Back to all methods

Capacity Assessment

Summary

In this component the auditor engages with staff through both formal interviews and informal conversations to identify the organization's strengths and weakness (expertise, finance, willingness to learn, staff time, etc.) to adopting new digital and physical security practices. The auditor uses this information to modify the audit scope and recommendations accordingly.

Purpose

Knowing an organization's strengths and weaknesses allows the auditor to provide more tailored recommendations that an organization will be more likely to attempt and achieve. The auditor will use this assessment in preparing for the audit itself as well as when evaluating the difficulty of a recommendation. This information also provides a starting place for understanding the organization's current use and understanding of technology, digital security, and current threat landscape, as well as revealing elements of an organization's workflow, infrastructure and even vulnerabilities that you might otherwise have overlooked.

Guiding Questions

    • What is the organization's ability to adopt new technologies or practices?
    • What resources does the organization have available to them?
    • What is the environment that the organization works within like? What barriers, threat actors, and other aspects influence their work?
    • Are there any specific considerations for the audit that would require modifying the overall approach, tools, preparation steps, or timeline?

Operational Security

  • You may be interacting with many staff members. Avoid reporting the comments from other staff members to their peers or supervisors unless you clarify that this is agreeable with the source of the information.
  • Consider the security of your modes of communication if carrying out interviews remotely. Remember that your interviewees may be connecting from devices of unknown security status.
  • Follow a plan when taking notes - as physical notes can be a risk in case they are seized and digital notes need to be consolidated in a secure location.

Preparation

    • Review or create a set of interview questions to keep you on track
    • Have a secure note-taking process ready

Outputs

    Assessment data of:

    • Organization's ability to:

      • Adopt new technology
      • Learn from others
    • Organization's resources (financial, time, buy-in, expertise...) available for technological adoption
    • The availability and quality of communications and electronic infrastructure.
    • Threats posed to the digital and physical security of the organization and its staff, and past security issues encountered by the organization and its partners.
    • Priority security concerns.
    • Technological hardware and software in use for protecting the physical and digital security of organizations and their staff.
    • Past, current, or desired use of websites, blogs, social media and other web-based tools and platforms to conduct outreach, manage information, advocate or engage with specific groups.
    • Past, current, or desired use of mobile telephony and related software and hardware for activities such as sms management and data collection.