92 A Practical Guide to Security Assessments
testing, is gathered at one time, which facilitates easier and better analysis
of the information. One thing you will find is that if meetings with subject
matter experts are spread out over a long period of time, you will constantly
have to refresh your knowledge, making the process inefficient
and drawn out.
DEVELOP PROJECT PLAN
As a result of the kickoff meeting, you will have a good understanding of the subject
matter experts you will need to talk to and a sense of how the timing will work.
Based on this information, you should develop a project plan to help manage the
project (Figure 4.4). The longer the timeline for the project, the more important it
is to have a project plan in place. For smaller projects where time tends to be limited,
the project plan may be a simple list of tasks.
One thing to note is that developing the timing of the assessment is a joint effort
between the client and yourself. The input from the kickoff meeting will help in
developing a reasonable project plan that satisfies everyone. It is important that the
project plan is reasonable so that people will take it seriously and it will be used as
a tool to manage the assessment. If the project plan has unrealistic timelines, no one
will take it seriously. You then run the risk of the project not being managed properly
and not being completed on a timely basis.
Some of the key elements that should be included in a project plan are:
• Specific tasks
• Documentation
• Meetings with process and technology owners
• Hands-on system testing
• Status meetings
• Deliverable presentation
The list above represents some of the high-level tasks. The specific tasks for
each of the phases will be discussed in detail in subsequent chapters. For each of
the tasks, you should also include the resources that are assigned to it. The resources
should include both the members of the team conducting the security assessment
and the specific subject matter experts from the client. This type of information can
be captured in a simple spreadsheet format such as Microsoft Excel or using more
advanced software such as Microsoft Project.
Having this type of information in a project plan creates accountability for all
parties involved. With the responsibilities documented in the project plan, people
understand the importance of ensuring that they fulfill their responsibilities.
Once the specific tasks are developed in the project plan, you should work with
the SPOC to put dates around the meetings with business process and technology
owners as well as the other tasks. It is critical that the SPOC share the project plan
with the client personnel so that they also understand their responsibilities and that
they are accountable. Once the plan has been communicated, it should be used to
manage the project. Ideally, the project plan should be a tool that is used to facilitate
status meetings and ensure that the assessment is on track. The plan will help you
identify any areas where progress might be slipping. In addition, as you discuss the
findings (this is discussed in depth in later chapters), you may uncover information
that might prompt you to do further investigation into an area.
AU1706_book.fm Page 92 Tuesday, August 17, 2004 11:02 AM
FIGURE 4.4 Develop project plan. (Figure residue: flowchart of the Planning phase steps: Define scope, Staffing, Kickoff meeting, Develop project plan, Set client expectations.)
Also, someone from the project team must own the responsibility of updating
the project plan so that it remains an effective tool. The project plan is an evolving
document. If it is not kept up to date, its value will diminish considerably.
SET CLIENT EXPECTATIONS
What will happen in the security assessment and what can a client expect once it is
all over? To ensure that the answers to these questions do not surprise clients, you
must set clear expectations of what the security assessment is (and is not) and what
they will receive at the end of it. Keep in mind that this is something that you are
doing throughout the assessment. At this point, however, it is important for you to
make sure that the client understands what comes with the security assessment
(Figure 4.5). Even though you have discussed the methodology and gone through a
scoping exercise, it is a good idea to clear up any potential confusion before the
fieldwork phase begins. If the client’s expectations are not properly set and managed,
even the best security assessment will be deemed a failure. This concept is not
specific to security assessments; it applies to any consulting engagement. The gap
between the client’s perception of what is being done and what is actually being
done should be minimized.
The purpose of setting the expectations at this stage is to ensure that the following
is communicated with the client:
• Meaning of a security assessment — what a security assessment is and
is not
• Communications during the security assessment — via status meetings
• Format of the final deliverable
The list above will bring final clarity to what the assessment is and is not and also
provide some insight about the client communications aspect of the security assessment.
Communication with the client is very important because it will make the client
much more comfortable with the whole security assessment process. Many clients
who deal with consultants complain, “I don’t exactly know what they are doing” or
“They never explained exactly what they are doing.” By providing clarity about the
assessment and regular communications, you can avoid these comments.
FIGURE 4.5 Set client expectations. (Figure residue: flowchart of the Planning phase steps: Define scope, Staffing, Kickoff meeting, Develop project plan, Set client expectations.)
UNDERSTANDING THE MEANING OF A SECURITY ASSESSMENT
One of the reasons for clarifying the meaning of a security assessment is that different
people have different ideas of what it is. Based on the methodology this book is
suggesting, a security assessment is defined as an evaluation of a company’s information
security program to determine how well information security measures are
aligned with the security risks facing the company. Equally important as this definition
is what a security assessment is not. Some other types of services that a
security assessment should not be confused with include:
• Network assessment — A network assessment focuses on how well a
network (local area networks and wide area networks) is meeting business
requirements. A network assessment looks at network performance, network
traffic patterns, usage patterns, and other metrics such as downtime
to determine whether a network is functioning as it should be. In a network
assessment, business requirements are reviewed from a different perspective
than in a security assessment. Besides focusing on network performance,
a person performing a network assessment would also determine whether
the current network infrastructure could handle future business requirements.
A security assessment might have some commonalities with a
network assessment, but the focus is very different.
• Vulnerability assessment — A vulnerability assessment is a technical
assessment, where the goal is to discover vulnerabilities in the IT environment,
what kind of risk they pose, and how the risk can be mitigated.
Unlike with a security assessment, the scope of a vulnerability assessment
does not include a review of the overall information security program or
how security measures are aligned with security risks. Vulnerability
assessments are more technical in nature and do not have as strong a focus
on the business as a security assessment does. These assessments are
typically done using tools that can examine security settings and configurations
very quickly and generate vulnerability reports. The reports must
then be interpreted by qualified personnel to determine which vulnerabilities
are legitimate for the environment. Some of the tools used in vulnerability
assessments generate “false positives” that must be weeded out. For legitimate
vulnerabilities, risks and mitigation strategies are typically developed.
Before conducting vulnerability assessments, companies should ensure that they
have already taken appropriate security measures such as applying patches and
closing ports that are not used. It is important to remember that a vulnerability
assessment is only part of an overall information security strategy and is another
layer of security that should be integrated with security policies and procedures and
other information security measures. In fact, there are firms that now offer managed
vulnerability assessments where a network perimeter, a demilitarized zone, or some
other part of the IT infrastructure can be scanned for vulnerabilities automatically
on a regular basis.
Although security assessments differ from network and vulnerability assessments,
there are similarities between them as well. They are related and synergies
exist that can be capitalized upon to add more value to a security assessment. When
conducting a security assessment, information from a network or vulnerability
assessment can be invaluable. One example is the concept of availability, which is
one of the three key objectives of security (confidentiality, integrity, and availability).
If during a security assessment, you discover that personnel are suffering from