Planning
71
these requirements are not adequately addressed. With the breadth of some of these
requirements, companies often do not know where to start, so an assessment is
performed to determine what needs to be done to become compliant with a given
law or regulation. In fact, for both HIPAA and GLBA, part of the legislation includes
a requirement to conduct a risk analysis. Clients having an assessment conducted
based on regulatory concerns want to know the specific steps to take to achieve
compliance. You will definitely use the law or regulation to help define scope and
as a standard against which to measure the information security program.
The deliverable resulting from this type of security assessment should be a set
of findings, risks, and recommendations that will identify security initiatives to help
achieve compliance with the law or regulation that is relevant to the client’s industry.
Because the client is most concerned with achieving compliance, the findings should
map back to specific parts of the law or regulation and the recommendations should
help ensure compliance. This type of document is also useful to show to government
auditors who audit for compliance with a given law or regulation.
Justification for Additional Funds for Information Security Initiatives
In companies today, budgets are very tight and most expenditures are questioned,
particularly those for which a solid return on investment (ROI) cannot be shown.
With information security, it is sometimes difficult to justify money because of the
perception that information security initiatives are not necessary. The attitude “nothing
has happened, so why spend money for security” often prevails.
Management does not always understand the risks associated with a security
weakness and that spending money proactively to fix something is far cheaper than
letting a security incident take place and dealing with the aftermath. In these cases,
a security assessment can highlight areas of concern and demonstrate what risks are
present in a given environment. The security assessment can also look at the risks
in aggregate and show management the potential impact of security incidents.
This type of exercise helps management see where it might be smart to
invest in securing the assets of the company. Clients who are looking to justify
funding probably have an idea of where they want to spend the money. In these
cases, the assessment may be focused on one or a small set of areas. One thing to
keep in mind is that you should always provide input on where it makes sense to
include or not include items in the scope of work.
Security Incident Has Occurred
For some companies, the importance of information security is not always apparent.
For these companies, if security is not tied to avoiding something tangible, such as
loss of revenue, additional cost, or negative publicity, they do not necessarily see
the value of information security. It sometimes takes a security incident to make them
notice the importance of information security. An incident such as a Web site being
defaced or a network being compromised can immediately raise security awareness.
After the realization that a security incident took place, the next questions from
management are “what other security weaknesses do we have and how do we prevent
AU1706_book.fm Page 71 Tuesday, August 17, 2004 11:02 AM