Non-profit organizations around the world are targeted by cybercrime, and don’t have the benefit of expensive services or personnel monitoring or protecting their systems.
These small organizations have valuable information – from pre-published research to healthcare data, records of environmental transgressions to election monitoring procedures – development and civil society work around the world collects reams of information that, in the wrong hands, can put an organization or its beneficiaries at risk.
Even a lost smartphone or laptop will contain contracts, financial data, and private conversations embedded in the constant steam of emails. Yet organizational security can feel like an impossible task, and many security audits or “penetration tests” are expensive and can be too aggressive for most small organizations. Vulnerabilities exist but fixing them is not necessarily high-priority for the organization.
Over the past two years, Internews has developed SAFETAG™ (Security Auditing Framework and Evaluation Template for Advocacy Groups) to address this challenge.
What is SAFETAG?
SAFETAG provides a framework that a digital security expert can use to help organizations identify and prioritize the risks they face and suggest a tightly-focused path to mitigating them. This path to increased safety is designed to be responsive to the actual capacity of an organization. This last element is critical. We have learned that even the best-laid plans will go to waste if the organization is not capable of implementation.
Audits based on the SAFETAG methodology start by working with the organization to explore the information and processes that they consider the most valuable.
For a media or journalism organization, for example, there might be calls and emails between a writer and confidential sources, which then turn into a working draft that is emailed between the author and editors before being sent to a webmaster to be added to the website. Are the phone calls sensitive? Should they be made over an encrypted connection? Where are the emails being stored? Work laptops? Personal smartphones? Email servers hosted by the organization?
The answers to each of these questions help the auditor and the organization think about where vulnerabilities that actually matter to the organization might be hiding. The process mixes interviews, exercises and technical verification and scanning, including documenting what the organization thinks it does versus what it actually does. The goal is to make all the organization’s processes and practices – not just the official ones – safe.
At the end of the day, SAFETAG is like the stone soup parable – the deepest impact comes from the organization taking the time to reflect on the threats they realistically face, the danger this puts them in, and their capacity to reduce these risks over time. The auditor is a catalyst with the resources to make it happen.
Radical Openness
Another way that SAFETAG differs from more traditional security audits is that the entire framework is open source and licensed for reuse and re-mixing. Even the trademark on the name “SAFETAG” is meant to encourage organizations to adapt and build on SAFETAG – it requires auditors to avoid calling their work a “SAFETAG audit” but instead use phrases more like “based on SAFETAG.”
SAFETAG continues to evolve – as of today, Internews has trained 13 digital security auditors around the world and performed audits and risk assessments based upon the SAFETAG methodology for 20 at-risk organizations. More exciting than that, however, is organic uptake of the SAFETAG methodology. Other organizations are conducting their own versions of audits based upon SAFETAG.
The entire methodology is open and available on github, with active conversations around the future of the framework visible in the issues queue. “Compiled” versions of SAFETAG are available at https://www.SAFETAG.org .
Jon Camfield is Senior Technologist and Digital Security Program Liason for Internews and this post was originally published as Meet SAFETAG: Helping Non-Profits Focus on Digital Security
As mentioned in the comments over on the original Medium post on SAFETAG (https://medium.com/local-voices-global-change/meet-safetag-helping-non-profits-focus-on-digital-security-6dec65b75d8a#.5jq880y2l), we’ll be at the Internet Freedom Festival next week, collaborating with a growing group of organizational security experts to build out this work further: https://medium.com/@joncamfield/a-quick-update-meet-us-at-the-internet-freedom-festival-next-week-d04d1d54727b#.two60uknt