Planning
87
recommendations will drive the security initiatives that a company undertakes to
secure the company’s information assets. Therefore, it is critical that qualified per-
sonnel perform the assessment.
The second important aspect of having a consultant perform the security assess-
ment is independence. Because a consultant is not a part of the company, the
consultant is in a position to provide management with an independent view of
security. Similar to internal audits being performed by employees who do not have
any ties to what they are auditing, consultants also do not have ties to what they are
reviewing. One thing to watch for is a consulting firm that has performed other
consulting services for the client in the past. Depending on what that work was,
there may be a conflict of interest. For example, if a consulting firm designed
and implemented the current network, it is not a good idea for that firm to assess
its own design; it cannot be independent when reviewing its own work.
For internal employees who are directly involved with security-related functions, it
is virtually impossible for them to be completely objective and independent.
There is great value in having an independent party conduct the security assess-
ment, but you must have qualified people conduct it, otherwise it is a waste of time.
The time taken in selecting the right consulting firm is more than worth it.
KICKOFF MEETING
At this point in the process, you have defined the scope and determined who is going
to do the work. From a time perspective, it is now from a few days to a few weeks
before the start of the actual fieldwork, depending on the client. Until now, there
has been involvement from only a few people from the client for scope development
and staffing. The next step is to begin the security assessment with a kickoff meeting
(Figure 4.3).
The kickoff meeting is the beginning of the assessment. It is the first opportunity
for the team conducting the assessment and the key stakeholders from the client to
get together and discuss the engagement. This meeting covers logistical items such
as scheduling and goes over how the assessment process is going to work. For the
key stakeholders, it is an opportunity to ask any questions and meet some of the
people who will conduct the assessment.
The kickoff meeting should be scheduled before the commencement of inter-
views and the technology review. There should be enough of a gap between the
kickoff meeting and the interviews to allow the client time to schedule the interviews.
As long as it is before the on-site interviews, it is acceptable.
To ensure a successful kickoff meeting, the following key players should be
present at the meeting:
Executive sponsor for the assessment — Executive support for a security
assessment gives it credibility and value. Having the executive who championed
the security assessment present shows that management is taking
it seriously. It helps set the right tone for the assessment, where everyone
understands the importance of supporting the effort to determine where
the security gaps are. The value of executive sponsorship will become
AU1706_book.fm Page 87 Tuesday, August 17, 2004 11:02 AM
88
A Practical Guide to Security Assessments
FIGURE 4.3 Kickoff meeting. (Flow diagram of the Planning phase: Define scope -> Staffing -> Kickoff meeting -> Develop project plan -> Set client expectations.)
evident during the interviews with client personnel. Executive support for
the assessment will help ensure that client personnel are forthright and
take the process seriously, which makes the assessment go much more
smoothly. On the other hand, if executive support is lacking, personnel
may not be cooperative or take the assessment seriously enough. For
example, you might walk into an interview where the person opens by saying
that he or she does not have much time because of another meeting, or whose
manner makes it clear that this individual wants nothing to do with the
assessment. As part of the group
conducting the assessment, you must work with the executive sponsor to
show the importance of the assessment so that the same attitude trickles
down. It should also be clear that you have the ability to escalate any
issues to the executive sponsor if you are not getting the cooperation you
need.
Key stakeholders — The key stakeholders include people who have an
interest in the security assessment. These people should include high-level
business process owners and technology owners who will potentially be
affected by the findings and recommendations of the security assessment.
As these individuals have an interest in the assessment, they should have
a good understanding of the nature of the assessment, how it will be
conducted, and the importance of their support in the process. During the
kickoff meeting, you can set their expectations of what is to come and
how they fit in. These stakeholders will be instrumental in helping to
identify the subject matter experts to interview during the assessment. The
advantage of having them at the kickoff meeting is it gives you a chance
to explain what is happening so you can avoid the comment, “What is
the purpose of the assessment? Why are we doing this?” The stakeholders’
support is critical to the success of the security assessment.
Personnel or consultants who will conduct the assessment — It might
seem obvious that the personnel conducting the assessment should be at
the kickoff meeting. The reason for highlighting these individuals sepa-
rately is that the kickoff meeting is probably the first time when all
members of the team conducting the assessment will have a chance to
meet the client. Until the engagement is finalized, it is typically discussed
only at a senior level, so the full team has not yet been introduced. Keep in
mind that some portion of the team from a technical
perspective may change based on what you determine to be the critical
technologies. These introductions are important so that the client and the
consultants (or internal personnel) conducting the assessment can meet
face to face and understand what some of the specific roles and respon-
sibilities are. It is also an icebreaker for everyone so they can become
more comfortable with each other.
Each of the parties listed above has an interest in the security assessment. It is
important to ensure that they are all on the “same page” when conducting the
assessment.
Once you round up the key parties for the kickoff meeting, you must decide
what to cover in this meeting. Depending on the client, there may be a range of
topics you want to cover. Key topics that should be covered at a minimum are:
Introductions — This is the first time that all of the key players are together.
To make everyone feel comfortable, it is worthwhile to introduce everyone
and talk about roles and responsibilities. This is a good icebreaker and
allows you to begin the fieldwork phase smoothly.
High-level assessment process — You should also take the opportunity to
stress that the security assessment process will be as nonintrusive as
possible and that you are reviewing the information security posture of
the company to find opportunities for improvement. You should go over
the methodology from a high level and discuss how you will first review
business processes and supporting technologies and then perform a risk
analysis. You should also talk a little about the final deliverable and what
the client can expect. You should stress the consultative approach you are
taking in assessing the security posture of the company. The interviews
during a security assessment delve into what people do in their jobs, and
for some people, this can make them nervous. You must work with the
client to allay any fears they might have regarding what you are doing.
Scope — By the time the kickoff meeting takes place, the scope should be
fairly well documented and some time and resource allocations would
have already been made. During the kickoff meeting, the scope should be
discussed and the client should be given the opportunity to ask questions
and clear up any confusion about what the assessment will cover. The
scope discussion should include the boundaries around what is going to
be done and what type of deliverable the client can expect at the conclusion
of the assessment. You should also discuss change control — i.e., changes
in scope should be handled through a change process where clients and
the group conducting the assessment can determine if the change is appro-
priate and what effect it will have on the project from a timing and pricing
perspective.
Logistics — Logistics refers to potential meeting schedules with client
personnel and housekeeping details such as having proper access to facil-
ities and most importantly, having a single point of contact (SPOC) from
the client side. Up until now, you have been working with someone from
the client on an informal basis to set up the kickoff meeting. Going
forward, you will need a SPOC to ensure that the assessment runs in a
smooth and efficient manner. The SPOC is a tremendous help because
this person is your interface with the client. Depending on the size of the
company and familiarity with the people in the organization, a SPOC can
make life a lot easier for the people conducting the assessments. The
SPOC can make sure that meetings are happening per the schedule and
that any other logistical matters are given the attention required. Some of
the logistical matters that are often taken for granted but that can waste
time if not done properly include ensuring that the appropriate facilities
are available, such as a meeting area. For example, conference rooms sometimes
need to be scheduled far in advance. Another task is providing access to phones
and the Internet so that you can check e-mail and make calls as necessary.
Tremendous amounts of time can be wasted if these things are not coordinated.
If meetings are not properly coordinated, clients run the risk of the assess-
ment being done in a rushed manner to meet a deadline. Client represen-
tatives may not be as forthright as they should be if it appears that the
assessment is being done in a haphazard manner. It is important to note
that the quality of the assessment and the related findings is directly
dependent on the quality of the information received. The value of having
someone in this role cannot be stressed too much. One way to ensure that
there is a single point of contact is to make that one of the assumptions
going into the assessment — i.e., the client must provide a single point
of contact as part of the assessment. In most cases, as with other consulting
projects, clients are happy to provide someone in this role because it is a
win-win situation for everyone.
Identification of key business and technology owners — As stated earlier,
the quality of the assessment is directly dependent on the information
received from the client’s subject matter experts. Therefore, it is critical
to identify who the key business and technology owners are who should
be interviewed as part of the security assessment. In smaller organizations,
this is not as critical because the number of people is small and most of
those people are likely to be involved in the assessment. In larger orga-
nizations, such as a multinational corporation or a company with many
different sites and departments at scattered locations, identifying the right
people for a security assessment can be a daunting task. The main risk of
not finding the right people is that it is possible to receive inaccurate
information or just not receive information necessary to perform the
security assessment. For example, a business process owner who is
involved in only an ancillary capacity to a given business process may
give information that is not totally accurate or relevant to the assessment.
Based on the information gathered in the initial preparation phase and at
the kickoff meeting, you should work with the SPOC to identify who
should be interviewed as part of the assessment. For your part, you should
be able to tell the client the specific items you want to discuss and based
on that, the client should be able to identify the subject matter experts.
The sooner these individuals are identified, the better it is. Scheduling in
a security assessment can be difficult, so getting an early jump on this
will make the whole assessment process much more efficient. You do not
want the assessment process to be long and drawn out, as one of the
selling points of an assessment is that it is a relatively quick effort. As
for scheduling the meetings, one organized way of having the meetings
with the subject matter experts is to have them over a concentrated period
of days (depending on the number of people to meet). The advantage of
this method is that most of the information, other than the detailed system