Building a shared framework for organizational security assessments

From IFF Wiki

Session Description

Growing demand in the security-for-civil-society community for organizational interventions guided by security audits/assessments has highlighted the need and opportunity to build a shared framework for organizational security auditing. Such a framework would provide a foundation that can be built upon as context and technology change. It would also allow the security-for-civil-society community to quickly train teams of auditors with varied subject matter expertise (technical, facilitative, legal, etc.), and create a more agile organizational security auditing and support community. The session will focus on sharing positive experiences and challenges from auditors who have used both SAFETAG and other audit approaches. To create a shared approach for organizational security, the session will capitalize on the close, collaborative, and trusted working environment to enable the exchange of sensitive topics surrounding the successes and failures in organizational security. The specific security topics the session discusses will emerge from the threats faced by the community, but are expected to include advanced malware analytics, physical and operational security, and server hardening, as well as the legal and reputational risks that are often used in tandem with them.

Presenter/s: Seamus Tuohy & Jon Camfield
Bio/s: Jon Camfield is Senior Technologist at Internews, with over a decade of experience in using technology for social change spanning the public, private, non-profit, and social enterprise sectors. He is one of the chief architects of the SAFETAG digital security risk assessment system. Seamus Tuohy is a Senior Technologist and Risk Advisor for Internews. He is one of the chief architects of the SAFETAG digital security risk assessment system and the designer and developer of the CoPilot censorship simulating trainer toolkit.
Language: English

Session Comments

See a "web" version of the open SAFETAG assessment framework at ; built almost automagically from the github source at Download the guide PDF (in English and Spanish) at

We love comments, issues, suggestions for changes and new resources at !

Shared Gaps in Org Security Assessment work

  • Organizational Structure
  • Distribution vs Centralization
  • Tech Capacity
  • Access to developers
  • Emotional capacity
  • Compliance Management
  • Resources (Cost + Time)
  • Knowledge gaps / changes
  • Is there a champion? How do we include them?
  • Risk tolerance (including non-digital, legal, physical...)
  • Willingness to change
  • Net access / infrastructure
  • Org culture - are there open discussions?
  • Training and learning in the org
  • Link between auditors and implementers

Actors and Inputs (blue/orange group)

Actors:

  • Trainers
  • Auditors
  • Audit facilitators
  • Peer orgs
  • Issue raisers / researchers / media
  • Org / target groups
  • Audit funders / donors
  • Org decision makers (deciders on doing it)
  • Staff (more technical, less technical)
  • Champions & previous examples
  • Other support orgs
  • Outside providers: hosting, tech support, email, cloud, hardware providers, software providers
  • Legal context

What's wrong / missing:

  • Staff behavior
  • Parallel processes
  • Resources (time, effort, trust) needed for assessment
  • Knowledge transfer
  • Transparent formal and informal policies
  • Costs involved; what's "right"
  • Resources and willingness to change
  • Resources needed for fixes
  • How does the goal relate to our assessment structure?
  • Legal and ethical assessment

Actors and Inputs (orange/blue group)

Regional and thematic context -> Funders, trainers, iNGOs, rapid response support

Design, functionality, feedback (bug reports); real "personas"; willingness and capacity to implement feedback (auditors) -> Tool devs

Evidence the audit was passed -> champions - awareness raising / ripple effect -> grassroots / individual stakeholders -> Lawyers

Holistic understanding of messaging risks for orgs -> communication plans / people

Assurance of security of the auditor (org need) -> Recommender / introducer

(no needs associated) -> 3rd party IT