The SAFETAG Curriculum has also been updated to better match the changes to the SAFETAG methodology over the past 2 years and to introduce some clarifying context (such as the TRI approach) for selecting activities.
Based on their work training auditors in Colombia, Fundación Karisma developed a custom curriculum (in Spanish) that adapts the SAFETAG methodology to the needs and context of Colombian civil society organizations. It is included in the 0.7.0 release and is also available directly from Karisma: Currículo para auditores de seguridad digital.
SAFETAG Fellows and partners gathered for a 3-day workshop in September 2018 to expand the guidance that the SAFETAG framework has for auditors to assist organizations facing emerging challenges and new technology such as increased reliance on cloud services, the Internet of Things, and more.
In addition, AccessNow developed two new activities from their work with vulnerable populations, which help capture the personal aspects of organizational security.
Thanks to all the contributions and support from the fellows in creating this!
This updated content is available in the repository and as pre-compiled PDFs in the 0.7 release.
New Method and Activities for reviewing organizational policies
While implicit across multiple parts of SAFETAG, this new method formalizes a process for reviewing both the formal and the informal policies and practices of an organization. It leverages inputs from the Capacity Assessment methodology and adds two specific exercises: one for working with organizations that have formal policies, and one for identifying informal agreements and practices.
New and Updated Activities
"Night in the Life"
In this activity the auditor discusses with staff the practices, personal devices, software, and other security capabilities they use outside of work. The results are used to develop a report component showing how practices outside of work can affect staff members' personal security and that of the organization.
Doxing (also "doxxing" or "d0xing", a word derived from "documents" or "docs") consists of tracing and gathering information about someone using sources that are freely available on the internet (known as OSINT, or Open Source INTelligence).
Doxing is premised on the idea that "the more you know about your target, the easier it will be to find their flaws". A malicious actor may use this method to identify valuable information about their target. Once they have found sensitive information, they may publish it for defamation, blackmail the target, or use it for other goals.
This activity aims to help participants identify any unwanted personal information that may be publicly available online, and to make them aware of the risk of doxing and how to prevent it.
Cloud Provider Assessment
It is increasingly difficult to run complex organizations without some reliance on cloud-based service providers for email hosting, web hosting, or document management and backup. Organizations (with the auditor's assistance) should review their options when selecting cloud providers, and in parallel consider practices and policies for their use that meet the organization's security requirements.
This activity helps auditors enumerate the cloud providers the organization works with (both formally/officially and as shadow IT infrastructure), map out what data and metadata is shared where and what access and technical controls are available, and assess the resulting risks.
Updates to Network Scanning: Assessing IoT devices
We have significantly updated and streamlined the network scanning activity to include overall guidelines for identifying and assessing IoT devices on office networks. In addition, it's worth highlighting an entire activity devoted to working with VoIP systems.
Work still in draft
We also began a section called "Fear Mapping" to help identify, quantify, and manage fears. See issue #397 for the status and next steps.