Responsive Support

Summary

The auditor provides assistance for any immediate action needed (spot training, tool fixes, consulting on upcoming projects) -- this may also involve addressing vulnerabilities that triggered an incident response.

Purpose

In-audit activities and training are used to increase an organization's agency to seek out and address its immediate security challenges, and to enable the organization to securely receive and store the audit report.

Guiding Questions

    • Are there any critical vulnerabilities or remediation activities that the organization needs to understand more deeply in order to give them proper weight in the report?
    • How can you prepare the staff and management for aspects of the audit process that might lead to alienation or inhibit the process?
    • What is the organization's readiness and likelihood to succeed in engaging with security technology? What factors will complicate or inhibit the effective and safe uptake and use?
    • Is the support you want to provide (troubleshooting, fixes, upgrades, training, etc.) critical to the security of the organization? If not, can you provide that support without taking away from the audit?
    • Will you have the capacity to support software or hardware that you provided while providing support?

Operational Security

  • If you are providing software tools, make sure to check file signatures (and explain the process) - do not be the weak link or introduce malware into the organization!
  • Do not attempt to train on any topic that you are not knowledgeable on.
  • For any targeted training, especially on new tools, ensure that key personnel at the organization successfully use these tools during the audit timeline. This is especially important for secure communications tools the auditor hopes to use to follow up with the organization.
  • For any specific fixes or upgrades to the system, make sure that backups exist, and test extensively and with staff involvement after your intervention.
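
One way to carry out the file check from the first point above before handing tools to staff, as an added example that is not part of the original guide: it compares every file in a toolkit folder against a SHA-256 manifest and flags mismatched, missing and unlisted files. It assumes the manifest is in `sha256sum` format and that the manifest's own signature was already verified against the publisher's key (for example with `gpg --verify`); the function names and folder layout are illustrative.

```python
import hashlib
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse 'HEXDIGEST  filename' lines (sha256sum output format)."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, name = line.split(maxsplit=1)
        name = name.lstrip("*").strip()  # '*' marks binary mode
        # Reject entries that carry a directory component: the manifest
        # should only ever name files inside the toolkit folder itself.
        if len(digest) != 64 or Path(name).name != name:
            raise ValueError(f"bad manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_toolkit(toolkit_dir, manifest_text):
    """Return {filename: status}; only 'ok' files should be handed over."""
    folder = Path(toolkit_dir)
    expected = parse_manifest(manifest_text)
    present = {p.name for p in folder.iterdir() if p.is_file()}
    report = {}
    for name, digest in expected.items():
        if name not in present:
            report[name] = "missing"
        elif sha256_file(folder / name) == digest:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    for name in sorted(present - set(expected)):
        report[name] = "UNLISTED"  # nobody vouched for this file
    return report


def safe_to_distribute(report):
    """Fail closed: an empty report or any non-'ok' status blocks distribution."""
    return bool(report) and all(s == "ok" for s in report.values())
```

The per-file report can be shown to staff while explaining the process, so they can repeat the same check on future downloads.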

Preparation

    Baseline Skills

    • Experience giving digital security training
    • Each training guide has detailed lists of materials needed and trainer preparation - preview and prepare for any training you plan to give.

Outputs

    • Organizational capacity to communicate and store data securely
    • Enhanced organizational capacity
    • Mitigation of critical risks
    • Contacts and/or next steps for any direct support or training needs of the organization

Activities

    References and resources for Responsive Support