Responsive Support

Summary

The auditor provides assistance for any immediate action needed (spot training, tool fixes, consulting on upcoming projects) -- this may also involve addressing vulnerabilities that triggered an incident response.

Purpose

In-audit activities and training are used to increase an organization's agency to seek out and address immediate security challenges within their organization, as well as enabling the organization to securely receive and store the audit report.

Guiding Questions

Are there any critical vulnerabilities or remediation activities that the organization needs a deeper understanding to give proper weight to in the report?
How can you prepare the staff and management for aspects of the audit process might lead to alienation or inhibit the process?
What is the organization's readiness and likelihood to succeed in engaging with security technology? What factors will complicate or inhibit the effective and safe uptake and use?
Is the support you want to provide (troubleshooting, fixes, upgrades, training, etc.) critical to the security of the organization? If not, can you provide that support without taking away from the audit?
Will you have the capacity to support software or hardware that you provided while providing support?

Operational Security

If you are providing software tools, make sure to check file signatures (and explain the process) - do not be the weak link or introduce malware into the organization!
Do not attempt to train on any topic that you are not knowledgeable on.
For any targeted training, especially on new tools, ensure that key personnel at the organization successfully use these tools during the audit timeline. This is especially important for secure communications tools the auditor hopes to use to follow-up with the organization.
For any specific fixes or upgrades to the system, make sure that backups exist and to test extensively and with staff involvement after your intervention.

Preparation

Baseline Skills

Experience giving digital security training
Each training guide has detailed lists of materials needed and trainer preparation - preview and prepare for any training you plan to give.

Outputs

Organizational capacity to communicate and store data securely
Enhanced organizational capacity
Mitigation of critical risks.
Contacts and/or next steps for any direct support or training needs of the organization

References

Facilitation Preparation:

Tip Sheet: Facilitator Preparation Tips ( Integrated Security )
Guidelines: "Facilitator Guidelines" (Aspiration Tech)
Guide: "Session_Design" (Aspiration Tech)
Kit: "Resource Kit" (eQualit.ie)
Questions: "Pre-Event_Questions" (Aspiration Tech)
Guide: "Break Outs" (Aspiration Tech)
Resources: "Be a Better Trainer" (Level-up)

Digital Security Trainings:

Curricula: Level-Up: Resources for the global digital safety training community.
Curricula: eQualit.ie's Trainer's Curricula (also in Russian)
Training Manual: Workbook on Security: Practical Steps for Human Rights Defenders at Risk
Trainer Handbook: "SaferJourno" (Internews)

Digital Security Guides:

Multi-lingual Guides: Security in a Box
Resource: Front Line Defenders
Guide: "Surveillance Self-Defense" (EFF)
Guide: "The Digital First Aid Kit" (RaReNet)
Guides: "Protektor Services Manuals" (Protektor Services)
Guide: "Cryptoparty Handbook" (CryptoParty)
Guide: "Bypassing Internet Censorship" (Floss Manuals)

Training Resources: