Seamus Tuohy
Like fixing networking issues or other non-audit components that can cloud the audit outputs and tasks with other tasks for the organization and possibly get in the way of adoption.
This has been reported as difficult by nearly all auditors, and guidance should be gathered from all auditors and built into SAFETAG.
As an extension of being mindful of an "Auditors Role" in the host's community (see https://github.com/OpenInternet/SAFETAG/issues/204) an auditor needs to be mindful of how they are perceived during the audit....
Connecting technical vulnerabilities to the everyday priorities of an organization with little technical capacity is difficult. We need more information in the road-mapping section on how auditors can build overarching...
This is essentially our triad of information verification piece that we need to add in (facilitative, technical, research) as well as how an auditor prioritizes risks and mitigations based upon...
Creating a cohesive narrative is difficult, especially with multiple auditors with different skill sets and backgrounds. But, a solid narrative based on what the host cares about is critical for...
It should cover - creating the initial plan - identifying staff availability during an audit and revising the plan - identifying who needs to be in the room when running...
Talk about the implications of multi-organizational groups and auditors connecting them in the pre-audit section. The auditor's connection to the host's funding organization or partners can have a substantial impact...
This should cover what types of questions to ask which members of the organization. (e.g. don't ask the IT person about physical security, or the head of the organization about...
We need better documentation for explaining SAFETAG to organizations who will be subject to audits. This should give an organization an idea of the scope of the audit.