An organization is requesting assistance on digital security, but their request is not clear; an organization would like to receive help to improve their practices, but we are unsure what their needs are; an organization is asking for a lightweight security assessment; an incident handler is looking for guidance to better evaluate the risks for an organization
Edit me

Lightweight Security Assessment

Basic framework to better understand the client’s digital security needs

Problem

Organizations don’t always know exactly what their main risks are. In other situations, what an organization considers to be the highest risk is not actually their main issue. Understanding what is important for an organization, and what their risks are, is key to successfully improving their digital security.

Through this article, we aim to provide guidance to incident handlers in performing a light risk assessment for Helpline clients.

Solution

In order to prioritize the digital security work that needs to be done, there are important questions that must be answered. However, obtaining responses to these questions is not usually as simple as asking directly.

Clients will not always understand what we are asking. You should form appropriate questions uniquely for each client. Keep in mind that you are looking for the necessary information to reply to all of the questions. Try to make this a conversation rather than only a question and answer session.

Before arranging a call with the client, do your own investigation. Look for information on their website, try to understand what work the organization is doing. The more prepared you are before talking directly with the client, the more important details you will be able to obtain. Make sure you take detailed notes during the call or meeting.

Questions for you and the client to consider

Actors
  • What staff does the organization have?
  • Are there volunteers, maintenance, cleaning, security, or other non-critical staff who have access to the office/s?
  • How do they manage new hires, visitors, contractors, or interns?
  • If the organization has a website, who manages it? Is it staff, an external service, or volunteers?
  • Do they have IT support? If so, who provides it?
  • Who does the organization serve?
  • Does the organization have any partners?
  • Who are the organization’s beneficiaries?
Assets
  • How many offices does the organization have?
  • What are the critical organizational activities?
  • What data do they store and where do they store it? (reports, HR violations, campaign information, documents, affiliations, list of members, list of donors etc.)
  • What communication tools does the organization use? (email, phone, chat…)
  • On what email provider or providers do staff have their email accounts? [When you have the answer, check that these accounts work with TLS.]
  • What kind of hardware, operating systems and services are being hosted or used by the organization? (websites, social media accounts…)
  • How do they connect to the internet? Do they have their own network?
  • If the organization has a website, is TLS/SSH implemented?
  • What would the impact of the identified threats be if they were to occur?
  • What is the client most concerned about?
Threat History
  • Who might object to the work the organization is doing? (Who might be their adversaries?)
  • What history of attacks does the threat actor have?
  • What techniques have they used? Have they targeted vulnerabilities that the organization currently has?
  • Have they targeted similar organizations? Have they targeted actors similar to the organization’s partners or beneficiaries?
  • What is known about the types of threats used by a threat actor to attack similar organizations?
Threat Capability
  • Does the threat actor have the means to exploit a vulnerability that the organization currently has?
  • Does the threat actor have the means to leverage widespread threats against all similar organizations, or will they have to prioritize their targets?
Threat Intent
  • Does the threat actor currently have the desire to conduct an attack against this type of organization?
  • Is the organization a priority threat target for the threat actor?
Context Research
  • What infrastructural barriers exist in the region?
  • What are the top, non-targeted digital threats in this region?
  • What are the top targeted digital threats facing organizations doing this work in this region / country?
  • Are there legal ramifications to digital security in the country? (e.g. legality of encryption, anonymity tools, etc.)
  • Has any organization or individual made specific threats, or demonstrated intention or mindset to attack the organization or similar organizations?
Capacity Assessment
  • What is the organization’s ability to adopt new technologies or practices?
  • What resources does the organization have available to them?
  • What is the environment that the organization works within like? What barriers, threat actors, and other aspects influence their work?
  • Do they currently have any information (formal or informal) security policies implemented?
  • Have the organization’s staff received digital security training in the past? If so, was it effective? What did it cover?
  • Do they encrypt their communications? What tools do they use?
  • Are there any specific considerations for the audit that would require modifying the overall approach, tools, preparation steps, or timeline?

Questions for direct interventions (for incident handlers)

To decide if the Helpline should provide the required direct intervention (like trainings, audits, or digital security clinics), or refer the client to others, we should ask the following questions.

  • Can we tackle these issues remotely, or do we need to travel? If so, do we have the capacity to travel?
  • Is the requested direct intervention the solution to the client’s needs?
  • Do we have the capacity? Do we have a local partner?
  • Do we have opportunity for input into agenda, content, length, date, location?
  • Will the direct intervention have long-term positive effects for the client’s project/activity?

After gathering all of this information from the client, you should have enough details to understand what threats are more likely for the organization to face. These most likely threats will serve as a starting point for you to draft a remediation plan solving the most critical issues first.

Coordinate with your contact from the organization to decide how to best work with them for the remediation phase.

Comments

For high-risk organizations, please consider adding questions on advanced threats based on Article #262: Guiding Questions for High-Risk Organisations. Reference materials can be found in SAFETAG - Security Auditing Framework and Evaluation Template.

Tags: organization_security articles