A Practical Guide to Security Assessments
of the company’s business. The security assessment methodology must begin with understanding the business. To take it one step further, it is also important to know how the various business processes tie together and, ultimately, how these processes accomplish the goals of the company. Employees may know how they tie together and what dependencies exist among the different processes. In addition, employees may also have knowledge of some of the company’s security issues based on their experience. These issues may be process-related, technology-related, or both. All of this knowledge is critical when performing a security assessment; with an employee conducting the security assessment, this knowledge can be leveraged.

In addition to the business process, employees on the technology side are also intimately familiar with the systems in place and how they support critical business processes. Some internal IT professionals might have a good knowledge of the infrastructure, the information flows between systems, and what security issues exist (if any). Their knowledge of the technology supporting the business processes can be wide ranging and can include many aspects, including functionality, performance, and security. Similar to the process owners, technology owners have a significant amount of knowledge that can be very useful in the context of a security assessment.

The main problem with internal employees conducting a security assessment is the potential lack of independence. Aside from groups such as internal audit, it is difficult to find employees who can be independent when conducting a security assessment. If the internal audit staff has the expertise to conduct a security assessment, they are a good choice because of their combination of independence and knowledge of the business. If any other group does the assessment, their independence must be scrutinized; otherwise, the results of the assessment may lose credibility with management. Independence is a tricky concept in that it is all about perception — i.e., if the perception is that someone is not independent, it does not matter whether or not the person is independent because the perception is already set. For a security assessment to be taken seriously, management has to believe that it came from a credible source.

Another potential issue with internal employees conducting a security assessment is that they potentially lack new ideas that a third party might be able to provide. Qualified third-party consultants have the advantage that they work with a variety of companies in different industries, which allows them to learn about what works, what does not work, best practices, and new ideas that the company might not necessarily consider. Internal employees may or may not have that kind of experience; it is something to consider when assembling the team to conduct the security assessment.

Third-Party Consultants

Many companies prefer to work with third-party consultants when doing any type of assessment or study. In terms of a security assessment, consultants bring a few important items to the table.

First, qualified consultants bring a wide variety of experience as a result of working with many clients and knowledge of security best practices. Qualified and