Planning 97
significant outages where the network and shared resources are not available, results of a network assessment may be valuable in determining what the reasons might be. You may be able to review some of those same network assessment reports for the security assessment.
In the case of a vulnerability assessment, there are significant overlaps with security assessments. As stated earlier, vulnerability assessments are basically technical reviews using some automated scanning tools and some manual hands-on testing of critical components of the IT environment. You can think of a vulnerability assessment as being a subset of a security assessment. In almost any security assessment, some level of vulnerability testing is done on critical systems.
KEY COMMUNICATIONS
To continuously keep the client informed and manage the expectations of the client, communication is critical before and during the engagement. The essential communications, aside from the kickoff meeting, at this stage and once the fieldwork has commenced can be characterized as follows:
• Status meetings — during the engagement
• Deliverable template — sets the client’s expectations for what the final document is going to look like
Status Meetings
Status meetings are a standard part of any consulting project. The purpose of these meetings is to go over status and discuss findings during the assessment. Status meetings should be held on a regular basis to keep clients informed. Keeping clients informed entails going over basic logistical information such as whether meetings are happening as scheduled, whether the assessment timing is on track, and whether any changes in the scope are anticipated. However, the most important piece of communication during status meetings is what issues have been uncovered. This is important for a couple of reasons.
First, the client may have additional information about an issue that could change your opinion of it. For example, an internal control issue might be uncovered, but there might be mitigating controls that you were not aware of — this would surface during a status meeting. Discussion of issues during a status meeting allows the client to follow up on findings so that all relevant information is considered. Remember that most of the information gathered during the assessment is through conversations with various individuals in the client’s organization. The assessment is not a perfect process and you may not always receive all the information necessary for a number of reasons. It is possible that the questions were not asked correctly or the person from the client’s organization did not understand them correctly. It is also possible that you spoke to the wrong person. By sharing the issues with the client early in the process, you cover your bases in terms of seeking all of the relevant facts before coming to a conclusion on a given finding.
Second, as issues are presented to the client in the status meetings, the deliverable is actually being shared with the client as it is developed, because the bulk of the final deliverable consists of the issues that are uncovered. Although there will certainly be cosmetic changes to wording in the final deliverable, the issues will mostly remain the same. The advantage of sharing this information throughout the course of the assessment is that when the final document is presented, there are no surprises. The last thing you want to do is blindside the client with issues that have not been discussed before. Doing so creates risks for the client as well as for the people performing the assessment. For the client, it can be an embarrassing situation in the final meeting, where all of the key players are assembled, if they cannot effectively talk about the issue. For the group conducting the assessment, it can be embarrassing if it turns out that there was some critical piece of information that was overlooked and the finding is really not legitimate. Either of these situations reduces the credibility of the security assessment process and the resulting information.
AU1706_book.fm Page 97 Tuesday, August 17, 2004 11:02 AM
98 A Practical Guide to Security Assessments
Note that status meetings do not have to be a formal process. It all depends on the client and how the assessment is going. The bottom line is that some type of status update should be happening throughout the security assessment process.
Deliverable Template
One of the main expectations of the client is the content of the final deliverable. This document represents the results of the assessment, and the client probably has an idea of what is desired in terms of content and the level of detail. As part of this step of setting expectations, it is valuable to share the template of the final deliverable so they have a good idea of what they are going to get at the end of the assessment. It is important to obtain the client’s buy-in on the deliverable early in the process. As you will see in later phases of the assessment, you will document as much as possible straight into the report to be more efficient and save time. Having the client approve the deliverable provides significant assurance that the document will be acceptable to the client at the end of the assessment.
Gaining client approval on the format of the final deliverable is a critical component of the security assessment because the deliverable is the finished product representing what was done. The final deliverable will contribute significantly to how the client perceives you. The security assessment can be done in the most professional way, and some very pertinent findings may have been discovered. However, if the results of the assessment are not delivered to the client in the way they are expecting or are delivered in an unsatisfactory way, the perceived quality of the assessment can be significantly diminished. Consequently, setting expectations for the deliverable with the client is critical in ensuring a successful assessment. The first step in determining what the deliverable should look like is to determine what the client is seeking. One of the main things to consider when preparing the final deliverable is who the audience for the report is. Another consideration is how much detail the client wants in the report.
An effective way to have a dialogue about the final format of the deliverable is to show the client “scrubbed” deliverables (i.e., names and any other pertinent customer-specific information is taken out of the document) from other security assessments. Clients can use these templates as a starting point in determining the format of the deliverable. Based on this discussion with the client, you should provide
at least a high-level format of what the final deliverable is going to look like at one of the status meetings during the assessment. This is the client’s chance to say that they are happy with that format or they want something different. Based on past experience, a suggested format for the report should contain the following information:
• Executive summary
  – High-level description of what was done
  – Business drivers for the assessment
  – Scope — definition of scope as defined
  – Methodology
• Current state
  – Description of core business processes
  – Significant initiatives that are either underway or planned in the near term
• Findings, risks, and recommendations
  – Comprehensive prioritized list of all findings, associated risks, and recommendations categorized by severity
Some characteristics that should be considered when preparing the final deliverable include:
• Length of the final report — When preparing the final report, length should not be a factor. Most clients prefer a report that is succinct, provides a summary of what was done in the assessment, and clearly articulates findings, risks, and recommendations. In other words, clients do not want a novel when they receive the final report. They typically want something that they can go through relatively quickly and extract the information they need.
• Audience of the final report — Audience is a very important factor when preparing the final deliverable. Everyone from executive managerial types to hard-core technical employees might be interested in the report, and you must accommodate them all. Because of the range of people that you deal with in an assessment, the deliverable must have something for the different groups that are reading it. The suggested format above is designed to address the different groups. For example, executives are probably interested in a summary of what was done, which is covered in the executive summary, scope, and methodology sections. A security officer, who is already familiar with what was done, might only be interested in critical findings, which are in a separate section. Finally, a technical person might only care about what was found; these individuals would go straight to the detailed findings section. The main point is to ensure that the different audiences for the report have the information they are looking for in the report.
• Inclusion of the notes from meetings — Including the notes from meetings is a pitfall that should be avoided. Some clients might ask for an electronic version of the notes so they can see who said what during the assessment. There are two problems with including the notes as part of the deliverable:
  – Meeting notes were probably recorded by hand during meetings with the client. To create an electronic version of these notes is a very time-consuming task that probably is not very valuable.
  – If meeting notes are voluminous and included in the deliverable, the notes will overshadow the actual report.
Some clients will ask for this information. Unless there is some really good and compelling reason to provide these notes, they should not be provided.
EXECUTIVE SUMMARY
The planning phase of a security assessment is vital in ensuring that the security assessment is successful. Spending the time to effectively plan a security assessment will eventually save you time later.
The key steps in planning the security assessment include the following:
• Defining scope
• Staffing
• Holding the kickoff meeting
• Developing the project plan
• Setting client expectations
DEFINING SCOPE
Once the decision is made to conduct a security assessment, the scope of the assessment should be clearly defined. Scope definition depends on the following four key factors:
• Business drivers — Business reasons for the client to have a security assessment done are established.
• Scope definition — Scope is defined in terms of what is covered and what processes will be performed.
• Standards — Benchmarks that will be used to determine the security posture are established.
• Managing scope — It is important for the group conducting the assessment to ensure that the scope is not changed and, if it is, that there is a good reason and that the change goes through a change control process.
STAFFING
Clients must then decide who is going to actually conduct the security assessment. They can have it done using either internal resources or third-party consultants. Some of the drivers that will influence their selection include:
• Funding allocated for the project
• Business drivers for the assessment
• Resource availability
Both internal employees and consultants have their advantages and disadvantages. Third-party consultants bring the following advantages to the table:
• Independence
• Specific technical skill sets
• Methodologies
• References
• Industry expertise
Internal resources often have the right skill sets to perform an assessment. The major hurdle with using internal resources is whether they can be independent in performing the assessment. A good internal resource is the internal audit department, which has the independence, the access to senior management, and significant knowledge of the company’s business processes.
KICKOFF MEETING
The kickoff meeting should occur prior to the commencement of fieldwork at the client site. The kickoff meeting should have the following people in attendance:
• Executive sponsor — The executive sponsor’s presence is important because it shows management’s commitment to the security assessment.
• Key stakeholders — The key stakeholders will be involved in helping to identify the business and technology owners who will be involved in the assessment; the key stakeholders’ support is critical to the success of the assessment.
• Team conducting the assessment — Until this meeting, the client has probably not met the team that will conduct the assessment; this is a good time for them to meet so the client understands the roles and responsibilities of team members.
The goals of the kickoff meeting include:
• Introductions — The team conducting the assessment and the key players from the client are introduced to one another.
• High-level assessment process — The assessment methodology is discussed.
• Scope — What will and will not be covered is established.
• Logistics — The client will assign a single point of contact who will be responsible for scheduling meetings and addressing other logistical concerns such as work space, phones, and Internet access.
• Identify business process and technology owners — The key business process and technology owners who will take part in the assessment are identified.
DEVELOP PROJECT PLAN
The project plan should be developed and reviewed with the client so that the client has the opportunity to provide feedback and then approve it. The project plan creates