Organizational Device Usage

Summary

This component allows the auditor to discover and assess the security of the devices on the network and/or used in the organization. This component consists of interviews, surveys, network mapping, and inspection of devices.

Purpose

Compromised devices can undermine nearly any other organizational attempt at securing information. Knowing whether devices receive basic software and security updates/upgrades, and what core protections exist against unauthorized access, is vital to designing a strategy to make the host more secure. Because the SAFETAG framework is focused on the security of data, it's also crucial that the physicality of the devices on which this data resides, including the hard-wired networks through which it's exchanged, not be overlooked.

Guiding Questions

    • What work and personal devices do staff use to accomplish their work, store work-related files, or engage in work communications?
    • What organizational and external/personal services do staff use to accomplish their work, store work-related files, or engage in work communications?
    • How do staff communicate internally and externally? What tools do they use?
    • What are the existing in/formal security practices that the participants use to address risks?
    • Who has physical access to what? Who has remote access to what?
    • When are devices not monitored by trusted staff?
    • How could adversaries gain access? (forced entry, theft, social engineering, seizure)
    • Are there mitigation procedures if devices are lost or taken by adversaries? (e.g., encrypted drives, offsite backups)

Operational Security

  • Treat the information learned/collected with the utmost sensitivity and security. Physical notes should be destroyed immediately after use and digital notes should be kept in line with overall SAFETAG standards.

Preparation

    Baseline Skills

    • Basic systems administration experience for common operating systems

Outputs

    • List of all assets in the organization and whom they belong to.
    • Notes on un/documented access control measures for the office
    • List of software running on staff devices and date of last update
    • List of known vulnerabilities, and identifiable malware, that the office is vulnerable to.
    • List of malware found by running updated anti-virus on office computers (if anti-virus is installed during device inspection)
    • List of specific unsecured servers, workstations, external hard drives and any other digital resources
    • Notes on existing security measures for all digital systems
    • Written-down passwords

References

Activities