Report Creation and Recommendation Development
Summary
In this component the auditor identifies the organization's strengths and weaknesses (expertise, finance, willingness to learn, staff time, etc.) in adopting new digital and physical security practices, and documents the possible actions the organization could take to address the vulnerabilities found during the audit, the difficulty of taking those actions, and the resources the host may be able to leverage to address them. Resources can include, but are not limited to, local technical support and incident response groups/trade organizations, places to obtain discounted software, trainers, and guides/resources they can use to support their up-skilling.
Purpose
The host needs to be able to take action after an audit. The recommendations that an auditor provides to address vulnerabilities must cover a range that allows an organization to address them in both the short-term and more comprehensively in the long-term. Knowing an organization's strengths and weaknesses will allow the auditor to provide more tailored recommendations that an organization will be more likely to attempt and achieve. In doing this the SAFETAG auditor has an opportunity to act as a trusted conduit between civil society organizations in need and organizations providing digital security training, technological support, legal assistance, and incident response.
Guiding Questions
- What are the organizational areas of strength (expertise, finance, willingness to learn, staff time, etc.) that the organization can leverage when engaging in technological adoption/change?
- What are the organizational areas of weakness (expertise, finance, willingness to learn, staff time, etc.) that need to be taken into consideration when engaging in technological adoption/change?
- What are the organizational barriers to adoption?
- Are the recommendations you are providing directly related to the security audit? If not, do they support the organization in accomplishing their security tasks, or distract from them?
Operational Security
- Treat the data and analyses of this step with the utmost security.
- Use VPNs or Tor to search if conducting the search from a country that is highly competitive with the organization's country, or is known to surveil.
- Do not share any organization information or data when reaching out to possible resources.
Outputs
- Short-term recommendations to address each vulnerability.
- Long-term recommendations to address each vulnerability.
- Summaries of why recommendations were not given for any vulnerabilities or adversaries.
- Lists of organizations that can assist the host in accomplishing their tasks.
- Lists of educational resources the organization can use for training.
- Contact information for recommended trainers who can help with digital security training.
Activities
Creating a Risk Matrix
As part of SAFETAG's dedication to building agency and supporting organizational adoption of safer practices, a careful prioritization of…

Roadmap Development
This component consists of an auditor sorting their recommendations in relation to the organization's threats and capacity. The auditor…

Resource Identification
In this component the auditor documents resources that the host may be able to leverage to address the technical, regulatory, organizational…

Report Creation
This component consists of an auditor compiling their audit notes and recommendations into a comprehensive set of documents that shows the…
References and resources for Report Creation and Recommendation Development
- Directory: "Selected International and Regional Organisations providing support to HRD" (Workbook on Security: Practical Steps for Human Rights Defenders at Risk)
- Directory: "Security Training Firms" (CPJ)
- Digital Emergency Contacts: "Seeking Remote Help" (The Digital First Aid Kit)
- Directory: "Resource Handbook" (Center for Investigative Journalism)
- Guide: "Additional Resources: p. 298" (Operational Security Management in Violent Environments (Revised Edition))
- Multi-lingual Guides: Security in a Box
- Resource: Front Line Defenders
- Guide: "Surveillance Self-Defense" (EFF)
- Guide: "The Digital First Aid Kit" (RaReNet)
- Guides: "Protektor Services Manuals" (Protektor Services)
- Guide: "Cryptoparty Handbook" (CryptoParty)
- Guide: "Bypassing Internet Censorship" (Floss Manuals)
- Database: "A Collaborative Knowledge Base for Netizens" (Tasharuk)
- Guidelines: "Microsoft nonprofit discount eligibility guidelines per country" (Microsoft)
- Organization: "TechSoup, nonprofits and libraries can access donated and discounted products and services from partners like Microsoft, Adobe, Cisco, Intuit, and Symantec." (TechSoup)
- Guide: "Mitigation Recommendation" (NIST SP 800-115)
- Overview: "How Is Risk Managed?" (An Introduction to Information System Risk Management)
- Book: "Digging Deeper into Mitigations - p. 130" (Threat Modeling - Adam Shostack)
Resource Identification:
Digital Security Guides:
Possible Financial Resources for Host Organizations:
- International organisations that may provide security grants
- Frontline Defenders Security Grants Programme (see also the "Alternative Sources of Funding" list on this page)
- Digital Defenders Digital Security Emergency and Support Grants
Training Resources:
Emergency Resources:
- International protection mechanisms for human rights defenders
- What Protection Can The United Nations Field Presences Provide?
- 24/7 Digital Security Helpline: [email protected] (PGP key fingerprint: 6CE6 221C 98EC F399 A04C 41B8 C46B ED33 32E8 A2BC)
- CiviCERT: a coordination of rapid response organizations. CiviCERT members offering emergency support are listed in the Digital First Aid Kit
Resource Lists:
Recommendation Development:
Identifying Recommendations: