CiviCERT Vetting Policy

LAST REVISION: 10 JUNE 2019

Purpose of vetting

Vetting beneficiaries is an exercise in reducing risk, both for CiviCERT members and for users at risk.

Some of the risks mitigated by vetting include: the risk to CiviCERT members of reputation damage from working with organizations that do not themselves uphold basic human rights, or that are controversial for any other reason; the risk of being socially engineered by our adversaries into releasing information, or into allowing adversaries a foothold on our platforms from which they could mount effective attacks on our operation; and the risk of adversaries consuming our resources with fake incidents, thus denying capability to the people and organizations that really require our assistance.

Vetting is the exercise of adequate due diligence on the beneficiaries we assist, to ensure they are truly users at risk.

CiviCERT’s Vetting Process

The process used by CiviCERT members to vet all new beneficiaries consists of the following steps:

  1. Initial evaluation
  2. Identify/contact potential vettors
  3. Evaluation of responses
  4. Sign off and recording

1. Initial evaluation

A certain amount of groundwork can be done initially via information sources such as Google, Wikipedia, the organization’s own website, Whois, PGP keyservers, etc., to make a determination of the validity of the organization and individual/s in question. None of these sources alone should be considered reliable, but taken together they make it possible to get some sense of the legitimacy of the organization/individual.

2. Identify/contact potential vettors

The next step is to identify potential vettors: we need to find someone we already know and trust who is prepared to vouch for the potential new beneficiary.

A good place to start is to look at the organization’s website, particularly any pages identifying members of the organization’s board. Board members are often high-profile people in the NGO space, so this presents an excellent way to identify potential vettors.

3. Evaluation of responses

What we are trying to establish is that the beneficiary is who they claim they are, and that they act rationally and with safety and respect for others.

This is never going to be a hard and fast ruling of “adequacy”, as the nature of the trust relationships is always going to be somewhat subjective. However, as a general heuristic, if someone we trust implicitly vouches for a new beneficiary we can consider them vetted. If we cannot find someone that we trust implicitly, then we would need two acquaintances whose reputations we trust, who both vouch for the new beneficiary, before we would consider the vetting adequate.

4. Sign off and recording

Each vetting process needs to be signed off by the team leader. The fact that the client has been through the vetting process and either been declined or successfully vetted is recorded in the organization’s ticketing system.

Changes to this policy

This policy can be changed during the annual CiviCERT meetings. Changes will be submitted in advance to the encrypted mailing list and discussed during the meetings.