Report Creation and Recommendation Development

Summary

In this component the auditor identifies the organization's strengths and weaknesses (expertise, finance, willingness to learn, staff time, etc.) in adopting new digital and physical security practices, and documents the possible actions the organization could take to address the vulnerabilities found during the audit, the difficulty of taking those actions, and the resources that the host may be able to leverage to address them. Resources can include, but are not limited to, local technical support and incident response groups/trade organizations, places to obtain discounted software, trainers, and guides/resources they can use to support their up-skilling.

Purpose

The host needs to be able to take action after an audit. The recommendations that an auditor provides to address vulnerabilities must cover a range that allows an organization to address them in both the short-term and more comprehensively in the long-term. Knowing an organization's strengths and weaknesses will allow the auditor to provide more tailored recommendations that an organization will be more likely to attempt and achieve. In doing this the SAFETAG auditor has an opportunity to act as a trusted conduit between civil society organizations in need and organizations providing digital security training, technological support, legal assistance, and incident response.

Guiding Questions

    • What are the organizational areas of strength (expertise, finance, willingness to learn, staff time, etc.) that the organization can leverage when engaging in technological adoption/change?
    • What are the organizational areas of weakness (expertise, finance, willingness to learn, staff time, etc.) that need to be taken into consideration when engaging in technological adoption/change?
    • What are the organizational barriers to adoption?
    • Are the recommendations you are providing directly related to the security audit? If not, do they support the organization in accomplishing their security tasks, or distract from them?

Operational Security

  • Treat the data and analyses of this step with the utmost security.
  • Use a VPN or Tor when searching for resources if you are searching from a country that is highly competitive with the organization's country or is known to conduct surveillance.
  • Do not share any organization information or data when reaching out to possible resources.

Outputs

    • Short-term recommendations to address each vulnerability.
    • Long-term recommendations to address each vulnerability.
    • Summaries of why recommendations were not given for any vulnerabilities or adversaries.
    • Lists of organizations that can assist the host in accomplishing their task.
    • Lists of educational resources the organization can use for training.
    • Contact information for recommended trainers who can help with digital security training.

Activities