5
Initial Information Gathering
At this point in the process, the project scope has been defined and the subject matter
experts have been identified. You are now waiting for the client to schedule meetings
so you can begin the fieldwork phase of the project. In the meantime, you should
start the initial information gathering process.
The purpose of the initial information gathering phase is to gather information
and become knowledgeable about the company so you are better prepared once you
begin the assessment at the client site. The information gathered at this stage comprises
some independently gathered information and some basic information gathered
from the client. During this phase, the information is gathered off site (i.e., not
on the client’s premises), and minimal interaction with the client occurs.
The time you have to complete this phase can vary depending on scheduling.
Regardless of the amount of time you have, it is in your best interest to do the
research in this phase, so you will be better prepared once at the client site.
The more thorough the initial preparation, the better the whole security assessment
process will go. However, if time for the security assessment is limited, use
your time wisely and do the preparation that will give you the most benefit during
the assessment. With experience, you will be able to determine what information is
worth learning about during this phase and useful for the assessment.
BENEFITS OF INITIAL PREPARATION
Learning general information about a company provides a strong foundation for
interviews with business process and technology owners. Knowing general information
about a company, such as its core operations, locations, and general demographic
information, allows you to be better prepared and thus get more out of the
interviews. Two key advantages of obtaining this preliminary information are:
• Credibility with the client
• Ability to ask better questions
Credibility with the Customer
If an internal group is performing the security assessment, obtaining preliminary
information may or may not be useful because much of it may already be known.
For a third party doing the security assessment, this process of initial research is
invaluable. The concept here, and stressed throughout this book, is that understanding
AU1706_book.fm Page 103 Tuesday, August 17, 2004 11:02 AM
104
A Practical Guide to Security Assessments
the business is a critical prerequisite to understanding how it is to be secured. Having
a general understanding of the business and some current events involving the
company gives you a tremendous amount of credibility with the customer. From a
customer’s perspective, it shows that you are taking the security assessment seriously
and it starts the security assessment on a very positive note. It is worth noting that
this is really true for any consulting assignment one does with a company. Taking
the time to learn about a company before walking in the door helps establish
credibility, which has a positive impact throughout the course of the engagement.
Ability to Ask the Right Questions
Once the assessment starts, having this basic understanding allows you to tailor your
questions for the client. In the initial questionnaire (discussed later in this chapter)
that is sent to the client, the questions can be tailored to reflect what you have learned
about the company. Based on knowledge you gain during the initial preparation,
certain events might give rise to or place emphasis on specific questions or generate
questions you would not have otherwise thought to ask. For example:
• The company has announced layoffs. If the company has just announced
layoffs, personnel security and the issue of ensuring that employees’
access is properly terminated would be an area of concern. Questions
geared around the termination process would be important in this scenario
because of the need to reduce the risk of what former employees can do.
In addition, if layoffs occur, it could mean that the company might be
suffering financially. If this is the case, other projects or initiatives may
have been placed on hold — this too could have security implications.
• The company is involved in the acquisition of another company. Acquisitions
can have significant impact on a company from a security perspective.
Questions will need to be asked about how the new company will
be integrated into the information technology (IT) environment as well
as into the overall environment from a business perspective. You may also
want to find out about how the organization structure is impacted by the
acquisition, as that will impact roles and responsibilities. These are all
important pieces of information for a security assessment.
Uncovering information during this phase allows you to ask the right questions
during the interviews. One thing to note regarding interviews with client personnel
is that if you do not ask about changes to the business, they may not volunteer the
information. This is not because they are trying to withhold information;
rather, they simply do not understand its importance from a security perspective.
Once you put the information out to client personnel and engage them in a conversation
about it, you are likely to find out how the change to the business impacts
the security assessment.
Obtaining this information up front gives more credibility to the process and
makes the security assessment a more efficient process. Initial preparation will give
you knowledge about a company that you will not have to learn when you go on
site. Consequently, the interviews with the client personnel can focus on security.
As for the time spent on the initial preparation, it is a judgment call based on the
time that is available to you. Although heavy-duty preparation might not be necessary,
some level of preparation, where you at least know what the company does
and some of the geographic demographics and the financial condition of the company,
is very useful and can go a long way. Initial preparation can be time consuming;
however, most of this preparation probably saves time in the security assessment
over the long term.
Overall, the main purpose of this phase is to conduct research on the client using
publicly available information and prepare for the fieldwork phase of the assessment.
The amount of initial preparation depends on how much you already know about
the client and the time constraints under which you are working. The five key
components in the initial information gathering phase are:
• Gather publicly available information
• Gather information from the client
• Analyze gathered information
• Prepare initial question sets
• Develop and populate template for final report
GATHER PUBLICLY AVAILABLE INFORMATION
Gathering publicly available information before the interviews in the next phase is
very helpful in performing a security assessment (Figure 5.1). This process will
yield many kinds of information about a company that might be relevant for a security
assessment, including such details as:
• How the company is doing financially
• Significant management changes
• Merger or acquisition activity
• Security breaches
• Expansion or reduction plans
• Regulatory activity that might be affecting the company
All of the events listed above as well as others not included in the list have
security implications and should be considered if conducting a security assessment.
The list above represents some of the events to look for when conducting initial
research. As explained in the previous section, having this information and being
able to ask about it during the interviews gives you a tremendous amount of credibility.
If you know some basic information about events such as the ones listed
above, you have the opportunity to spend time during the interviews talking in depth
about the security implications of the events.
WHERE IS THIS INFORMATION FOUND?
During this initial research phase, the more information that can be found in a
reasonable period of time, the better. The key is to find information in the most
FIGURE 5.1 Gather publicly available information. [Flowchart of the initial information gathering phase, with the first step highlighted: Gather publicly available information; Gather information from the client; Analyze gathered information; Prepare initial question sets; Develop and populate template for final report.]
efficient manner possible. With this in mind, there is no better source of information
than the Internet. Besides some of the obvious sites to visit such as the company’s
Web site (if one exists), a good search engine is the fastest way to search for news
articles in newspapers, magazines, trade journals, and other publications. Search
engines can be used to conduct searches about a company’s operations and management
team, as well as other aspects of a company.
When researching a company on the Internet, there are many places to look.
You must make the most of the limited time you have to conduct initial research,
so you must have some guidelines about where you are going to look. Based on
experience, the best places to find out information about a company where you get
the most “bang for the buck” are the following:
• Company Web site (if one exists)
• Public financial statements (if they exist)
• Trade journals
• Other articles found on the Internet
Company Web Site
The company Web site, if one exists, can provide a tremendous amount of information
about a company. Many organizations are becoming increasingly dependent on
their Web sites to provide information as well as to offer services over the Internet.
The company Web site name can be provided by the client or it can probably be
obtained through searching the Internet. Some of the basic information that can be
taken from a Web site includes general company-related information and
operations-related information. In conducting a security assessment, Web site review can yield
the following types of information:
• General company news
• Operations-related information
• Planned initiatives
• Management team
• Financial information
• Web-based offerings
• Sense of dependency on Internet presence
Although this sounds like a significant amount of information to look for and
review, the intention is only to familiarize yourself with the company, so the amount
of time spent should be chosen with that in mind. The purpose of reviewing this
information is to become familiar with the company, not to learn everything possible
about it. The next sections contain discussions about the specific items listed above.
General Company News
Many company Web sites have a section that is devoted to current events relevant
to the company. This section may contain company-related press releases as well as