Responsive Support
Summary
The auditor provides assistance for any immediate action needed (spot training, tool fixes, consulting on upcoming projects) -- this may also involve addressing vulnerabilities that triggered an incident response.
Purpose
In-audit activities and training are used to increase an organization's agency to seek out and address immediate security challenges within their organization, as well as enabling the organization to securely receive and store the audit report.
The Flow of Information
Guiding Questions
- Are there any critical vulnerabilities or remediation activities that the organization needs a deeper understanding to give proper weight to in the report?
- How can you prepare the staff and management for aspects of the audit process might lead to alienation or inhibit the process?
- What is the organization's readiness and likelihood to succeed in engaging with security technology? What factors will complicate or inhibit the effective and safe uptake and use?
- Is the support you want to provide (troubleshooting, fixes, upgrades, training, etc.) critical to the security of the organization? If not, can you provide that support without taking away from the audit?
- Will you have the capacity to support software or hardware that you provided while providing support?
Approaches
- Targeted Training: Educational components can be introduced in order to cover the digital security basics, satisfy the team's expectations and motivate the target group to include digital security practices in their everyday lives.
- Targeted Support: The auditor can provide small targeted technical/policy development support where there expertise overlaps and the audit time-line allows.
Outputs
- Organizational capacity to communicate and store data securely
- Enhanced organizational capacity
- Mitigation of critical risks.
Operational Security
- If you are providing software tools, make sure to check file signatures (and explain the process) - do not be the weak link or introduce malware into the organization!
- Do not attempt to train on any topic that you are not knowledgeable on.
- For any targeted training, especially on new tools, ensure that key personnel at the organization successfully use these tools during the audit timeline. This is especially important for secure communications tools the auditor hopes to use to follow-up with the organization.
- For any specific fixes or upgrades to the system, make sure that backups exist and to test extensively and with staff involvement after your intervention.
Preparation
Baseline Skills
- Experience giving digital security training
- Each training guide has detailed lists of materials needed and trainer preparation - preview and prepare for any training you plan to give.
Resources
Facilitation Preparation
Tip Sheet: Facilitator Preparation Tips ( Integrated Security )
Guidelines: "Facilitator Guidelines" (Aspiration Tech)
Guide: "Session_Design" (Aspiration Tech)
Kit: "Resource Kit" (eQualit.ie)
Questions: "Pre-Event_Questions" (Aspiration Tech)
Guide: "Break Outs" (Aspiration Tech)
Resources: "Be a Better Trainer" (Level-up)
Digital Security Trainings
- Curricula: Level-Up: Resources for the global digital safety training community.
- Curricula: eQualit.ie's Trainer's Curricula (also in Russian)
- Training Manual: Workbook on Security: Practical Steps for Human Rights Defenders at Risk
- Trainer Handbook: "SaferJourno" (Internews)
Digital Security Guides
Multi-lingual Guides: Security in a Box
Guide: "Surveillance Self-Defense" (EFF)
Guide: "The Digital First Aid Kit" (Digital Defenders Partnership)
Guides: "Protektor Services Manuals" (Protektor Services)
Guide: "Cryptoparty Handbook" (CryptoParty)
Guide: "Bypassing Internet Censorship" (Floss Manuals)
Training Resources
- Directory: "Security Training Firms" (CPJ)
Activities
undefined
