Process Mapping and Risk Modeling
Summary
This component allows an auditor to lead the host organization's staff in a series of activities to identify and prioritize the processes that are critical for the organization to carry out its work. These activities will also reveal the consequences if those critical processes were interrupted or exposed to a malicious actor. This results in the staff creating a risk matrix which is used as the foundation of the auditor's recommendations.
Purpose
Having the host organization central to the risk assessment process allows the auditor to put their threats and recommendations into the host's own narrative. With greater ownership of the process the staff will be more engaged in addressing the threats identified when the audit is complete. 1 By engaging as many staff as possible the auditor also is providing a framework for staff to examine future concerns when the auditor is gone. The existing in/formal security practices captured during this process will be used to remove organizational and psyco-social barriers to starting new practices.
The Flow of Information
Guiding Questions
- What are the critical organizational activities?
- What threats does the organization, its programs, partners, and beneficiaries face?
- What would the impact of these threats be if they were to occur?
- What adversaries (people or groups) may attempt to carry out threats?
- Are those adversaries capable of carrying out these threats?
Approaches
- Process and/or data mapping exercises
- One-on-One interviews with staff to supplement other group activities.
- Risk identification based on process or data mappings
- A classic group Risk Assessment Activity.
Note: Risk modeling will require a mixed approach of exercises, and the order which you identify each component will vary depending upon the organization.
If it was not possible to conduct these activities in person, you can conduct them remotely through applying one of the remote facilitation approaches described in the Remote Facilitation appendix.
Outputs
- Maps of critical processes.
- A list of organizational assets.
Operational Security
- Ensure that any physical notes/drawings are erased and destroyed once digitally recorded.
- Ensure that any digital recordings of this process are kept secure and encrypted.
- Consider who has physical and visual access to the room where this process takes place, and if the room can be secured if this activity may span long/overnight breaks.
Preparation
- Risk Modeling and Proccess Mapping exercises can be intense and challenging to facilitate. Prepare and review your exercises, and plan for how they will flow together. Note your specific desired outcomes to easily recover or re-direct the activity based on emergent needs.
Resources
Overview: "An Introduction to Threat Modeling" (Surveillance Self-Defense)
Guide: "Risk Assessment" (Workbook on Security: Practical Steps for Human Rights Defenders at Risk - Chapter 2)
Guide: "Threat Assessment: Chapter 2.5 p. 38" (Operational Security Management in Violent Environments (Revised Edition))
Guide: "Defining The Threshold Of Acceptable Risk" (Integrated Security)
Guide: "Guide for Conducting Risk Assessments" (NIST 800-30)
Report: "Risk Thresholds in Humanitarian Assistance" (European Interagency Security Forum)
Threat Modeling Resources (General)
Book: "Threat Modeling: Designing for Security" (Adam Shostack)
Website: "An Introduction to Threat Modeling" (Surveillance Self-Defense)
Article: "Security for Journalists, Part Two: Threat Modeling" (Jonathan Stray)
Guide: "Managing Information Security Risk: Organization, Mission, and Information System View" (NIST)
Guide: "Guide for Conducting Risk Assessments" (NIST)
Activity: "Threat Model Activity" (Tow Center )
Risk Assessment Activities
Guide: "Risk Assessment" (Operational Security Management in Violent Environments (Revised Edition) - Chapter 2)
Guide: Risk Assessment (Workbook on Security: Practical Steps for Human Rights Defenders at Risk - Chapter 2)
Book: "Pre-Mortum Strategy" (Sources of Power: How People Make Decisions - p.71)
Threat Assessment Activities
- Guide: "Threat Assessment: Chapter 2.5 p. 38" (Operational Security Management in Violent Environments (Revised Edition))
Example text for introducing threats - Integrated Security
Written exercise: Threats assessment - Integrated Security
- manual: Establishing the threat level of direct attacks (targeting) (Protection Manual for Human Rights Defenders)
Risk Matrix Activities
Guide: "Defining The Threshold Of Acceptable Risk" (Integrated Security)
Guide: "Risk Analysis: Chapter 2.7 - Operational Security Management in Violent Environments (Revised Edition)" (HPN - Humanitarian Practice Network)
Alternative Risk Modeling Activities
- Article: ["Operational Security Management in Violent Environments (Revised Edition)
- Chapter 2 Risk assessment"](http://www.odihpn.org/index.php?option=com_k2&view=item&layout=item&id=3159) (HPN - Humanitarian Practice Network)
Workbook on Security: Practical Steps for Human Rights Defenders at Risk
Guide: "Risk Assessment For Personal Security" (CPNI - Centre for the Protection of National Infrastructure)s
Guide: "Threat Assessment & the Security Circle" (Frontline Defenders)
Case Study: "Case Study 1 Creating a Security Policy" (Frontline Defenders)
Activities
undefined
"CSOs should gradually build a culture in which all staff, regardless of technical background, feel some responsibility for their own digital hygiene. While staff need not become technical experts, CSOs should attempt to raise the awareness of every staff member, from executive directors to interns - groups are only as strong as their weakest link—so that they can spot issues, reduce vulnerabilities, know where to go for further help, and educate others."↩
