Planning
91
are available and having access to phones or a meeting area. For example, conference rooms or other meeting space sometimes must be scheduled far in advance. Another task is providing access to phones and the Internet so that you can check e-mail and make calls as necessary. A tremendous amount of time can be wasted if these things are not coordinated.
If meetings are not properly coordinated, clients run the risk of the assessment being done in a rushed manner to meet a deadline. Client representatives may also be less forthright than they should be if the assessment appears to be run in a haphazard manner. It is important to note that the quality of the assessment and its findings depends directly on the quality of the information received. The value of having someone in this role cannot be overstated. One way to ensure that there is a single point of contact is to make it one of the assumptions going into the assessment, i.e., the client must provide a single point of contact as part of the assessment. In most cases, as with other consulting projects, clients are happy to provide someone in this role because it is a win-win situation for everyone.
• Identification of key business and technology owners — As stated earlier, the quality of the assessment depends directly on the information received from the client's subject matter experts. Therefore, it is critical to identify the key business and technology owners who should be interviewed as part of the security assessment. In smaller organizations this is less critical, because the number of people is small and most of them are likely to be involved in the assessment anyway. In larger organizations, such as a multinational corporation or a company with many sites and departments in scattered locations, identifying the right people for a security assessment can be a daunting task. The main risk of not finding the right people is that you receive inaccurate information, or do not receive information necessary to perform the assessment at all. For example, someone involved in a given business process only in an ancillary capacity may give information that is not entirely accurate or relevant to the assessment.
Based on the information gathered in the initial preparation phase and at the kickoff meeting, you should work with the SPOC to identify who should be interviewed as part of the assessment. For your part, you should be able to tell the client the specific topics you want to discuss; based on that, the client should be able to identify the appropriate subject matter experts. The sooner these individuals are identified, the better. Scheduling in a security assessment can be difficult, so getting an early start on this will make the whole process much more efficient. You do not want the assessment to be long and drawn out, as one of its selling points is that it is a relatively quick effort. As for scheduling the interviews, one organized approach is to hold the meetings with the subject matter experts over a concentrated period of days (depending on the number of people to meet). The advantage of this method is that most of the information, other than the detailed system
AU1706_book.fm Page 91 Tuesday, August 17, 2004 11:02 AM