104
A Practical Guide to Security Assessments
the business is a critical prerequisite to understanding how it is to be secured. Having
a general understanding of the business and some current events involving the
company gives you a tremendous amount of credibility with the customer. From a
customer’s perspective, it shows that you are taking the security assessment seriously
and it starts the security assessment on a very positive note. It is worth noting that
this is really true for any consulting assignment one does with a company. Taking
the time to learn about a company before walking in the door helps establish
credibility, which has a positive impact throughout the course of the engagement.
Ability to Ask the Right Questions
Once the assessment starts, having this basic understanding allows you to tailor your
questions for the client. In the initial questionnaire (discussed later in this chapter)
that is sent to the client, the questions can be tailored to reflect what you have learned
about the company. Based on knowledge you gain during the initial preparation,
certain events might give rise to or place emphasis on specific questions or generate
questions you would not have otherwise thought to ask. For example:
• The company has announced layoffs. If the company has just announced layoffs, personnel security and the issue of ensuring that employees’ access is properly terminated would be an area of concern. Questions geared around the termination process would be important in this scenario because of the need to reduce the risk of what former employees can do. In addition, if layoffs occur, it could mean that the company might be suffering financially. If this is the case, other projects or initiatives may have been placed on hold — this too could have security implications.
• The company is involved in the acquisition of another company. Acquisitions can have significant impact on a company from a security perspective. Questions will need to be asked about how the new company will be integrated into the information technology (IT) environment as well as into the overall environment from a business perspective. You may also want to find out about how the organization structure is impacted by the acquisition, as that will impact roles and responsibilities. These are all important pieces of information for a security assessment.
Uncovering information during this phase allows you to ask the right questions during the interviews. One thing to note regarding interviews with client personnel is that if you do not ask about changes to the business, they may not volunteer the information. This is not because they are trying to withhold information; rather, they simply do not recognize its importance from a security perspective. Once you raise the information with client personnel and engage them in a conversation about it, you are likely to find out how the change to the business impacts the security assessment.
Obtaining this information up front gives more credibility to the process and makes the security assessment more efficient. Initial preparation will give you knowledge about a company that you will not have to learn when you go on site. Consequently, the interviews with the client personnel can focus on security.