98 A Practical Guide to Security Assessments
final deliverable consists of the issues that are uncovered. Although there will
certainly be cosmetic changes to wording in the final deliverable, the issues will
mostly remain the same. The advantage of sharing this information throughout the
course of the assessment is that when the final document is presented, there are no
surprises. The last thing you want to do is blindside the client with issues that have
not been discussed before. Doing so creates risks for the client as well as for the
people performing the assessment. For the client, it can be an embarrassing
situation in the final meeting, where all of the key players are assembled, if they
cannot speak knowledgeably about the issue. For the group conducting the assessment,
it can be embarrassing if it turns out that some critical piece of information was
overlooked and the finding is not actually legitimate. Either of these situations
reduces the credibility of the security assessment process and the resulting information.
Note that status meetings do not have to be a formal process. It all depends on
the client and how the assessment is going. The bottom line is that some type of
status update should be happening throughout the security assessment process.
Deliverable Template
One of the main expectations of the client concerns the content of the final deliverable.
This document represents the results of the assessment, and the client probably has
an idea of what is desired in terms of content and level of detail. As part of this
step of setting expectations, it is valuable to share the template of the final deliverable
so that the client has a good idea of what they are going to get at the end of the assessment.
It is important to obtain the client’s buy-in on the deliverable early in the process.
As you will see in later phases of the assessment, you will document as much as
possible straight into the report in order to be more efficient and save time. Having the client
approve the deliverable template up front provides significant assurance that the finished document will be
acceptable to the client at the end of the assessment.
Gaining client approval on the format of the final deliverable is a critical component
of the security assessment because the deliverable is the finished product
representing what was done. The final deliverable will contribute significantly to
how the client perceives you. The security assessment can be done in the most
professional way, and some very pertinent findings may have been discovered.
However, if the results are not delivered to the client in the form they are
expecting, or are delivered in an unsatisfactory way, the perceived quality
of the assessment can be significantly diminished. Consequently, setting expectations
for the deliverable with the client is critical to a successful assessment. The
first step in determining what the deliverable should look like is to determine what
the client is seeking. One of the main things to consider when preparing the final
deliverable is who the audience for the report is. Another consideration is how much
detail the client wants in the report.
An effective way to have a dialogue about the final format of the deliverable is
to show the client “scrubbed” deliverables (i.e., documents from which names and any other
pertinent customer-specific information have been removed) from other security
assessments. Clients can use these as a starting point in determining the
format of the deliverable. Based on this discussion with the client, you should provide
AU1706_book.fm Page 98 Tuesday, August 17, 2004 11:02 AM