A Practical Guide to Security Assessments
Many readers of this book have probably already carried out some or most of this
methodology. The presentation here puts that methodology into a structured
format in which each step of the assessment is clear and in which it is easy to see
exactly where you are in the process at any given time. The discussion of the
methodology also shows why each step is important. As you go through the next
five chapters and read the details of the methodology, keep these key points in mind:
• The methodology is flexible. Security assessments will rarely go exactly
the way the methodology is laid out, so you need to be flexible. The
methodology is meant to accommodate such things as scheduling
conflicts or resource constraints. For example, the client may ask you to do
the first two phases, Planning and Initial Information Gathering, in a
compressed time frame in which some steps are not performed as
thoroughly as you would like (or perhaps not at all). In this case, the other
phases might take longer because you were not able to do as much
preparation as you would have liked. The methodology is meant to provide
a framework within which you can work; at times you will have to be
flexible with the individual steps, which is acceptable as long as you stay
within the general framework of the methodology.
• Steps can be combined. In some cases, you may be able to combine steps.
If this can be done and it makes the process more efficient, then it should
be done. For example, consider a security assessment for a small company,
where you conduct only a handful of interviews. In this case, the last three
steps of the planning phase (holding the kickoff meeting, developing
the project plan, and setting client expectations) might all be performed
together because the scope of work is very limited. Part of the
kickoff meeting can be used to go over a rough project plan consisting
of interviews and system testing, and you can set the client's expectations
regarding the assessment in the same meeting. The point is that each of
the steps should be addressed; you should take advantage of opportunities
to combine steps and make the process more efficient.
• Understanding the business is fundamental. The basis for this methodology
is that a security assessment starts with a solid understanding of the
business. You will read this time and again in this book. A fundamental
aspect of this methodology is that you cannot judge the criticality of
security risks without understanding the business and its mission-critical
business processes. The methodology stresses that the business drives
security and not the other way around.
• Communication with clients should be emphasized. One of the common
steps in each phase of the methodology is communication with the client.
Clients should always be kept aware of the progress of the assessment and
of the findings uncovered so far. This is important for two reasons. First,
clients have the opportunity to provide additional information that might
change the nature of a finding (for example, a compensating control the
assessor was not aware of). Second, the client is prepared to discuss the
findings when the final report is presented to management, rather than
hearing them for the first time in that meeting.