
Preparation

Summary

This component consists of the audit preparation activities needed to ensure that the components of the audit can be conducted effectively and within the on-site timeframe.

Purpose

A SAFETAG audit has a short time frame. Preparation is vital to ensure that time on the ground is not spent negotiating over the audit scope, updating the auditor's systems, searching for missing hardware, or refreshing oneself on the SAFETAG framework. Preparatory discussions with the host organization help reveal whether the organization has the capacity to undertake the audit and respond to its findings.

Guiding Questions

    • Does the organization have existing digital security practices or has it attempted to implement them in the past?
    • What agreements will govern the audit?
    • What will be the procedure for incident handling in the event that the auditor causes or uncovers an incident during the course of the assessment?
    • What are the legal, physical, or social risks for the auditor & organization associated with conducting the audit or having audit results leak? [1]
    • Does the security situation of the location or organization require additional planning?
    • Are your software tools up to date and working as expected?

Operational Security

  • Prepare Systems: Update and test your systems, A/V and audit tools [4]; prepare storage devices and systems to reflect the required operational security; and ensure you have power supply adapters, cables and relevant adapters, USB drives, external wireless cards and any other equipment needed for testing.
  • Prepare for Travel: Check travel logistics if needed -- visa, letter of invitation, travel tickets and hotel reservations. Note that some visas can take significant effort and may require the auditor to be without a passport while they are being processed.
  • Carefully consider packing needs and explanations [3] [2]

Outputs

    • An agreement with the organisation to receive the audit including scope, timeframe, confidentiality clauses, operational security measures or minimums, and points of contact.
    • Systems updated and ready for testing.
    • Risks to host and auditor conducting a SAFETAG audit.
    • Modifications to the audit plan as necessary.

    In case the audit involves travel:

    • Any visas or paperwork needed, plus travel arrangements (tickets, hotels) for auditor travel.
    • A travel kit. [3] [2]

References and resources for Preparation