
15 Tips for Conducting Remote SAFETAG Audits


The COVID-19 pandemic has led to a dramatic increase in the need for remote audits and other virtual digital security interventions. Auditors are having to adapt their approaches and respond to new security threats and landscapes. In coordination with auditors across the globe, Internews has developed a Remote Audit Playlist, a collection of SAFETAG activities that can be performed remotely under varying conditions from low bandwidth to distributed team scenarios. While remote audits are new for some practitioners, others have been implementing them for years. Below are some of the lessons Internews and our partners have learned while conducting remote SAFETAG audits.

  1. Building trust is critical, but comes less naturally during remote audits. Accept that you will need to address this ‘confidence gap’. Establish trust relationships with senior people or ‘champions’ of the audit in the organization and allow them to introduce you to other participants and interviewees. Use video during online calls (if possible) to make up for the loss of in-person body language. During group calls, schedule strategic breaks in the programming or meeting for ice breakers. Sharing your own style and personal way of reporting with participants is also important; it helps to establish a better connection and a mutual level of trust. Frequent check-ins can also help you gauge how participants are feeling at any given moment.

  2. Get organized with your remote tooling and processes. Start with clear communication and planning with the organization. Ensure they understand what to expect and when. Practice your remote facilitation with the tools and activities you plan to run in your audit. Templatize your data assessment exercise, your semi-structured interviews, and your risk mapping activities. Whatever you can do to make things easier to repeat is great to have in your toolbox for next time and helps with keeping things organized.

  3. Allow extra time for the full engagement. While you may be able to carry out all interviews, group discussions, and technical investigations over the course of a few days when engaging in-person, expect remote engagements to take longer. Most people have a limit to the amount of time they can commit to online calls and may already be overwhelmed with them. Leave sufficient breathing room in your audit schedule.

  4. Share a pre-audit survey with staff members. An online survey sent to all staff members can help you, as an auditor, find out which members of the organization are most interested in knowing about the security gaps and mitigation strategies. It can also help you identify different user experiences, levels of security practice, and levels of awareness within the organization. Send reminders and enlist the help of senior management or leadership to encourage respondents to complete the survey. Know that not all staff will respond, but seek to obtain a key sample of staff such as IT personnel, a mix of technical and non-technical staff, management, and staff in high-risk programmatic positions. Getting a variety of user views and experiences is important.

  5. When sharing an online form or survey related to baseline best practices, closed-ended questions work best. This will keep the survey short and more people are likely to respond. Save the open-ended questions for the interview.

  6. Resist the urge to only do the technical pentesting exercises. SAFETAG is made up of a variety of different components, of which only some are technical. The interpersonal methods are very important to help build your understanding of what the organization values and how it protects those assets.

  7. Interweave group, one-on-one, and technical activities. Plan an audit strategy which combines key moments of group engagement (for instance an audit kick-off call, risk assessments, team/department meetings, and presentation of preliminary findings) with one-on-one interviews and technical assessment activities (such as vulnerability assessment, open source intelligence, and network scanning). Remember that the audit process is iterative: as you discover new information from group calls, you will uncover new assets to scan and add questions to discuss with individual team members.

  8. Schedule interviews with key staff members to follow up on survey responses and ask clarifying questions. It is best to limit these interviews to one hour, as anything longer than this can feel overwhelming and can be difficult to schedule. Agree on the logistics in advance (e.g. which platform you will use to connect).

  9. Familiarize yourself with the technology that the organization uses prior to the remote audit. If you are not yet familiar with the platforms or tools that they use, do some research prior to the audit so that learning about the technology does not take up your limited interview time. Also spend time using the SAFETAG reconnaissance activities to form an independent understanding of their digital footprint and technology used.

  10. It can be helpful to share the interview questions and/or checklists prior to the interview. This can help staff members understand what to expect and prepare for the interview. Since time is limited, this can help eliminate the need for staff to spend interview time finding answers to your questions.

  11. Have a script and an agenda ready to go prior to the meeting. In person, it is easier to go with the flow and dive into topics as they come up, but unstructured conversations online are much more difficult to navigate. It is helpful to have a plan and a structure to follow during the remote assessment.

  12. Prepare for internet connectivity issues. At times there will be challenges with internet connectivity on both the interviewee's and the auditor's side. In order to set yourself up for a successful remote audit interview and user device assessment, consider the internet connection available before proceeding with the task. Also, have a clear plan of action established in case you are disconnected. For example, specify which communication channel you will use to follow up.

  13. Give staff members an indication of what to expect. Before remote interactions, let them know you will be looking into their device and browser. This will give participants the opportunity to close any windows they do not want to share. Also be sure to flag any tools you may be using during the interview (such as TeamViewer). Explain what the tool is capable of, and provide instructions for installing it before the interview and uninstalling it once the interview is complete.

  14. Different organizations will have different challenges. Online assessments are easier for smaller organizations. Simpler infrastructures have fewer potential issues and are typically easier to manage. For organizations that are already accustomed to a remote-work culture, online assessments come more naturally. For larger organizations with customized systems, remote audits can be more complicated, and in some cases impossible.

  15. Make it fun! Use interactive approaches to engage participants especially in group calls. Consider using shared pads, polls, quizzes, whiteboards, and other visual simultaneous collaboration tools.