This component allows the auditor to identify the relevant regional and technological context needed to provide a safe and informed SAFETAG audit. This component consists of desk research that is collected and analyzed by the auditor, as well as inputs from the Interview component.
Analysis of context is the foundation of effective risk management. Both at-risk organizations and auditors will develop assumptions based upon their experience. It is important that an audit is based on information that is current and accurate.
Checking the assumptions both of the organization and of the auditor by researching the current regional and technological context will ensure that an auditor is basing their work on accurate assessments of the conditions the organization faces and that they are making informed operational security considerations.
Other Context Analysis Methodologies
Article: "Section 2.3 Context analysis p. 30" (Operational Security Management in Violent Environments: (Revised Edition))
Guide: "Vulnerability Assessment: Training module for NGOs operating in Conflict Zones and High-Crime Areas" (Jonathan T. Dworken)
Threats to the Auditor
Have aid workers faced retribution for their work in the region?
Is it safe to do digital security work in the region?
Survey: "This is a survey of existing and proposed laws and regulations on cryptography - systems used for protecting information against unauthorized access.
" (The Crypto Law Survey)
Article: "Legal Issues in Penetration Testing" (Security Current)
Guide: "Encryption and International Travel" (Princeton University)
Is the area safe to travel to?
List: "Foreign travel advice" (GOV.UK)
Alerts: "Travel Alerts & Warnings" (US Department of State)
List: "List of airlines banned within the EU" (European Commission)
List: "A list of aircraft operators that have that have suffered an accident, serious incident or hijacking." (Aviation Safety Network)
List: "Travel Advice" (Australian Government)
Targeted Threats for the organization
Is the group facing any legal threats because of its work?
Does the organization face any targeted threats because of their work?
General Threats for the organization
What general non-governmental threats does the organization face?
Map: "A global display of Terrorism and Other Suspicious Events" (Global Incident Map)
Organization: "ReliefWeb has been the leading source for reliable and timely humanitarian information on global crises and disasters since 1996." (ReliefWeb)
Reports: International NGO Safety (NGO proof, subscription required, covers Afghanistan, CAR, DRC, Kenya, Mali, and Syria currently)
What cyber-security practices is the government using?
Reports: Privacy International's in-depth country reports and submissions to the United Nations. (Privacy International)
List: "National Cyber Security Policy and Legal Documents" (NATO Cooperative Cyber Defence Centre of Excellence)
Reports: "Country Reports" (Open Network Inititiative)
Portal: "Country Level Information security threats" (The ISC Project)
Country Profiles: "Current cybersecurity landscape based on the five pillars of the Global Cybersecurity Agenda namely Legal Measures, Technical Measures, Organisation Measures, Capacity Building and Cooperation." (Global Cybersecurity Index (GCI))
Organization: "The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, Canada focusing on advanced research and development at the intersection of Information and Communication Technologies (ICTs), human rights, and global security." (The Citizen Lab)
Map: "Cyber-Censorship Map" (Alkasir)
Dashboard: "At-A-Glance Web-Blockage Dashboard" (Herdict)
List: "Who publishes Transparency Reports?" (James Losey)
Overviews:"Cyberwellness Profiles" (ITU)
What general cyber-security threats is the organization facing?
Report: "The Internet Annual Security Threat Report" (Symantec)
Report: "Annual threat report" (Mandiant)
Reports: "APWG Phishing Attack Trends Reports" (Anti-Phishing Working Group)
Reports: "Secunia Country Reports" (Secunia)
Reports: "McAfee Threat Trends Papers" (McAfee)
Report: "Monthly intelligence report" (Symantec)
What level of technology is available in the region?
Database: "World Telecommunication/ICT Indicators database 2014" (WT-ICT)
Comparisons: "Country Comparisons" (CIA fact-book)
undefined