For the past several years, the SAFETAG community has explored what remote support could be provided to organizations in situations where the auditor cannot travel to the organization or meet with staff in-person. There are also organizations which have distributed teams operating fully remotely or from multiple physical locations, making it difficult or impossible to conduct in-person audits. Though these conversations around remote audits began years ago, the recent COVID-19 pandemic has reignited discussions and led to a dramatic increase in the need for remote audits and other virtual digital security interventions. Civil society organizations around the world have been forced to migrate to a fully-remote workflow. This transition, in addition to creating new security challenges, has also required auditors to adapt the way in which they are providing support.
Internews, in coordination Digital Security Lab Ukraine, Defend Defenders, and Conexo, along with other partners around the globe, has developed a remote audit playlist, or collection of activities that can be performed remotely under varying conditions from low-bandwidth to distributed team scenarios. Some activities (such as reconnaissance) were already remote-friendly and do not require the auditor to be in-person. Other activities (such as device assessments) have been adapted to fit the remote context.
While the remote audit playlist includes a multitude of activities that can be done remotely, it is important to consider SAFETAG’s Minimal Viable Audit, designed as the starting point for an assessment to be considered viable under the SAFETAG framework.
Initial groundbreaking work to build a remote-friendly SAFETAG audit approach was first developed by the SAFETAG community during a 2017 content sprint. In 2020, however, remote-first audits have gone from being the exception to the rule, to driving the creation and refinement of approaches by Internews staff and partners in recent months.
This blog highlights some considerations auditors should keep in mind when organizing and facilitating a remote audit. We’ve also highlighted below where to find existing content for your next virtual audit.
General considerations when conducting a remote audit
Prepare for the audit to take more time than normal. When conducting remote audits, there are various factors to take into consideration in addition to those you would need to consider during in-person audits. A remote audit for example, almost certainly will require additional time due to scheduling, coordination, and remote logistics management. Be prepared for additional mishaps and factor in slow internet connections in any remote engagement.
Prepare to be flexible. Given we’re in the time of COVID, it is also wise to prepare to be flexible. Scheduling a team for a group exercise was difficult before the pandemic. Now it's even more challenging with alternate schedules and balancing life both in and outside of work. Think about smaller meetings and be intentional with who you invite. Don’t require the entire organization if you don’t really need every single person at the organization.
Build trust as best you can. This is an important factor to consider during remote audits, as your opportunity to ensure staff feel comfortable with you the auditor will be dependent on how you present yourself to them in a virtual setting. Remote meetings, particularly with individuals you are meeting for the first time, may require more effort to begin building that trust relationship with the individuals. Whereas in-person meetings allow for human connection and understanding through body language, remote meetings make nonverbal interactions more difficult. As such, it is helpful to use video meetings whenever possible.
There is no perfect virtual replacement for in-person activities. Auditors conducting a remote assessment must also accept this reality and be sure to communicate the limitations to the organization you are working with. Remote audits have additional constraints and we must live within this reality for the moment or circumstance. A remote audit may require a combination of tactics and ultimately some compromises. When meeting in-person with an organization, it is easier to gain buy-in and encourage participation. If individuals are working remotely, it may be more difficult to maintain engagement. Replacing a two-hour in-person meeting to map behaviors and workflows with a 50-question survey requesting the same information will likely not yield the same results.
Be prepared to not have all the information. Sometimes the very nature of the remote audit where you can’t check the office’s network or don’t have access to all the staff you need during the assessment process can leave you with information gaps that can be difficult to fill. Be creative in finding ways to connect the dots and look for the information as best you can.
Consider the size and structure of the organization. A smaller organization, or one that is already remote, is easier to assess since staff members typically have a better internet connection and are more comfortable with virtual meetings. Large organizations who are used to working together in an office setting may have more challenges with remote working and may make it more difficult to assess virtually.
While remote audits require additional considerations and are not a perfect replacement for in-person audits, they can be done effectively. In upcoming posts we will provide a step-by-step guide for conducting remote assessments, as well as an introduction to the new SAFETAG web interface, which will allow users to customize a playlist based on the specific needs of the organization being audited.