Open hackatom opened 6 years ago
For this and #336 , these could fit into what we currently have as "recommendations" under each exercise. One project we hope to improve under an upcoming project is better tracking of effective mitigations (e.g. an org with these attributes (large, decentralized, some funding for IT/sec) faced these threats (APT-level actors with a history of attacking this org) and these mitigations were recommended (policy changes, tools x, y, and z, training, etc.) -- this is where SAFETAG itself ends. With Risk Reduction Plans, we are taking those recommendations and implementing them while taking in to account their impact on security and their ease of adoption.
That's a long intro to the fact that "recommendations" are currently embedded in exercises, and face many of the same "1:many" relationship problems as exercises and methods. (I've long dreamed that an "exercise" should have a clear result which can be "fixed" with one or more recommendations, but this may be a level of simplicity which is not possible.
All of this is to say that these two ideas definitely fit in what we currently have as "recommendations," but perhaps that data structure itself will need to change and be more flexible.
A set of recommendations that is focused directly to advocacy groups needs seems a good path. The recommendations embedded within most of the activities are more of a "general" approach, usually what you'll find in along with the vulnerability details (e.g., OWASP, NVD etc). Also, with the "ease of adoption" often being one of the greatest challenge. We may implement or deploy "these" technologies but sooner, it will require support more than the "usual" support/training we provide during the handoff of these projects. That also is something to be considered.
Coming back this discussion (via #332) - Currently the Recommendations and Roadmap Development method doesn't contain much specifics on approaches and tools to fix many of the problems identified in the audit. So either we (a) consider consistently building better content in Recommendations sections, (b) build more centalised content in the Recommendations method, or (c) consider some kind of techy relational approach raised by @joncamfield above
I've been using OwnCloud as my personal backup and cloud data storage. I have it setup in a way I can access it my local cloud storage remotely via VPN. A lot of features may be helpful in building technological capacity for small organizations that needs backup, Mattermost, mail server, PABX etc.
https://owncloud.com/features