Introduction

The Security Auditing Framework and Evaluation Template for Advocacy Groups (SAFETAG) is a professional audit framework that adapts traditional penetration testing and risk assessment methodologies to be relevant to small, non-profit, human rights organizations based or operating in the developing world. SAFETAG is based upon a set of principles, activities, and best practices that allow digital security auditors to best support at-risk organizations by working with them to identify the risks they face and the next steps they need to take to address them, and by giving guidance on how to seek out support in the future.

SAFETAG audits are targeted at serving small-scale civil society organizations or independent media houses that have strong digital security concerns but do not have the funds to afford a traditional digital security audit. The traditional security-audit framework is based upon the assumption that an organization has the time, money, and capacity to aim for as close to perfect security as possible. Low-income at-risk groups have none of these luxuries. Traditional audits are both far too expensive and produce output that is too complex for these organizations to act upon.

SAFETAG uses a customized combination of selected assessment activities derived from standards in the security auditing world and best practices for working with small-scale at-risk organizations to provide organization-driven risk assessment and mitigation consultation. SAFETAG auditors lead an organizational risk modeling process that helps staff and leadership take an institutional lens on their digital security problems, conduct a targeted digital security audit to expose vulnerabilities that impact the vital processes and assets identified, and provide post-audit reporting and follow-up that helps the organization and staff identify the training and technical support that they need to address needs identified in the audit and in the future.
info@safetag.org | https://safetag.org
