Planning
77
Based on the information above, the scope of work involves a general review of the
entire business and associated security exposures.
Define the Scope of Work
From an organization/business perspective, the scope will cover the company’s entire
operation. The next step is to define the activities that will be performed during the
course of the assessment based on the information obtained. This process, which is
in line with the methodology discussed in this book, is a way to help us plan the work
and determine what type of resources will be required to complete the assessment.
As you will see when we start discussing the assessment process at the client
site in subsequent phases, the main items that drive the work effort include interviews
with key individuals to gain an understanding of business processes and associated
security exposures and the detailed technology testing. The technology you actually
test will be determined from interviews with the business process owners, which
will primarily happen in the Business Process Evaluation phase.
During this process of defining the scope and determining the work effort, some
guesswork is necessary. Keep in mind that this process is for estimation purposes for
determining the appropriate time and resources to complete the assessment. Because
this scope will be shared with the client, this process will also help set expectations
with the client about the specific activities to take place in the assessment.
The four items to work through during the scope definition process include:
• Interviews with management and process owners
• Interviews with security personnel
• Technical testing
• Determination of standards
1. Interviews with Management and Process Owners
The purpose of these interviews is to gain a good understanding of business processes
and identify potential security risks. The list of individuals below is based on the
initial discussion of the company, what it does, and how it is organized. The time
spent for each interview is an estimation based on a number of factors including
how much information was gained during the initial preparation and how complicated
you think the processes will be. As a standard estimate, you should try to
budget approximately one to two hours with each interviewee to make sure you have
enough time to obtain the necessary information. For each of these individuals, you
will have to prepare the appropriate question sets, as discussed in the next phase.
In this example, the people to meet include the following:
• IT manager
• One system administrator
• IT help desk personnel
• Order entry process owner
• Shipping process owner
• Manufacturing application owner
AU1706_book.fm Page 77 Tuesday, August 17, 2004 11:02 AM
A Practical Guide to Security Assessments
• Finance application owner
• B2B application owner
• System administrator for servers running finance and manufacturing applications and database(s)
• Human resources personnel handling addition of new users, termination of users, and orientation-type issues such as educating users about acceptable use
The list above covers the key areas of the business, helping us understand it and
determine where some of the security vulnerabilities might be. From a time
perspective, you can safely estimate that these interviews will take 18 to 24 hours
in total.
2. Security Personnel
As part of this effort, you must also cover the essential areas of security that might
not be addressed in the process owner interviews, such as the following:
• User ID administration
• Physical security
• Backup and recovery
• Change management
• Incident handling
3. Technical Testing
The technical testing in this case includes a combination of automated testing using
tools and manual testing. The client has identified the critical systems, which include
the network, the finance and manufacturing systems, and the B2B application, which
requires Internet connectivity. The time estimate for this work depends on the skill
sets you have in place (or will get for the assessment) and the tools you have in
place. For this particular assessment, you should perform some combination of scans
on the network, running specific tools on the database and the B2B application, and
some manual testing. Note that this is a preliminary list of technologies to test, which
is all right for scope purposes. The list will be finalized after business processes are
analyzed and critical technologies to be tested are identified. Below is the preliminary
list:
• Network
• Finance application
• Manufacturing application
• Database
• B2B application
Time estimates for doing the technology evaluation will vary based on what you
can do using automated tools and what you will have to do manually. Someone
technical should probably estimate the time for doing this testing.
4. Standards
The final aspect of developing the scope is deciding on standards to use. Standards
could mean internal standards such as company security policies and procedures or
external standards such as ISO 17799. With this client, no security policies and
procedures are in place. You should talk about best practice standards such as ISO
17799 and technical standards such as the National Institute of Standards and
Technology (NIST) standards. In this case, the client is probably expecting you to
make some suggestions about standards to use. As an independent party, you should
suggest what standard would be appropriate to use for the assessment.
At this point, the scope of work for this security assessment is defined. You
should also have a fairly good sense for the timing and skill sets required to do the
assessment. Keep in mind that this is an estimate at this point. It is very possible
that some things might change as a result of information you uncover during the
assessment. Minor changes should be expected. For more significant changes, there
should be a process for changing the scope.
POTENTIAL SCOPE ISSUES
Arguably, properly defining the scope is the most critical aspect of a security
assessment. This is especially the case in large environments, where there is
potentially so much to review. Because scope definition is very important, it is valuable
to go through some of the common problems you might face when you go through
the exercise of defining the scope and as you conduct the security assessment.
Scope Creep
Scope creep is a typical problem in consulting engagements where the original
agreed-upon scope is significantly changed or expanded. As you discover security
problems, they will naturally lead you to other areas that you did not necessarily
plan for or have the right skill sets for. Scope creep is managed by sticking to the
agreed-upon scope of work to the extent possible. Through the regular status
meetings, you must educate the client right from the beginning about staying within the
scope. Clients must understand that any significant changes to the scope will be
handled through a change control process to allow for the potential changes in timing
and resources. As a security consultant (or internal employee) performing the
assessment, if you do not manage scope creep, you run the risk of not having the time or
the appropriate skill sets to handle the security assessment and thereby not meeting
the client’s expectations. As you go through the evaluation, it is important to keep
referring to the scope so you can stay focused.
Incorrect Assumptions
As you plan the work based on the scope, you make certain assumptions about the
company based on what the client is telling you. There will be cases where certain
key assumptions will be made that are incorrect and will impact your work. For
example, the client might tell you that there is a network topology diagram that can
be reviewed. During the assessment, however, you may discover that the diagram
is two years old and was not updated to reflect significant changes made during the
last six months. In this case, because the network diagram is essentially useless, you
will be forced to spend time mapping the network to understand what is on the
network and what it looks like. Depending on the size of the network, this can take
a significant amount of time.
Another example is where the client has taken on the responsibility of arranging
interviews with the business process owners. You are completely dependent on the
client to set up these meetings, but you still are accountable for certain work to be
completed in a given time frame. If the client does not handle these logistical
responsibilities properly, your work will be impacted.
The point is that key assumptions that can impact your work should be
documented and agreed to up front. These assumptions should be discussed in detail with
clients, who should understand their role and the dependencies.
Lack of Standards
The client might tell you that the company has security policies and procedures in
place and that they should be used as standards. When you start conducting the
assessment, you might realize that the policies are so high level that they really
cannot be used as a standard and the procedures are mostly nonexistent. You are
now faced with a situation where you have nothing to use as a standard. In this case,
you must talk to the client about using another standard or trying to “interpret” the
existing security policies with enough detail so that they can be used as a standard.
If you take the route of interpreting the high-level policies, it can involve a very
significant amount of additional work. You must agree to a standard at the outset of
the assessment in any case. As a security practitioner, you should present the client
with options for standards. Chapter 9 of this book discusses some of the more
recognized information security standards.
Staffing
At this point, the scope of the security assessment is defined and the type of skill
sets required is known for the most part. You are ready to start thinking about staffing
(Figure 4.2).
There are two aspects to staffing. First, the party performing the assessment
must assemble their team. Second, the client has to decide whether to use internal
employees or a third party.
Note: For purposes of this methodology, we will generally assume that a third-party
consultant is conducting the security assessment. If there are differences in how an
internal resource and a third-party consultant might approach something, the
difference is stated.
FIGURE 4.2 Staffing. (Planning phase flow: Define scope → Staffing → Kickoff meeting → Develop project plan → Set client expectations)