Planning
79
4. Standards
The final aspect of developing the scope is deciding on standards to use. Standards
could mean internal standards such as company security policies and procedures or
external standards such as ISO 17799. With this client, no security policies and
procedures are in place. You should talk about best practice standards such as ISO
17799 and technical standards such as the National Institute of Standards and
Technology (NIST) standards. In this case, the client is probably expecting you to
make some suggestions about standards to use. As an independent party, you should
suggest what standard would be appropriate to use for the assessment.
At this point, the scope of work for this security assessment is defined. You
should also have a fairly good sense for the timing and skill sets required to do the
assessment. Keep in mind that this is an estimate at this point. It is very possible
that some things might change as a result of information you uncover during the
assessment. Minor changes should be expected. For more significant changes, there
should be a process for changing the scope.
Potential Scope Issues
Arguably, properly defining the scope is the most critical aspect of a security
assessment. This is especially the case in large environments, where there is
potentially so much to review. Because scope definition is very important, it is
valuable to go through some of the common problems you might face when you go
through the exercise of defining the scope and as you conduct the security assessment.
Scope Creep
Scope creep is a typical problem in consulting engagements where the original
agreed-upon scope is significantly changed or expanded. As you discover security
problems, they will naturally lead you to other areas that you did not necessarily
plan for or have the right skill sets for. Scope creep is managed by sticking to the
agreed-upon scope of work to the extent possible. Through the regular status
meetings, you must educate the client right from the beginning about staying within
the scope. Clients must understand that any significant changes to the scope will be
handled through a change control process to allow for the potential changes in timing
and resources. As a security consultant (or internal employee) performing the
assessment, if you do not manage scope creep, you run the risk of not having the
time or the appropriate skill sets to handle the security assessment and thereby not
meeting the client's expectations. As you go through the evaluation, it is important
to keep referring to the scope so you can stay focused.
Incorrect Assumptions
As you plan the work based on the scope, you make certain assumptions about the
company based on what the client is telling you. In some cases, key assumptions
will turn out to be incorrect and will affect your work. For example, the client
might tell you that there is a network topology diagram that can be reviewed.
During the assessment, however, you may discover that the diagram
AU1706_book.fm Page 79 Tuesday, August 17, 2004 11:02 AM