A Practical Guide to Security Assessments
As a result, you will notice throughout the rest of the book references to “client,” which will be the company being assessed. In this section, however, we will discuss staffing from both the consultant’s perspective (i.e., gathering the right skill sets) and the client’s perspective (i.e., internal versus third-party consultant). Clearly, the client would have made their decision well before this stage of the assessment.
Consultant’s Perspective
From a consultant’s viewpoint, assembling the right resources is critical to a successful assessment. You will need to determine the staff based on what you defined in the scope in the last section. At this point, you should have done a fair amount of pre-sales activity to give you a good sense of what the company is all about.

The first step is to inventory all of the different skill sets you need to conduct the security assessment. Use your knowledge to write down the different skill sets, with a rating of how strong the resource has to be in a given area. When creating this inventory, consider the industry, the technology in use, and what tools you might use in conducting the assessment.

Based on that knowledge and how you defined the scope, you must assemble a staff. Some considerations to think about when putting a staff together are as follows:
Maturity — Assessments by their nature find weaknesses, and at times this can become sensitive with clients. People conducting these assessments should have a certain maturity level to handle adverse situations, uncooperative clients, etc., and get the job done. If you turn off or offend a client once, it can make the entire assessment difficult.

Industry experience — Different industries have their own nuances (e.g., regulations, unique business processes), which are useful to know about. For example, if you are doing an assessment of a company in a regulated industry, you may want to find someone with that particular experience. Note that not everyone on the team needs to have that experience. As long as there is one person, that is of great help.

Process experience — As you will see in this methodology, security is very much about process and the nuts and bolts of how things are done. A person with process experience can be helpful in interviewing business process owners (this will be discussed in Chapter 6 — Business Process Review).

Technology experience — You should get a sense of the technology that the client has in place and ensure that you have people on the team who are familiar with those technologies. Depending on how critical a particular technology is, you may want to find someone with significant experience in it. The other aspect of technical experience is based on what tools you think you might run in the client’s IT environment.

Ensuring that all areas are adequately covered — This consideration is really a catch-all. Go back and look at the inventory of skill sets and make sure that all of them are covered.
AU1706_book.fm Page 82 Tuesday, August 17, 2004 11:02 AM
Planning
Staffing is somewhat dynamic, and you may need to make some changes as you go further into the assessment. However, if the staffing exercise at this stage is thorough, the modifications you will need to make later should be minimal.
Client’s Perspective
The client must choose between going to an outside firm to conduct the assessment or using internal resources. The client’s choice of who does the assessment is driven by a number of factors, including:

Funding allocated for the project — Money always plays a big part in these projects, and depending on the funding or lack thereof, this can have an impact on the decision. If funds are used for an assessment, they must be justified, particularly if there are internal resources that can do the job.

Business driver for the assessment — As discussed in the previous section, the business driver for the assessment will play a part in determining who will ultimately perform it. For example, when dealing with an assessment prompted by a disgruntled employee situation, it might be a good idea to have outside consultants involved because of the sensitivity. The client might not want people inside the company to know too much, and the use of internal resources might involve a conflict of interest.

Resource availability — If the decision is made to have internal employees perform the assessment, they must be able to take time away from their regular jobs. If everyone is stretched to the limit and cannot afford the time, it might be difficult to have internal employees conduct the assessment. On the other hand, if the decision is made to go to a third party, you might find that the third party you want does not have availability for a significant period of time. In either case, the client must confirm that qualified people are available to come in and do the assessment.
Besides the considerations above, a number of advantages and disadvantages should be weighed when determining who does the assessment. In smaller companies, it will probably be an outside firm, because it is difficult to find any internal employees who would not have some conflict of interest. In large companies, however, there are independent groups such as the internal audit group. The next sections discuss the advantages and disadvantages of using internal resources versus outside consulting firms.
Internal Employees
When using internal resources, the employees’ knowledge of the company can be leveraged. Internal employees, especially those who have had exposure to many areas of the business, can provide a significant amount of the knowledge required in a security assessment. One of the main points in this book is that the foundation of an effective security assessment is that security must be evaluated in the context of the company’s business. The security assessment methodology must begin with understanding the business. To take it one step further, it is also important to know how the various business processes tie together and, ultimately, how these processes accomplish the goals of the company. Employees may know how they tie together and what dependencies exist among the different processes. In addition, employees may also have knowledge of some of the company’s security issues based on their experience. These issues may be process related, technology related, or both. All of this knowledge is critical when performing a security assessment; with an employee conducting the security assessment, this knowledge can be leveraged.
In addition to the business process, employees on the technology side are also intimately familiar with the systems in place and how they support critical business processes. Some internal IT professionals might have a good knowledge of the infrastructure, the information flows between systems, and what security issues exist (if any). Their knowledge of the technology supporting the business processes can be wide ranging and can include many aspects, including functionality, performance, and security. Similar to the process owners, technology owners have a significant amount of knowledge that can be very useful in the context of a security assessment.
The main problem with internal employees conducting a security assessment is the potential lack of independence. Aside from groups such as internal audit, it is difficult to find employees who can be independent when conducting a security assessment. If the internal audit staff has the expertise to conduct a security assessment, they are a good choice because of their combination of independence and knowledge of the business. If any other group does the assessment, their independence must be scrutinized; otherwise, the results of the assessment may lose credibility with management. Independence is a tricky concept in that it is all about perception — i.e., if the perception is that someone is not independent, it does not matter whether or not the person actually is independent, because the perception is already set. For a security assessment to be taken seriously, management has to believe that it came from a credible source.
Another potential issue with internal employees conducting a security assessment is that they potentially lack the new ideas that a third party might be able to provide. Qualified third-party consultants have the advantage that they work with a variety of companies in different industries, which allows them to learn about what works, what does not work, best practices, and new ideas that the company might not necessarily consider. Internal employees may or may not have that kind of experience; it is something to consider when assembling the team to conduct the security assessment.
Third-Party Consultants
Many companies prefer to work with third-party consultants when doing any type of assessment or study. In terms of a security assessment, consultants bring a few important items to the table.

First, qualified consultants bring a wide variety of experience as a result of working with many clients, along with knowledge of security best practices. Qualified and experienced consultants have typically done security assessments and/or security-related consulting work at other companies. These experiences have allowed them to see a variety of methods for securing a company’s assets, and as a result, they have a good idea of what works and what does not work. If they have worked with companies across many industries, they have a breadth of experience that internal employees might not have. The experience of conducting security assessments in a variety of environments trains them to find security weaknesses that are not apparent, which could be significant when evaluating the overall security posture. This experience includes knowledge of information security best practices.
Having said that, consultants do not always have more knowledge or better recommendations. Companies must evaluate and screen consultants to ensure that they hire the right type of experience and skill set. The quality of the assessment and the final deliverable are only as good as the people who conduct it and the information they receive from the client’s personnel.
When hiring consultants, besides finding people through word-of-mouth references, there are some aspects of consultants you should think about during the selection process that will help you in making the right choice:
How much industry experience do they have?
Depending on what industry a company is in, industry experience can be very important. Consultants with industry experience can add tremendous value to an assessment. In the case of highly regulated industries, it is critical to hire a consultant who is familiar with the relevant laws and regulations. For companies that have to adhere to federal laws such as HIPAA and GLBA, significant risks are associated with not being compliant with their security requirements. Consultants with HIPAA or GLBA knowledge not only know the industry but also are familiar with the requirements. They can evaluate security in light of the legal requirements and offer recommendations that can help the company achieve compliance. Consultants without industry experience may not have a good idea of the industry-level risks facing a company. Depending on the company and how unique its industry and business processes are, there may be significant value in having a consultant with industry knowledge.
How much technical experience do they have?
The technical component of an assessment is very important. Ensuring that security vulnerabilities are uncovered from a technical perspective is an important aspect of the security assessment. Depending on how sophisticated the company’s IT environment is, a consultant’s technical competency in a given area may be important. Without technical expertise, the value of a consulting team diminishes. The consulting team should have people versed in the technologies that the company uses. You will find that depending on the technology in use, it may or may not be easy to find consultants with the right expertise. For example, if a company is a heavy user of Microsoft products, it may not be difficult to find consultants with the right expertise. This might not be the case if you are looking for expertise in mainframes or UNIX.
Do they have a methodology?
Any consulting firm that is hired should have some type of methodology they use to perform the assessment. They should be able to articulate the methodology and translate it into a project plan. The risk of not having a methodology is that the assessment might become a “free for all.” Interviews with company personnel might not be fruitful because the consulting team performing the assessment does not have a methodology guiding them on what they need to do. The result is that the client’s expectations are not met and people’s time is wasted. A proven methodology that makes sense provides some assurance that the security assessment process will be efficient and complete.
Who will ultimately do the work?
When consulting firms sell security assessment services (or any services, for that matter), this should be one of the first questions asked. Although highly qualified individuals may be there during the selling process, they may not be there when it comes time to deliver the services. Before agreeing to have a consulting firm perform a security assessment, it behooves companies to know exactly who will be doing the work and what skills they bring to the table.
What is their reputation?
It is critical to find out about a consultant’s reputation by checking references and looking at sample deliverables that they have provided to other clients. A consulting firm hired to conduct a security assessment should be subject to the same level of scrutiny as an employee being screened. The quality of the assessment is directly dependent on the qualifications of the people conducting the assessment.
What is the final deliverable going to look like?
Regardless of what consulting firms say during the selling process, reviewing sample deliverables is important. The final deliverable is one of the most important components of the assessment. If it is done correctly, the deliverable should be the “security roadmap” to be used in planning security initiatives for the short and long term. One of the pitfalls a company might face with a security assessment is not receiving a quality deliverable once the assessment has been completed. The last thing you want is to receive a computer-generated report that is either not very readable or contains information that is not relevant, or, on the flip side, a high-level document that does not provide any meaningful details. Ideally, a consultant should be able to give you a report that can be given to multiple levels of individuals in the organization. The deliverable should contain a range of information, from an executive-level summary, which management can read to understand high-level results, to technical-level details, which business process and technology owners can use. The deliverable should also contain specific recommendations that have sufficient detail and can be implemented.
The considerations above are very important when evaluating consulting firms. Remember that the security assessment and the recommendations resulting from it will act as the foundation for improving the information security program. The