Seamus Tuohy
Doing the entire process can possibly seem bureaucratic to host organizations. This would help auditors ID the essentials in that situation.
An example or mini case study will help picture what an output would look like in practice; what is currently under example is an operationalisation of regional context research.
It may make sense to state a minimum (encrypted hard drive, border precautions) and some best practices/strategies (travel with an empty laptop, access info offsite, miniSDs etc)
Great to see existing audits from different vendors. Concretizing this section into the curricula will make it available to trainers other than the SAFETAG team.
Add activities in curricula where participants write different exec summaries for different parties.
Great to see existing audits from different vendors. As a good exercise, perhaps having participants write an executive summary for a director, a funder, a board of directors, and a...
Re: the instability of OpenVAS: Really interesting to see what is possible with vulnerability scanning, but would have been great to unpack, step-by-step, a canned experience so we weren’t relying...
E.g.: Wifi-Cracking is a really cool exercise and was exciting to learn how to do. Given that it might play a small part in an audit, perhaps we should spend...
Mapping of adversaries, threats, likelihood, and damage level to understand priorities was super helpful. Including a final output as an example would have been very useful to understand how to...
Keeping the role of each tool in perspective is important so we don’t get lost in the testing of each of them but lose sight of objectives. E.g. Recon-ng is...
We should practice managing expectations (how do you explain an audit without freaking someone out or making them think it will solve everything?) and explaining how an audit fits into...