital security champions within organizations and building capacity in the surrounding community. Building the confidence and ability of those in the organizations to put digital security into practice is just as important as hardening their digital security.

    • Organizational Security assistance is not being made available to those who need it the most. In the US and globally marginalized communities facing the greatest threats are also those with least access to critical digital security resources (both human and financial). It is imperative to address this fact when designing programs and change the language we are using to be more inclusive of these communities.

    • A security audit or assessment is just the beginning! Most organizations need long-term support to make an effective change in their practices and harden their defenses against digital security attacks. Despite this, funding structures supporting current OrgSec work are not conducive to long-term engagement. Practitioners need to consider how to bake sustainability and long-term support into program design.

    It’s not too late to register!

    Join us for more sessions throughout the week on OrgSec in Practice, Advanced Threats, Funding Models, and more!

    Register at:

    The five OrgSec Village themes are: 1. Approaches to OrgSec, 2. OrgSec in Practice, 3. Advanced Threats, 4. Funding OrgSec Work, 5. Monitoring and Evaluation.

    Read more

  • Join us for the IFF Organizational Security Village!

    The five OrgSec Village themes are: 1. Approaches to OrgSec, 2. OrgSec in Practice, 3. Advanced Threats, 4. Funding OrgSec Work, 5. Monitoring and Evaluation.

    IFF OrgSec Village

    Internews is excited to announce that we will be hosting a virtual Internet Freedom Festival (IFF) Organizational Security Village from June 8-12. This event will bring together security auditors, digital security trainers, and other experts and practitioners for a five-day program of over 20 community-led sessions exploring five major themes in organizational security.

    Virtual Village Format

    Based on feedback from the community, we have decided to host live sessions during the week, with each day of programming beginning around 12:30 UTC, and ending no later than 20:00 UTC. Each session will last approximately 50 minutes, with a short break in between sessions. We will be sharing a schedule and additional information on each session prior to the event. You are invited to join as many or as few sessions as you would like!

    We recognize that some folks may not be able to join due to timing or prior engagements. To ensure that everyone has the opportunity to contribute in some way, non-attributed, editable notes from each session will be made available. We will also use the IFF Mattermost for asynchronous collaboration and networking. If you do not have an IFF Mattermost account, please email [email protected].

    Registration and CoC

    Please let us know you will be attending by registering here:

    We ask that you register even if you are only able to attend a few days or sessions. Event access details will only be shared with registered participants. Please also complete the registration form if you are not able to join the live sessions but would like to review notes or contribute asynchronously.

    This event will follow the IFF Code of Conduct.

    Read more

  • Community Call for Feedback!!

    Last month, we shared that we would be updating the visual identity of SAFETAG, including the development of a new logo, color-scheme, and iconography. We are excited to share that we will be working with Tafka, a design collective based in Mexico, and are officially starting the re-design process!

    Why re-design SAFETAG?

    We have decided to re-design SAFETAG to provide a more cohesive and recognizable brand. The new digital assets will be used across the website, interface (more details below), and all other SAFETAG documentation. Our hope is that this new design will make content more accessible for users, particularly new auditors that may have previously struggled with navigating through the framework.

    New Interface (coming soon)

    In addition to the re-design, we are working with a development team to build a new SAFETAG interface that is easier to use and more accessible for both new and experienced auditors. The new interface will allow auditors to generate “playlists,” or collections of audit activities, tailored to a specific type of organization or risk environment. These customized and shareable playlists can be stored for future reference or shared with other auditors working in similar contexts. We are expecting to launch the new interface during the late summer or early fall of 2020.

    We need you!

    In order to make sure that the new design reflects the needs of the SAFETAG community, we would like to invite all SAFETAG users, both new and experienced, to share feedback with us. We will be holding two open community calls on May 19, 2020 at 10:30 am ET and another on May 21 at 9:00 am ET. Please let us know you will be attending one of the calls by registering here. We will be sharing details for joining the call directly via email with those who RSVP.

    In addition to the community feedback calls, we would also like to invite community members to complete a short survey. This 20-question survey will allow us to collect any ideas and feedback you may have and provide space for those who may not be able to join one of the community feedback calls to share thoughts asynchronously. We look forward to hearing from you and incorporating your thoughts and feedback into this design process!

    Read more

  • Re-designing SAFETAG: Developing a Brand

    We are currently looking for a designer to help us develop a new, updated brand for our SAFETAG methodology. SAFETAG is an auditing framework, created to work with small-scale media houses and civil society organizations who have digital security concerns by identifying the risks they face and providing capacity-aware, pragmatic next steps to address them. Ultimately, SAFETAG was created to make these small organizations stronger and more resilient to the threats they are up against.

    We are in the process of developing a new interface for the SAFETAG framework, which will be interactive and easier for users (both new and experienced) to navigate. The interface will allow users to create their own playlists comprised of the SAFETAG activities they will be using during an audit. In advance of the launch of this new interface, we are hoping to bring a fresh new face to the SAFETAG methodology, including a new logo. The new brand and imaging will be used across the website, interface, and all other SAFETAG documentation. Our goal is to establish a relevant brand that is both informative and accessible for all who engage with the SAFETAG framework.

    We expect this design process to take a total of 4-6 weeks, including time for interviews with our more experienced SAFETAG partners and the Internews team. See below for an expected timeline and outputs.

    Organizations, companies, or individuals are eligible to apply for this opportunity.

    Please apply using this form if this is an opportunity you are interested in.

    Read more

  • Shape the agenda for the Internet Freedom Festival's OrgSec Village

    UPDATE: IFF has been cancelled!

    Please read the official statement at the IFF website

    We are reviewing the OrgSec Village applications and considering options to revisit this through other conferences later in 2020 or virtually.

    Read more

  • Curricula updates and new approaches for emerging challenges!

    Curricula Updates

    Karisma's SAFETAG Curriculum

    The SAFETAG Curriculum has also been updated to better match the changes to the SAFETAG methodology over the past 2 years and introduce some of the clarifying context (such as the TRI approach) to selecting activities.

    Based on their work training auditors in Colombia, Fundación Karisma developed a custom curriculum (in Spanish) that adapts the SAFETAG methodology to reflect the needs and context of Colombian civil society organizations. It is included as part of the 0.7.0 release and available directly from Karisma: Currículo para auditores de seguridad digital.

    Emerging Challenges

    SAFETAG Fellows and partners gathered for a 3-day workshop in September 2018 to expand the guidance that the SAFETAG framework has for auditors to assist organizations facing emerging challenges and new technology such as increased reliance on cloud services, the Internet of Things, and more.

    In addition, AccessNow developed two new activities, drawn from their work with vulnerable populations, that help capture the personal aspects of organizational security.

    Thanks to all the contributions and support from the fellows in creating this!

    This updated content is available in the repository and as pre-compiled PDFs in the 0.7 release.

    New Method and Activities for reviewing organizational policies

    While implicit across multiple parts of SAFETAG, this new method formalizes a process for reviewing both the formal and the informal policies and practices of an organization. It draws on inputs from the Capacity Assessment methodology and adds two specific exercises: one for working with organizations that have formal policies, and one for identifying informal agreements and practices.

    New and Updated Activities

    “Night in the Life”

    This activity has the auditor discuss with the staff about their practices, personal devices, software and other security capabilities that they use outside of work. This is used to develop a report component exposing how practices outside of their work can affect their personal security and that of the organization.

    Self Doxing

    Doxing (also “doxxing” or “d0xing”, a word derived from “documents”, or “docs”) consists of tracing and gathering information about someone using sources that are freely available on the internet (called OSINT, or Open Source INTelligence).

    Doxing is premised on the idea that “The more you know about your target, the easier it will be to find their flaws”. A malicious actor may use this method to identify valuable information about their target. Once they have found sensitive information, they may publish this information for defamation, blackmail the target person, or use it for other goals.

    This activity aims to help participants identify any unwanted personal information that may be publicly available online, and to make them aware of the risk of doxing and how to prevent it.

    Cloud Provider Assessment

    It is increasingly difficult to run a complex organization without some reliance on cloud-based service providers for email hosting, web hosting, or document management and backup. Organizations, with the auditor's help, should review their options when selecting cloud providers and, in parallel, consider the practices and policies they apply to their use so that organizational security requirements are met.

    This activity helps auditors enumerate the cloud providers the organization works with (both formally/officially and as shadow IT infrastructure), map out what data and metadata is shared where and what access and technical controls are available, and assess the resulting risks.

    Updates to Network Scanning: Assessing IoT devices

    We have significantly updated and streamlined the network scanning activity to include overall guidelines for identifying and assessing IoT devices on office networks. In addition, it’s worth highlighting an entire activity devoted to working with VOIP systems.

    Work still in draft

    We also began a section called “Fear Mapping” to help identify, quantify, and manage fears. See issue #397 for the status and next steps.

    Read more

  • New Translations of SAFETAG

    SAFETAG's Information flow in Arabic

    We are happy to announce that SAFETAG’s methods are now available in Russian, Arabic, and Spanish (updated)!

    Please give a huge thanks to Localization Lab and their network of expert volunteers.

    Also note that we are very close to connecting the SAFETAG repository directly with the Transifex platform to streamline the translation process moving forward. SAFETAG welcomes new content in any language. If you want to create new content in our current non-English languages or add content in a new language, please contact [email protected] or submit an issue so we can help get it set up.

    Read more

  • The challenges of reporting: Reporting Styles

    This article was written by Carlos Guerra with the input and help of Mario Felaco of Con-nexo. See part 1: The Challenges of Reporting

    That said, some of the kinds of reports I’ve seen in my evaluations and in others' work are:

    1: The magic recipe oriented report

    Simple, short and sometimes effective. Usually this kind of report has a short list of actions the organization needs to take to improve its security; sometimes this list is divided into immediate, short, medium and long term. The actions can be as brief or as detailed as we want them to be.

    Pros:

    • If the organization gave you only a few days to assess them, they will have 5 minutes to read this list

    • If the organization speaks the same language as us by the end of the assessment, this kind of report will speed up the implementation

    • It is fast to build, so we can help the organization implement security measures right away

    Cons:

    • Recommendations are not linked to the threat model, so the organization isn’t aware of the importance of the recommendations or of their order

    • Does not build the organization’s own agency in understanding or mitigating their risks

    • Could be confusing if the actions are not clear for the reader

    • Communicating technical things can be challenging and can cause the organization to dismiss recommendations just for not understanding them

    • Generally not suitable for sharing with third parties, given the lack of detail

    • It’s difficult for the organization to reproduce the results

    2: The asset oriented report

    The organization generally knows what assets they have, so it’s worth talking in a language they can understand easily.

    Pros:

    • Easy in terms of communication

    • Given the risk of each asset, they can decide what kind of recommendations they want to apply first, taking more ownership of the security process

    • It is easier to share part of the report with external consultants, who usually work with specific types of assets

    • The report is easy to collaborate on when there is more than one person running the assessment.

    Cons:

    • Depending on the structure and level of detail, it could be difficult for the organization to reproduce the results

    • Depending on the structure and level of detail, it could be challenging to communicate technical things, causing the organization to dismiss recommendations just for not understanding them

    • Could be difficult to organize when similar assets have different threat models

    • Could be difficult to link the specific assessment activities with the assets

    • Could be difficult to organize visually assets vs. risk associated vs. implementation terms

    3: The activity oriented report

    Another way we can order the information from the assessment is according to the specific activities we run during it. This usually leads to specifying clearly which tools or indicators were used, making it a good input for IT staff and consultants working with the organization.

    Pros:

    • Allows us to build the report faster, because we can feed this kind of report as a log during the process

    • Could be intuitive for technical audiences. Useful when the organization has IT staff and they are the most involved party during the assessment. With this format it is easier for them to reproduce the results

    • If we want to do more activities during the process, it is more intuitive to add the new information to the report

    • The report is easy to feed by more than one person running the assessment.

    Cons:

    • Generally not the most intuitive format for the organizations, given that they may not be familiar with our activities/tools

    • Depending on the structure and level of detail, it could be challenging to communicate technical things, causing the organization to dismiss recommendations just for not understanding them

    • Could be difficult to organize visually activities vs. assets vs. risk associated vs. implementation terms

    • It doesn’t work as well for assessments that go beyond the more specific technical aspects – it is hard to bring in higher level (policy, practice) problems which do not cleanly “fit” in any one activity.

    4: The super comprehensive (and sometimes dangerously long) risk oriented report

    This approach is without doubt the most complete one in this article. It aims to catalogue and develop 4 types of information:

    1. Threats: coming principally from the threat modelling activity

    2. Vulnerabilities: discovered during the execution of the assessment activities

    3. Recommendations: developed to respond to the vulnerabilities discovered

    4. Implementation plan: ordering the recommendations in a way that makes sense for the organization

    We get better results with this approach when we link the vulnerabilities with the associated threats and with the corresponding recommendations, so that when reading a recommendation we know which vulnerabilities and threats it tries to address, giving the reader the most important answers she/he needs.

    Given the complexity of this approach, it is crucial to select a structure and format that makes it easy for the reader to reach the information he/she wants without being distracted by noise. This can be particularly challenging when using formats like PDF or odt/docx.

    Pros:

    • Usually everything you want to know about the assessment is in the report, which helps the organization's understanding, especially when in the future it will be more difficult to contact us

    • Guarantees that the assessors are linking suggestions to identified threats and organizational priorities

    • It links the group exercises done during the assessment directly with the recommendations, making it easier for the organization to understand their relevance

    • Follows an ordered process, leaving an open door to automation (spoiler: working on that :wink: )

    • It helps the organization to keep an eye on the evolution of their threat model while implementing the recommendations, making the organization an active part in the process of follow-up and opens a door to do a better Monitoring and Evaluation of the security implementation process

    Cons:

    • Could be overwhelming to write and overwhelming to read if the format is not clear and ordered

    • Takes a long time to build (Careful with the need of the organization to start working fast on security measures)

    • Could take long time to read (Again careful with formats, if someone needs/wants to read just 5% of the report help her/him to reach quickly and effectively to that 5%)

    • This format requires running the threat modelling activities from SAFETAG (Which in my opinion should be the norm, but it could affect your freedom selecting the activities)

    5: The awesome format that you use and we don’t know… yet

    Understanding that there is no silver bullet for reporting security assessments for NGOs and independent media outlets, we can open the discussion about many other ways to present the information we gather during our assessments. If you know and/or use another approach and want to share it with this community, don’t doubt to


    With all of these options, and the potential combinations and variations of them, it’s virtually impossible not to have a kind of report that adapts well to our needs in each case. In our case, we usually aim for the long report in point 4, given that the information gathered for it allows us to rewrite the report to be more like the simpler versions described above. The more experience you have as an auditor, the faster you will become at identifying what type of report the organization will be able to understand best, even if you yourself are still conceptualizing and seeking out the answers as if you were building the most comprehensive report. For instance: if the organization explicitly wants something short, if they are in a bad moment in terms of security and need to implement fast, or if we want to give a detailed report to IT/management and a shorter one to the directors or to some external technical service provider, we already have everything we need. Once again, it is (mostly) up to you what kind of report you want to build and what kind of report the organization you attend needs; just remember that our ultimate goal is that they understand how secure they are and implement measures to improve their security and do a better job.
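    The paragraph above describes how the data gathered for the comprehensive risk-oriented report (style 4) can be re-rendered as the simpler styles. The following is an added example, not code from the article or from SAFETAG, of a minimal data model that links threats, vulnerabilities and recommendations, checks that every link resolves (the "linking suggestions to identified threats" guarantee from the pros list), and produces the magic-recipe, asset-oriented and activity-oriented views from the same data. All class names, field names and sample findings are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from collections import defaultdict

# Implementation-plan buckets used by the "magic recipe" style (style 1).
TERMS = ("immediate", "short", "medium", "long")


@dataclass(frozen=True)
class Threat:
    id: str
    description: str          # from the threat modelling activity


@dataclass(frozen=True)
class Vulnerability:
    id: str
    description: str
    asset: str                # feeds the asset-oriented view (style 2)
    activity: str             # SAFETAG activity that surfaced it (style 3)
    threat_ids: tuple[str, ...]


@dataclass(frozen=True)
class Recommendation:
    id: str
    action: str
    vuln_ids: tuple[str, ...]
    term: str                 # implementation-plan bucket


@dataclass
class Report:
    threats: dict[str, Threat]
    vulns: dict[str, Vulnerability]
    recs: list[Recommendation]

    def validate(self) -> list[str]:
        """Return linkage problems; an empty list means every recommendation traces
        to a vulnerability and every vulnerability traces to a threat."""
        problems = []
        for v in self.vulns.values():
            if not v.threat_ids:
                problems.append(f"{v.id}: not linked to any threat")
            for t in v.threat_ids:
                if t not in self.threats:
                    problems.append(f"{v.id}: unknown threat {t}")
        for r in self.recs:
            if not r.vuln_ids:
                problems.append(f"{r.id}: not linked to any vulnerability")
            for vid in r.vuln_ids:
                if vid not in self.vulns:
                    problems.append(f"{r.id}: unknown vulnerability {vid}")
            if r.term not in TERMS:
                problems.append(f"{r.id}: unknown implementation term {r.term!r}")
        return problems

    def magic_recipe(self) -> dict[str, list[str]]:
        """Style 1: a short action list grouped by implementation term."""
        plan: dict[str, list[str]] = {t: [] for t in TERMS}
        for r in self.recs:
            plan[r.term].append(r.action)
        return plan

    def by_asset(self) -> dict[str, list[tuple[str, str]]]:
        """Style 2: asset -> [(vulnerability, recommended action), ...]."""
        view = defaultdict(list)
        for r in self.recs:
            for vid in r.vuln_ids:
                v = self.vulns[vid]
                view[v.asset].append((v.description, r.action))
        return dict(view)

    def by_activity(self) -> dict[str, list[str]]:
        """Style 3: activity -> the vulnerabilities it surfaced."""
        view = defaultdict(list)
        for v in self.vulns.values():
            view[v.activity].append(v.description)
        return dict(view)

    def trace(self, rec_id: str) -> dict[str, list[str]]:
        """Style 4: for one recommendation, which vulnerabilities it addresses and
        which threats each of those vulnerabilities relates to."""
        rec = next(r for r in self.recs if r.id == rec_id)
        return {vid: list(self.vulns[vid].threat_ids) for vid in rec.vuln_ids}


def build_sample_report() -> Report:
    """Constructed sample findings (hypothetical, not from any real audit)."""
    threats = {
        "T1": Threat("T1", "Targeted phishing of staff email accounts"),
        "T2": Threat("T2", "Website taken offline around report launches"),
    }
    vulns = {
        "V1": Vulnerability("V1", "Shared mailbox password reused on other services",
                            "email", "Day in the Life", ("T1",)),
        "V2": Vulnerability("V2", "CMS two major versions out of date",
                            "website", "Network scanning", ("T2",)),
        "V3": Vulnerability("V3", "Nobody is responsible for website updates",
                            "website", "Capacity assessment", ("T2",)),
    }
    recs = [
        Recommendation("R1", "Enable 2FA on the shared mailbox and rotate its password",
                       ("V1",), "immediate"),
        Recommendation("R2", "Update the CMS and its plugins", ("V2",), "short"),
        Recommendation("R3", "Name a website owner and set a monthly update routine",
                       ("V3",), "medium"),
    ]
    return Report(threats, vulns, recs)


if __name__ == "__main__":
    report = build_sample_report()
    print("linkage problems:", report.validate())
    for term, actions in report.magic_recipe().items():
        print(term, actions)
    print(report.by_asset())
    print(report.by_activity())
    print(report.trace("R2"))
```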

    Read more

  • The challenges of reporting

    *This article was written by Carlos Guerra with the input and help of Mario Felaco of Con-nexo.*

    We run organizational security training sessions, long term support and security assessments for NGOs (Non-Government Organizations) and independent media outlets at risk in Latin America. We base a lot of of our work on the SAFETAG framework and we like to promote it to new people that want to help organizations improve their security.

    As previously said in the SAFETAG Stories: If you fail – TRI, TRI Again, there isn’t one unique approach to security assessments for organizations and independent media outlets; their unique structures and dynamics make it difficult to assume there is a single way to evaluate security, or even a single way they can respond to our recommendations. After a few years doing SAFETAG-based assessments and security interventions, I’ve come across different ways that I and others end up building assessment reports. They can be widely different, without this meaning that one report style is wrong or right. It is just a matter of knowing when it is more convenient to use one approach or another. Some of the factors that can affect what kind of information, and how much of it, the organization can digest are:

    Read more

  • SAFETAG Stories: The DDoS Outreach Strategy

    This is the third in a series of blog posts sharing some stories gleaned from audits over the years (often combined from multiple experiences and with all identifying information removed). The goal is to share experiences and approaches to help new auditors get into the mindset of SAFETAG

    The SAFETAG framework emphasizes the importance of putting the organization first, and helping them prioritize their own risks. This often feels at odds with more traditional, prescriptive approaches to security audits.

    SAFETAG itself began as a way to adapt professional “penetration testing” to the NGO world. To say that we learned a lot along the way would be a colossal understatement. Penetration tests are fantastic for, well, organizations with an IT team and a large budget. If your organization’s focus is to support independent media, support vulnerable populations, or advance other social good outcomes, your budget is (sadly) more limited, and your IT support is stretched to capacity in just keeping systems functional and staff supported through some of the most amazingly creative tricks possible.

    To balance the real threats organizations face with the constraints of time, staff and budget they are under, SAFETAG focuses on empowering organizations to explore their own tolerance for risk, where they face risk, and how they might mitigate or reduce it in a way that respects their mission and capacity.

    A simple example would be an organization which depends on individual donations through its website. The reputation of the organization, the safety and reliability of its donation system, and the protection of the identities and credit card or banking information of its donors is paramount to that organization’s ongoing success. They may have many odd, not-perfect systems, but if they have an outdated website with well-known vulnerabilities and no clear website management plan, finding an affordable solution may be the first priority.

    My favorite actual example from an audit was working with a media and transparency organization. Among many challenges they faced, one stood out as unusually simple to fix – their website got reliably DDoSed and taken down every time they released a new, impactful report. We immediately suggested the free DDoS protection provides for media and human rights tools. The organization politely declined, and explained that every time they got DDoS’ed, they would go onto various social media platforms to complain about that, which ended up driving more interest in their reports. Intentionally allowing one’s site to get attacked like that may sound crazy on the surface, but for this organization at the time it was part of their outreach strategy, and it worked.

    The magic of SAFETAG is not technical magic, hacker tools that would be at home in Mr. Robot, Black Mirror, or the Matrix, and it’s not expensive tools. The magic of SAFETAG is listening to the organization you’re working with, understanding the context they operate in, and helping to make sure their practices match the threats they face.

    This work is scary, difficult, impossible, unending, and more – but at the same time, it is also challenging in the best way. Actually listening to an organization and providing pragmatic, achievable next steps for improved organizational security is the most challenging - and rewarding - part of being an auditor.

    It’s easy to simply state that they need professional IT and security support. It’s easy to mandate that they never again open an attachment. It’s unrealistic for this to happen. We do not operate in an ideal, unconstrained world. Budgets are not infinite – if they even exist. Threats are real and have very real impacts, where the above example of losing online donations pales in comparison to some of the alternatives, yet there are real limits to what can be done. A five-person journalism outfit is not going to hire a 100k USD infosec expert and an IT team to manage their online presence – and they cannot simply stop opening sketchy attachments people email them promising juicy scoops.

    But. But maybe that outdated website could be protected behind a service like Cloudflare (or better, Deflect), and maybe they can transition their email to Google, and use Google Drive to open attachments first. It may not be a techno-utopia, (and these are not universal recommendations! Your mileage may vary!) but the impact on their security, in a way that respects their needs and their capacity - is worth it. Imperfect but positive first steps can lead to a better culture of security within the organization, and grow their capacity to move to more advanced solutions while keeping them safer in the meantime.

    Read more

  • SAFETAG Stories: The Forgotten Incident

    This is the second in a series of blog posts sharing some stories gleaned from audits over the years (often combined from multiple experiences and with all identifying information removed). The goal is to share experiences and approaches to help new auditors get into the mindset of SAFETAG

    In the previous SAFETAG Story, we explained the “TRI” approach in choosing activities which take different approaches (Technical, Research, Interpersonal) in order to TRI-angulate (!!!) the reality of what is going on at an organization. That variety is critical, but sometimes not enough.

    Even within one category, sometimes one approach just doesn’t work with the organization. The activity may be geared towards a small group, but the organization is large. It may expect people to be in one room, but the organization is distributed across locations and even time zones. Sometimes, it may just not work for reasons that are not clear.

    The Forgotten incident

    At one audit, the audit team had gone through the normal motions of process mapping, talking about potential adversaries, ranking what risks and their impacts were not acceptable, as well as research around digital challenges faced in their country and around their issue area. After almost a week, we had simply not found any specific concerns beyond the normal outdated computers and network glitches, and were looking forward to a simple and straightforward audit findings and recommendations reporting process. SAFETAG recommends having some form of “debrief” at the end of every audit, to respect concerns and provide one last point of contact and reassurance to staff. During this, someone casually mentioned a theft from a few years back, where only the hard drives of the computers were stolen.

    That… is an odd and very specific thing to steal. We had to have additional conversations to re-scope and re-prioritize some of the recommendations we had planned on providing, as well as re-think what threats this organization was actually facing.

    This is a great example of a situation where multiple activities theoretically should have caught this – from initial interviews with management and technical staff, to idle chatter during “Day in the Life” style direct engagement with staff members, or any of the group activities such as process mapping, data mapping, or in particular some of the risk rating exercises where the organization discusses previous incidents. An important lesson here is that while it can sometimes feel like you are repeating work or returning to questions you think you have the answers to, it can be the only way you uncover critical information.

    Read more

  • SAFETAG Stories: If you fail -- TRI, TRI Again

    This is the first in a series of blog posts sharing some stories gleaned from audits over the years (often combined from multiple experiences and with all identifying information removed). The goal is to share experiences and approaches to help new auditors get into the mindset of SAFETAG

    One of the most common questions we get about the SAFETAG framework is whether one has to do everything in it for it to “count” as an assessment based on SAFETAG. The answer is absolutely not.

    In describing SAFETAG, I often poke fun at the inevitable result of traditional “penetration tests” against an organization. These tests try every handle, press every button, and push on every closed door of an organization’s digital (and often physical) security to map out every possible vulnerability, resulting in incredibly detailed and overwhelming reports. For many organizations, this report may not even include a clear way to prioritize how to tackle it beyond a gazillion “high” priority issues and countless “medium” and below things to also ponder.

    The secret follow-up punchline, however, is that SAFETAG itself is, well, an overwhelming, detailed, 300+ page behemoth, and will continue to grow.

    Choose your own SAFETAG Adventure: Try out the “TRI” model

    We are working to make using SAFETAG feel as flexible as it was built to be. It has always been a modular, “choose-your-own-adventure” style approach to working closely with organizations to assess the risks they face, and the best path for addressing their top priorities. One important way we are doing this is by adding metadata to each activity to help auditors build a comprehensive audit plan (follow the metadata branch at and the issue at !). Initially, we are focusing on the time each activity takes, the specific skills it requires, and what “type” of activity it is.

    In SAFETAG, the various activities we suggest to learn about an organization tend to fall in three broad approaches: Technical, Research, and Interpersonal. It is tempting to focus on the style of approach you as the auditor are most comfortable with - people with backgrounds in digital security training tend towards the interpersonal, people with pentesting backgrounds the technical. However, by using a combination of these, you get a clearer understanding of not only the organization’s setup and infrastructure, but how decisions are made, how policies are enforced (or not), and where there are opportunities for organizational change.

    The Dropbox Effect

    An illustrative story from my own auditing experience is what I call the “Dropbox effect”. This story, with small changes, has come out of … many audits I’ve been a part of. It starts during the initial scoping and interviewing stage (Interpersonal!), where management and/or any technical staff will say something to the effect that the organization has made a decision to not use Dropbox (or Google Drive, etc.), so no one is using it. Digging through provided policy documents (Research!), there may even be a section on correct storage and backup / filesharing for the organization which specifically bans Dropbox. Once you start scanning networks (Technical!) and talking 1:1 with end users (Interpersonal again!) as you sit with them and look at their desktop systems (Technical again!) – a different picture emerges. Dropbox is everywhere.

    So, research and initial interpersonal approaches lead you to expect that staff members are not using Dropbox. Additional activities (in this case, mostly technical) reveal the exact opposite. The combination of this work will reveal the why. Perhaps the communications lead needs to regularly send very large files to a print shop, and Dropbox works where email doesn’t and USB drives are unsafe. Perhaps people are using it to sync family or pet photos from their home account to use as a screensaver. Perhaps some people simply never uninstalled it after the policy change, but aren’t actively using it. Any or all of these can hint at what a recommendation to resolve this difference between the organization’s policies and its actual practices should look like. Based on the specific risks and priorities of the organization, it may mean relaxing the “Dropbox ban” and improving information controls and entry/exit policies instead, or actually enforcing it while finding workable, policy-compliant solutions for these specific cases.
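    The story above, reduced to the evidence-reconciliation step, as an added example that is not part of the original post: it combines the policy excerpt, the management claim, the network scan and the desktop checks into a per-host status (active, dormant, absent) and attaches the “why” gathered from 1:1 chats. All hosts, domains, inventory entries and user notes are constructed; only the Dropbox ban itself comes from the text.

```python
"""Reconcile what an organization says about a banned tool (policy + interviews)
with what technical activities observe (network scan + desktop checks).
All sample data below is constructed for illustration."""
from collections import Counter

# Research: the policy document bans these tools (constructed excerpt).
POLICY_BANNED = {"dropbox"}

# Interpersonal (management interview): claimed usage, constructed.
MANAGEMENT_CLAIMS = {"dropbox": "not used"}

# Technical (network scan): host -> destinations seen during the capture, constructed.
NETWORK_OBSERVED = {
    "ws-01": ["mail.example.org"],
    "ws-02": ["client.dropbox.com", "mail.example.org"],
    "ws-03": ["client.dropbox.com"],
    "ws-04": ["mail.example.org"],
}

# Technical (sitting with users at their desktops): installed / running software, constructed.
ENDPOINT_INVENTORY = {
    "ws-01": {"installed": ["thunderbird"], "running": ["thunderbird"]},
    "ws-02": {"installed": ["dropbox", "thunderbird"], "running": ["dropbox"]},
    "ws-03": {"installed": ["dropbox"], "running": ["dropbox"]},
    "ws-04": {"installed": ["dropbox"], "running": []},
}

# Interpersonal again (1:1 chats): why the tool is there, constructed.
USER_NOTES = {
    "ws-02": "syncs pet photos from a home account for a screensaver",
    "ws-03": "sends large print-ready files to the print shop; email rejects them",
}

# Domain suffixes that indicate the tool is talking to its service (assumption).
TOOL_DOMAINS = {"dropbox": ("dropbox.com",)}


def classify_host(tool, host):
    """Return 'active', 'dormant' or 'absent' for one tool on one host,
    combining desktop inventory with network evidence."""
    inv = ENDPOINT_INVENTORY.get(host, {"installed": [], "running": []})
    suffixes = TOOL_DOMAINS.get(tool, ())
    talks_to_service = any(d == s or d.endswith("." + s)
                           for d in NETWORK_OBSERVED.get(host, []) for s in suffixes)
    if tool in inv["running"] or talks_to_service:
        return "active"        # in use right now, whatever the policy says
    if tool in inv["installed"]:
        return "dormant"       # never uninstalled, but not observed in use
    return "absent"


def reconcile(tool):
    """Compare policy and claim against observed practice; return a finding dict."""
    hosts = sorted(set(NETWORK_OBSERVED) | set(ENDPOINT_INVENTORY))
    status = {h: classify_host(tool, h) for h in hosts}
    counts = Counter(status.values())
    claim = MANAGEMENT_CLAIMS.get(tool, "unknown")
    return {
        "tool": tool,
        "banned_by_policy": tool in POLICY_BANNED,
        "management_claim": claim,
        "hosts": status,
        "active": counts["active"],
        "dormant": counts["dormant"],
        # The gap the story describes: "no one uses it" versus evidence that they do.
        "gap": claim == "not used" and (counts["active"] + counts["dormant"]) > 0,
        # Reasons only matter for hosts where the tool is actually in use.
        "reasons": {h: USER_NOTES[h] for h in hosts
                    if status[h] == "active" and h in USER_NOTES},
    }


def report(finding):
    """Render the finding as the short text an auditor would paste into notes."""
    lines = [f"{finding['tool']}: policy ban={finding['banned_by_policy']}, "
             f"management says '{finding['management_claim']}'"]
    for host, state in finding["hosts"].items():
        why = finding["reasons"].get(host, "")
        lines.append(f"  {host}: {state}" + (f" ({why})" if why else ""))
    if finding["gap"]:
        lines.append("  -> policy/practice gap: follow up on each reason before recommending")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile("dropbox")))
```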

    Does the TRI concept make sense? Sound even more confusing? Let us know on the issue queue or at [email protected]

    Read more

  • Updates from the Advanced Threats Workshop!

    SAFETAG Fellows and partners gathered for a 3-day workshop to expand the guidance that the SAFETAG framework has for auditors to respond to advanced threats - organizations receiving phishing emails or with active malware in their systems. This will all be included in a release going live later today. Thanks to all the contributions and support from the fellows in creating this!

    Responding to Advanced Threats Method

    In advance of the workshop, Dlshad Othman put together a new SAFETAG method for advanced threat response paired with an analysis activity. At the workshop, we expanded this into a full-on triage approach for responding to attacks, paired with “hooks” across the framework to better identify signs of active attacks. This collection of changes makes heavy use of the activity “variant” approach to combine very similar or parallel approaches in one single activity.

    The majority of the work can be found in the new “Responding to Advanced Threats” method and its related activities, detailed below.

    It is important to underline that this is focused on identifying malicious activity and doing the minimal possible analysis to responsibly triage it. Deeper analysis of the specifics may happen during the report-writing phase, but it is important to not be easily derailed from completing the SAFETAG audit process. This drives home the importance of having an agreed-upon incident response plan with the organization to determine how they would prefer to respond if something that is potentially serious occurs.

    New and Updated Activities

    Identifying and Analyzing Suspicious Activities

    Malware is a common tactic used to target organizations. Malware such as a RAT (Remote Access Trojan) can provide an attacker with back-door access to a targeted machine, which enables the attacker to steal information, record audio and video, and run commands on the infected machine. This component provides an overview of analyzing different types of suspicious emails, files, active processes, and network traffic.

    Evidence Capture

    This component describes the tools and procedures required to acquire an image (live or dead, depending on the situation) and securely handle data from a device (laptop, desktop, HDD, memory stick, USB stick, etc.) that is needed to later perform malware analysis or a forensic evidence process.

    Digital Forensics

    This component describes how to perform an analysis on captured evidence (e.g. hard drive image or memory dump) without altering the evidence. Any alteration, or even an environment or situation that creates the possibility of alteration, could lead to rejection of the evidence in a court of law or to malware analysis failures.

    In most cases, reach out for help: there are multiple organizations which coordinate and can support analysis of malware targeting NGOs. The Digital First Aid Kit has a list of organizations and, in most cases, secure contact details to seek support in doing advanced analysis. The Rapid Response Network, a project of CiviCERT, is a consortium of these organizations who may be able to help. Citizen Lab is also well known for their analysis and research.
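    One concrete check behind “without altering the evidence” is to fingerprint the captured image at acquisition, work only on a copy, and re-verify the original before writing the report. The following Python is an added example, not SAFETAG’s own tooling; the JSON-lines custody-log format, the `safetag-evidence-` working directory and the sample image bytes are assumptions constructed for illustration.

```python
"""Evidence integrity check: hash a captured image at acquisition, analyze a copy,
and re-verify the original so any accidental write is caught and logged."""
import hashlib
import json
import os
import shutil
import tempfile
import time

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large images need not fit in RAM


def sha256_file(path):
    """Hash a file opened read-only ("rb"); the digest is the evidence fingerprint."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def _utc_now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def record_acquisition(image_path, log_path, handler, note=""):
    """Append an acquisition record (fingerprint, size, handler, time) to the custody log."""
    entry = {
        "event": "acquired",
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "handler": handler,
        "utc": _utc_now(),
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def expected_hash(image_path, log_path):
    """Return the hash logged at acquisition for this image, or None if never logged."""
    name = os.path.basename(image_path)
    found = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            if rec["event"] == "acquired" and rec["image"] == name:
                found = rec["sha256"]  # the most recent acquisition record wins
    return found


def verify_image(image_path, log_path, handler):
    """Re-hash the original and compare with the custody log; log the outcome either way."""
    expected = expected_hash(image_path, log_path)
    actual = sha256_file(image_path)
    ok = expected is not None and actual == expected
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps({"event": "verified", "image": os.path.basename(image_path),
                              "sha256": actual, "matches_acquisition": ok,
                              "handler": handler, "utc": _utc_now()}) + "\n")
    return ok, expected, actual


def working_copy(image_path, workdir):
    """Analysis happens on a copy; the original is only ever opened read-only."""
    dest = os.path.join(workdir, "work-" + os.path.basename(image_path))
    shutil.copyfile(image_path, dest)
    return dest


def demo():
    """Constructed walk-through: a tiny stand-in 'image', verified clean, then after an
    accidental write to the original. Returns (clean_result, tampered_result)."""
    workdir = tempfile.mkdtemp(prefix="safetag-evidence-")
    image = os.path.join(workdir, "laptop-disk.raw")
    log = os.path.join(workdir, "custody.jsonl")
    with open(image, "wb") as fh:
        fh.write(b"CONSTRUCTED SAMPLE IMAGE " * 4096)  # stand-in for a real disk image
    record_acquisition(image, log, handler="auditor", note="constructed sample")
    working_copy(image, workdir)          # analysis tooling would run on this copy
    clean = verify_image(image, log, handler="auditor")[0]
    with open(image, "r+b") as fh:        # simulate the failure mode: a write to the original
        fh.seek(0)
        fh.write(b"x")
    tampered = verify_image(image, log, handler="auditor")[0]
    shutil.rmtree(workdir)
    return clean, tampered                # (True, False)


if __name__ == "__main__":
    print(demo())
```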

    Technical Context Research

    An important cornerstone in working with high-risk organizations is having an expansive understanding of their potential adversaries and their capabilities. This has long been guidance in SAFETAG, and at the workshop we pushed out a more structured approach to tackle this research based on Internews’ internal digital country risk assessment methodology.

    Changes to Incident Response

    Since its inception, SAFETAG has had a section instructing auditors to create an agreed-upon incident response plan with the organization. During the Advanced Threats workshop, we expanded on this in parallel with the overall “triage” approach.

    Changes to the Interview activity and creation of a High-Risk Interview activity

    For the pre-audit interview process, we have improved the formatting of the overall section, added more questions to help identify potential attacks, and added a specific “Guiding Questions for High-Risk Organisations” activity to dive deeper where the auditor and/or organization already suspects they are under active attack. This additional interview activity is meant to identify whether there are any indicators that the organization may already have been attacked and/or compromised, or whether someone they know has faced advanced threats. It should help identify what threats / threat actors they are dealing with, and their intent. This will help the auditor prioritize work with the organisation during the audit and follow-up, and understand whether the auditor has the expertise to address or understand the threat or whether outside expertise is needed.

    Changes to Network Scanning and Traffic Analysis

    We have added some guidance to help auditors judge whether open ports and network traffic are out of the ordinary for office environments. Naturally, every office setup is different, and this will rely on the auditor conducting on-site research and analysis. These changes are in the Network Scanning and Traffic Analysis activities.

    Read more

  • SAFETAG Contribution Templates!

    Thanks to some feedback, we’ve updated the contribution guide at with clearer, step-by-step guides, a reminder to post an issue to the issue queue first, and - most usefully - templates to use to get started crafting new SAFETAG methods and activities. Those can be found in the templates folder.

    Read more

  • REMINDER: Nov 17 deadline for SAFETAG Fellowship Grants

    Internews is launching a funding pool to diversify and scale SAFETAG across the broader human rights and digital security community. Internews is seeking to fund 10-12 individuals or teams embedded in organizations to customize SAFETAG to meet their needs, conduct SAFETAG-based assessments integrating these customizations, and share these approaches back with the SAFETAG community. Grant amounts are expected to vary based on local costs and scope, but the average grant is expected to be $25,000 USD and approximately 4 months in duration.

    Winning applications must support at least two SAFETAG-based assessments of at-risk organizations working with vulnerable or marginalized communities. These assessments should be in parallel with the creation and documentation of customized approaches – new activities which work better for the applicant’s region/community/specific threats and/or a “playlist” of existing (and custom-created or modified) SAFETAG activities which best work for this community. Grantees will be expected to responsibly share the non-identifying context research (e.g. high-level country risk assessments) within the SAFETAG community and to coordinate on peer-training events to share their approach. Following each assessment, the grantee will help the recipient organization develop risk mitigation plans to address weaknesses, and either provide direct support through existing organizational programming or connect the organization to external services, goods, or funding support as needed to address their security vulnerabilities.

    Throughout this entire process, the grantee will have ongoing access and mentoring from Internews’ SAFETAG team and access to the combination of skills and implementation expertise of the entire fellowship pool. Internews will work to “match-make” grantees working on similar or related challenges for peer-training opportunities.

    Preference will be towards individuals embedded in organizations working in the human rights and digital security space. Individuals may also apply, but the funding mechanism may be different. Winning applications will demonstrate continued post-funding usage of and contribution to SAFETAG as a community project.

    Applications are due November 17 and will be evaluated by Internews’ SAFETAG team, the SAFETAG Community Advisory Board, and in consultation with SAFETAG funders according to the criteria (and regulations) in the submission form. If funds permit, a second round will be opened in 2018.

    Please submit your applications via this Google Form

    If you would prefer to submit this information via PGP, please send to [email protected] and [email protected], encrypting to these keys: and .

    Read more

  • SAFETAG Agreement Generator

    Seamus Tuohy of Prudent Innovation has completed an in-depth decision tree program for auditors/assessors: it asks you questions and builds a detailed, plain language agreement for you to use in your engagements. It’s built in Python on Debian/Ubuntu, and available in the SAFETAG community github.

    It allows auditors to provide custom fee schedules and has specific call-outs for parts of the agreement which are the most critical to have local legal advice on. Given that SAFETAG auditors operate in legal jurisdictions all over the world and in a variety of languages, the template text is focused on clarity and conciseness instead of legalese. By clearly articulating the scope and intent of each component, lawyers in different regions will be able to evaluate and update the language to support their legal code. The repository comes with an example plain language template. It includes a “base” outline template and a fine-grained template file that extends this base. By editing the base template an assessor can add/remove large sections of the agreement without searching through the fine-grained template for the text they wish to remove. This also customizes the interactive agreement process, enabling auditors to quickly re-generate new agreements with small modifications.

    The project’s README file includes both an installation guide as well as usage and advanced customization documentation.

    Agreement Generator Screenshot

    Please test it out and send in feedback via the issue queue, as this will be replacing the existing “draft engagement agreement” currently in SAFETAG.

    Read more

  • Contributing to SAFETAG -- and an Updated Guide!

    As more and more contributors are helping build SAFETAG, we realized that the existing guidance on the structure had fallen out of line with the current setup, and how the SAFETAG content is getting mapped into the Content as Code framework.

    We have now updated and combined our disparate documentation on the structure of SAFETAG in light of recent feedback and (in the ongoing effort to polish the repository) have uploaded it as a file

    Finally, there’s an updated release (ironically not including the above documents yet) which rolls up the changes from the recent write-sprint.

    Read more

  • Remote SAFETAG Assessments?

    An ongoing interest in the SAFETAG community has been how to use the SAFETAG framework in situations where the auditor cannot travel to the organization at all, or cannot travel to remote or multiple office locations – what can be done remotely, what can be done with help, and what gaps remain that must be accommodated? Thanks to coordination and co-funding with multiple organizations, a SAFETAG peer-training and content sprint answered these questions with new approaches and adaptations to support a variety of remote-only SAFETAG assessment work.

    Content created from this training and content sprint is included with summaries below and has been compiled into an updated SAFETAG release. The content sprint approach taken with this event took advantage of the existing expertise and experience of the attendees to co-create new approaches as a form of peer training. This has the exciting add-on benefit of supporting community-sourced contributions on the SAFETAG github repository, which can be seen via the github commit and pull history.

    Operational Security (expanded from Physical Security)

    The thought process for dealing with “remote” audits - as well as the multiple scenarios in which they would be most likely - also led to improved clarity on the future of the “Physical Security” module for SAFETAG. It has been transformed into an “Operational Security” section to also include activities to determine staff traveling, working remotely or from home, and the security impacts of multiple offices, especially in situations where the auditor can only assess a subset of an organization’s offices.

    The operational security methodology is focused on how to mitigate threats that occur because of the arrangement of digital assets in the physical world – how secure are the devices at an organization’s office, where and how staff travel with organizational devices, and whether staff work outside of the office (e.g. in remote offices, at their homes, while traveling, or at cafes). Further, is organizational information accessed from personal devices, and how are those devices secured?

    Pull #282, Issue #268

    This also enabled the movement of some odd pieces of the framework into this, such as hands-off discovery of wifi networks and device beacons/probes ( – transforming an awkward “module” into an activity underneath this module that fits more naturally.

    Office Mapping (New)

    This activity seeks to identify potential physical vulnerabilities to an organization’s information security practices by documenting the current physical layout of the office and the locations of key assets, as well as potential “external” risks such as nearby/shared office spaces. This can be done in person independently or alongside the “Guided Tour” activity, and can also be done in advance of an assessment or remotely by a willing staff member who knows where these assets are located (often a technical or administrative staff person). This can also be conducted in a multi-office or home-office environment where the auditor is unable to visit every location.

    Guided Tour (Adapted to include remote support)

    During this component an auditor tours the audit location(s) and flags potential risks related to physical access at that location. This can be done remotely via secure videoconference over a smartphone or tablet that can be moved around the office easily. Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

    Pull #286

    Scavenger Hunt (New)

    This activity assists in identifying potential physical security concerns at an organization, particularly when an auditor cannot travel to the office location or cannot visit every office location. The scavenger hunt approach is focused on involving the organization’s staff members in mapping out potential threats through abstraction and gamification of the physical security mapping process. See the “Risk Hunting” exercise in SaferJourno, page 19, for additional ideas and guidance on conducting this activity.

    Remote Local Network Scanning and Device Assessment (Adapted)

    This allows the auditor to work remotely to identify the devices on a host’s network, the services that are being used by those devices, and any protections in place, as well as to assess the security of the individual devices on the network.

    Pull #283

    Remote Facilitation (New)

    Suggested approaches and methods to use if in-person facilitation for activities such as process mapping and data assessment is not possible. This may not provide results as deep as in-person facilitation, but should provide the level of expansion and verification needed.

    Pull #288

    Read more

  • Shape the Future of SAFETAG

    We are exploring how to better present the SAFETAG content and enable auditors to explore, build and share audit plans, and contribute back to SAFETAG.

    Please fill out this survey and inform the next steps of converting the content of SAFETAG into a more interactive and usable structure:

    Read more

  • Code of Conduct and Community Governance

    Based on the work from Berlin and revisions and feedback since, we have an updated and streamlined SAFETAG community governance document!

    You can find it alongside the Code of Conduct, in the Code of Conduct file in the github repository, which contains the mission, community standards, and community governance structure.

    This makes the code of conduct more specific, revises the community standards to reflect that the SAFETAG community lives within the wider world, and simplifies the Advisory Board language to get things rolling sooner. As this becomes a self-sustaining consortium, we can expand and codify additional items as necessary.

    Read more

  • Meet us at the Internet Freedom Festival next week!

    SAFETAG continues to expand its adoption among groups doing organizational security work. Towards this, we joined with a group of 15 practitioners recently in Prague who are working on all aspects of organizational security, from the audit/assessment piece through to implementation and follow-up support. We all shared experiences, resources and approaches to address our collective challenges by coalescing our understanding of what organizational security is, and how we can grow and hone our practice.

    We were all very encouraged and buoyed by the depth and breadth of the collective knowledge to be tapped, and resolved to use this as a launching pad towards a larger knowledge space and a community of practice.

    If you are attending the Internet Freedom Festival, we invite you to join the discussion, hear our outline of how to grow as an independent, open, and collaborative community; and if you are interested, to join efforts.

    There is an initial session Thursday March 3 Noon-1 focused on building a more collaborative assessment framework based out of SAFETAG, followed up by an all-morning session scheduled for Friday 10–1, March 4. We want to hear from you about the challenges you face implementing organizational security support and your solutions; about your own organizational security systems and practices; and how you could benefit and contribute as an active member of this growing community.

    Dubrovnik Lock CC-BY Jon Camfield

    This comment has been adapted from a cross-organizational posting which has included the below people and organizations:

    • Ali G. Ravi, Confabium - post
    • Alix Dunn, the engine room - post
    • CC, EngageMedia - post
    • Friedhelm Weinberg, HURIDOCS - post
    • Jon Camfield, SAFETAG/Internews - post
    • Karel Novotný, APC - post
    • Kody Leonard, The ISC Project - post
    • Kristin Antin, the engine room - post
    • Maya Richman, the engine room - post
    • Michael Carbone, Access Now - post
    • Natasha Msonza, Digital Society of Zimbabwe
    • Niels ten Oever, Article 19
    • Pablo Zavala, Front Line Defenders
    • Peter Steudtner, HIVOS-DIF / pantraining
    • Wojtek Bogusz, Front Line Defenders

    Read more

  • Meet SAFETAG: Helping Non-Profits Focus on Digital Security

    Padlock CC-BY Rachel Titiriga/Flickr

    I’d be willing to wager that you, like me, have been offered “credit monitoring services” more than once in the past few years, because a place you’ve done business with or a past employer was hacked, potentially putting your personal data out on the market.

    Corporations and governments, while they are struggling to keep up with hacks, do have resources and teams devoted to the battle. But smaller, much more vulnerable victims of attacks deserve our attention too.

    Non-profit organizations around the world are also targeted by cybercrime, and don’t have the benefit of expensive services or personnel monitoring or protecting their systems.

    And it’s not as if these small organizations don’t have valuable information — from pre-published research to healthcare data, records of environmental transgressions to election monitoring procedures — development and civil society work around the world collects reams of information that, in the wrong hands, can put an organization or its beneficiaries at risk. Even a lost smartphone or laptop will contain contracts, financial data, and private conversations embedded in the constant stream of emails.

    Organizational security can feel like an impossible task, and many security audits or “penetration tests” are expensive and can be too aggressive for most small organizations. Vulnerabilities exist, but fixing them is not necessarily a high priority for the organization.

    Over the past two years, Internews has developed SAFETAG™ (Security Auditing Framework and Evaluation Template for Advocacy Groups) to address this challenge.

    What is SAFETAG?

    SAFETAG provides a framework that a digital security expert can use to help organizations identify and prioritize the risks they face and suggest a tightly-focused path to mitigating them. This path to increased safety is designed to be responsive to the actual capacity of an organization. This last element is critical. We have learned that even the best-laid plans will go to waste if the organization is not capable of implementation.

    Audits based on the SAFETAG methodology start by working with the organization to explore the information and processes that they consider the most valuable.

    For a media or journalism organization, for example, there might be calls and emails between a writer and confidential sources, which then turn into a working draft that is emailed between the author and editors before being sent to a webmaster to be added to the website. Are the phone calls sensitive? Should they be made over an encrypted connection? Where are the emails being stored? Work laptops? Personal smartphones? Email servers hosted by the organization?

    The answers to each of these questions help the auditor and the organization think about where vulnerabilities that actually matter to the organization might be hiding. The process mixes interviews, exercises and technical verification and scanning, including documenting what the organization thinks it does versus what it actually does. The goal is to make all the organization’s processes and practices — not just the official ones — safe.

    At the end of the day, SAFETAG is like the stone soup parable — the deepest impact comes from the organization taking the time to reflect on the threats they realistically face, the danger this puts them in, and their capacity to reduce these risks over time. The auditor is a catalyst with the resources to make it happen.

    Radical Openness

    Another way that SAFETAG differs from more traditional security audits is that the entire framework is open source and licensed for reuse and re-mixing. Even the trademark on the name “SAFETAG” is meant to encourage organizations to adapt and build on SAFETAG — it requires auditors to avoid calling their work a “SAFETAG audit” but instead use phrases more like “based on SAFETAG.”

    SAFETAG continues to evolve — as of today, Internews has trained 13 digital security auditors around the world and performed audits and risk assessments based upon the SAFETAG methodology for 20 at-risk organizations. More exciting than that, however, is organic uptake of the SAFETAG methodology. Other organizations are conducting their own versions of audits based upon SAFETAG.

    The entire methodology is open and available on github, with active conversations around the future of the framework visible in the issues queue. “Compiled” versions of SAFETAG are available at .

    The future of SAFETAG is to drive — and be driven by — this cross-organizational adoption. Working with this community, Internews is creating a set of practices and a common language that make up the SAFETAG “core activities,” along with a “plug-in” type approach for advanced SAFETAG topics that auditors can provide to help organizations work through not only digital security risks, but also financial, reputational, or even legal risks.

    Interested? We’d love to see you over in our issue queue!

    (Image credit: Padlock: Plovdiv, Bulgaria – Rachel Titiriga/CC-BY)

    Read more