102 A Practical Guide to Security Assessments
accountability both for the team conducting the assessment and the client personnel
involved.
Creating a project plan serves several key purposes:
Documented plan — The plan, which is a translation of the scope into tasks, is documented and can be used to run the project.
Accountability — Because resources are specified in the project plan, a sense of accountability is created for everyone involved, including client subject matter experts and the people conducting the assessment.
Management tool — The project plan can be used to manage the dates and tasks of the assessment.
It is important that someone owns the responsibility of updating the project plan to ensure that it remains an effective tool to manage the assessment.
SET CLIENT EXPECTATIONS
The final aspect of planning is to clearly set the expectations of the client, i.e., articulate how the assessment is going to work and what the client can expect. Communications should take place before, during, and after an engagement. Clients should understand what is done as part of the assessment and what exactly they are receiving. One source of confusion is that other security services resemble a security assessment. If the client is unclear about what is being delivered, the differences between a security assessment and the related security services (e.g., a vulnerability assessment) should be clarified before fieldwork begins.
Once the fieldwork commences, there should be different communications at different stages of the assessment process. At this stage, the two key communications to discuss are:
Status meetings — These meetings occur during the assessment. Their purposes are to:
Discuss findings and risks so that the client can provide any additional information that might have been overlooked.
Obtain buy-in for the format of the deliverable.
Resolve any logistics issues.
Deliverable template presentation — Sharing the deliverable template will allow the client to review and approve what the final document is going to look like. This will enable you to gradually complete the deliverable throughout the course of the assessment.