Introduction
JOSA Audit is a tailored audit framework designed to meet the unique needs of small and medium non-profit organizations operating in the developing world. Our framework combines traditional penetration testing and risk assessment methodologies with best practices for working with at-risk organizations, taking into account capacity constraints and specific threats. The JOSA Audit framework is a comprehensive approach to digital security risk assessment and mitigation. The audit process involves a series of key steps that help organizations identify vulnerabilities, threats, and opportunities for improvement.
Based on the SafeTag framework, JOSA Audit provides a customized approach to digital security risk assessment and mitigation. By using the JOSA Audit framework, organizations can:
- Conduct a comprehensive digital security risk assessment
- Identify vulnerabilities and threats
- Develop a customized plan for mitigation and capacity-building
- Enhance their overall digital security posture
This framework is designed to be adaptable and flexible, allowing auditors to tailor their approach to the specific needs of each organization.
Key Concepts
The JOSA Audit framework relies on a set of key concepts to help organizations assess and manage their digital security risks. Below are definitions for each of these concepts:
- Actors: People connected to an organization, including staff, board members, contractors, partners, volunteers, and family members of principal actors.
- Activities: Actions and processes of an organization, including program-based concepts, payroll, and other operational tasks.
- Capacity: Staff skills and resources, including funding, networks, institutional processes, and policies that an organization can draw upon to effect change.
- Barriers: Specific challenges an organization faces that might limit or block its capacity, such as budget constraints or lack of expertise.
- Assets: Computer systems, data, and services, including laptops, servers, remote file storage, hosted websites, applications, webmail, and other digital resources.
- Vulnerabilities: Flaws or attributes of assets susceptible to attack, such as weak passwords or outdated software.
- Threats: Possible attacks or occurrences that could harm the organization, such as malware, phishing, or physical theft.
- Mitigations: Strategies to reduce vulnerabilities and threats, such as implementing firewalls, conducting regular backups, or providing security awareness training.
- Digital Security Risks: Potential threats to an organization’s digital assets, such as data breaches, cyber attacks, and unauthorized access.
- Capacity Building: The process of building an organization’s capacity to manage digital security risks, including training, awareness, and infrastructure development.
- Risk Assessment: The process of identifying, assessing, and prioritizing digital security risks to an organization.
Methodologies
The JOSA Audit framework consists of a collection of high-level methodologies and approaches that contribute to the overall goals of the audit. These methodologies are organized into three broad categories:
Technical Methods
- This approach involves using technical tools and techniques to gather and analyze data related to an organization’s digital infrastructure, including network configurations, system vulnerabilities, and security controls.
Research Methods
- This approach involves conducting research to gather and analyze data related to an organization’s digital security risks, including threat intelligence, industry benchmarks, and best practices.
Interpersonal Methods
- This approach involves gathering and analyzing data related to an organization’s people, processes, and culture, including staff skills and resources, policies, and procedures.
Data Flow
The JOSA Audit framework involves a cyclical process of data collection and analysis. Below is an overview of how data is collected and used in the audit process:
- Data Collection: Data is collected through a variety of methods, including technical assessments, research, and interpersonal interviews.
- Data Analysis: Collected data is analyzed to identify vulnerabilities, threats, and opportunities for improvement.
- Reporting: Results are presented to the organization in a clear and actionable format.
- Follow-up: The organization implements the recommendations, with ongoing support provided to ensure successful implementation.
Next Steps
To learn more about the JOSA Audit process, consider the following next steps:
- Explore the audit process: Outline the scope, objectives, and methodology of the audit.
Read more about the audit process.