Preparation
Summary
This component consists of the audit preparation activities needed to ensure that the components of the audit can be conducted effectively and within the on-site time frame.
Purpose
A SAFETAG audit has a short time frame. Preparation is vital to ensure that time on the ground is not spent negotiating the audit scope, updating the auditor's systems, searching for missing hardware, or re-reading the SAFETAG framework. Preparatory discussions with the host organization also help reveal whether the organization has the capacity to undertake the audit and to act on its findings.
Guiding Questions
- Does the organization have existing digital security practices, or has it attempted to implement them in the past?
- What agreements will govern the audit?
- What will be the procedure for incident handling if the auditor causes or uncovers an incident during the course of the assessment?
- What are the legal, physical, or social risks for the auditor and the organization associated with conducting the audit or having the audit results leak? [1]
- Does the security situation of the location or organization require additional planning?
- Are your software tools up to date and working as expected?
Operational Security
- Prepare Systems: Update and test your systems, anti-virus and audit tools [4]; prepare storage devices and systems to meet the operational security measures agreed with the host; and ensure you have power supplies, cables and plug adapters, USB drives, external wireless cards and any other equipment needed for testing.
- Prepare for Travel: Check travel logistics if needed: visa, letter of invitation, travel tickets and hotel reservations. Note that some visas can take significant effort and may require the auditor to be without their passport while the application is processed.
- Carefully consider what to pack and how you will explain the equipment you carry. [2] [3]
Outputs
- An agreement with the organisation to receive the audit, including scope, timeframe, confidentiality clauses, operational security measures or minimums, and points of contact.
- Systems updated and ready for testing.
- An assessment of the risks to the host and the auditor of conducting a SAFETAG audit.
- Modifications to the audit plan as necessary.
- In case the audit involves travel: visa, letter of invitation, travel tickets and hotel reservations arranged (see Prepare for Travel above).
Activities
- Assessment Plan: This component allows an auditor and host to come to an understanding of the level of access that an auditor will have, what is off limits…
- Confidentiality Agreement: Negotiate an agreement with the organization that outlines how an auditor will protect the privacy of the organization and the outcomes of…
- Incident Response and Emergency Contact: Incident Response within the context of an audit refers to setting up a procedure for handling incidents during an audit in the event the…
- Regional Context Research: This exercise focuses on research and re-confirmation of regional issues from general trends to specific legal restrictions and safety…
- Technical Context Research: Research the technical capacity of potential threat actors, including both historical attack data and any indicators of changes to their capacity.
- Audit Timeline and Planning: This section provides guidance on creating a realistic audit timeline for your assessment plan.
Footnotes
- [1] "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."
- [2] "Traveling teams should maintain a flyaway kit that includes systems, images, additional tools, cables, projectors, and other equipment that a team may need when performing testing at other locations."
- [3] Appendix A: Auditor travel kit checklist
- [4] See the auditor trainee resource list
References and resources for Preparation
Preparation:
- Tip Sheet: Facilitator Preparation Tips (Integrated Security)
- Resource List: Password Dictionary Creation Resources (SAFETAG)
- Resource List: Social Engineering Resources (SAFETAG)
Facilitation Preparation:
- Guidelines: "Facilitator Guidelines" (Aspiration Tech)
- Guide: "Session_Design" (Aspiration Tech)
- Kit: "Resource Kit" (eQualit.ie)
- Questions: "Pre-Event_Questions" (Aspiration Tech)
- Guide: "Break Outs" (Aspiration Tech)
- Resources: "Be a Better Trainer" (Level-up)
Creating Agreements and Rules of Engagement:
- Standard: "Pre-Engagement" (The Penetration Testing Execution Standard: Pre-Engagement Guidelines)
- Template: Pre-Inspection Visit (VulnerabilityAssessment.co.uk)
- Template: "Rules of Engagement Template" (NIST SP 800-115)
Other Pre-Engagement Resources:
- Article: "The Difference Between a Vulnerability Assessment and a Penetration Test" (Daniel Miessler)
- Article: "Vulnerability Assessment and Penetration Testing" (gosafe)
- Article: "Legal Issues in Penetration Testing"
Incident Handling Resources:
- Guide: "Six Stages of Incident Response" (CSO Online: Anthony Caruana)
- Guide: "Threat Hunting Project" (http://www.threathunting.net)
Legal Considerations:
- Resource: "Media Legal Defense Initiative" (Media Legal Defense Initiative)
Sensitive Data & Information Guides:
- Guide: "Security Incident Information Management Handbook" (RedR UK)