This is the second in a series of blog posts sharing some stories gleaned from audits over the years (often combined from multiple experiences and with all identifying information removed). The goal is to share experiences and approaches to help new auditors get into the mindset of SAFETAG.
In the previous SAFETAG Story, we explained the “TRI” approach in choosing activities which take different approaches (Technical, Research, Interpersonal) in order to TRI-angulate (!!!) the reality of what is going on at an organization. That variety is critical, but sometimes not enough.
Even within one category, sometimes one approach just doesn’t work with the organization. The activity may be geared towards a small group, but the organization is large. It may expect people to be in one room, but the organization is distributed across locations and even time zones. Sometimes, it may just not work for reasons that are not clear.
The Forgotten Incident
At one audit, the audit team had gone through the normal motions of process mapping, talking about potential adversaries, ranking which risks and impacts were not acceptable, as well as research around digital challenges faced in their country and around their issue area. After almost a week, we had simply not found any specific concerns beyond the normal outdated computers and network glitches, and were looking forward to a simple and straightforward process for reporting audit findings and recommendations. SAFETAG recommends having some form of “debrief” at the end of every audit, to respect concerns and provide one last point of contact and reassurance to staff. During this, someone casually mentioned a theft from a few years back, where only the hard drives of the computers were stolen.
That… is an odd and very specific thing to steal. We had to have additional conversations to re-scope and re-prioritize some of the recommendations we had planned on providing, as well as re-think what threats this organization was actually facing.
This is a great example of a situation where multiple activities theoretically should have caught this -- from initial interviews with management and technical staff, to idle chatter during "Day in the Life" style direct engagement with staff members, or any of the group activities such as process mapping, data mapping, or in particular some of the risk rating exercises where the organization discusses previous incidents. An important lesson here is that while it can sometimes feel like you are repeating work or returning to questions you think you have the answers to, it can be the only way you uncover critical information.