108
A Practical Guide to Security Assessments
other items that might have been in newspapers. Although no assurance exists that the company’s news is completely up to date, the general news found on a company’s Web site can be useful.
Operations-Related Information
Operations information is basically what the company does, including the following:
• Products and services provided — This is perhaps the most important piece of information that can be obtained from the company Web site. Based on the products and services being offered, you can gain a sense for what some of the mission-critical business processes are.
• Locations — The number of locations is significant for a security assessment when discussing the network infrastructure and connectivity issues as well as general operations. The various locations will normally have to communicate with each other, so you will probably have to learn about the infrastructure and how the different sites are connected. It will be crucial to build on this information later when planning and conducting the technology review (Phase 4 of the assessment). There may be some potential issues related to security of communications between sites, firewall configuration, and the overall security architecture. The discussion around locations will also naturally lead to how employees are given remote access to the company network. Knowing the locations provides invaluable information that can be built upon.
• Number of employees — The number of employees coupled with other information including revenues, number of locations, and other statistics can provide some sense of the size of the company. It is important to note that the size of the company does not necessarily reflect the complexity of the company’s operations or how complicated the related security issues might be.
• Business unit information — The business unit information is, in some ways, an extension of the information on what products and services are offered by a company. Details about what the various business units do and where they are located are invaluable when performing the security assessment. Another aspect of business units that has security implications is how the company was formed in the first place. If business units became part of the company via acquisition, there are potential security implications related to how well the new company was integrated into the existing infrastructure.
• Business-to-business (B2B) relationships — B2B relationships have made many processes very efficient. Supply chain activities are a case in point; B2B relationships have streamlined these processes. Suppliers, for example, sometimes now manage inventory for their customers. They have a view of inventory and are charged with maintaining certain levels. Although this process is very efficient, areas of security risk exist and should be reviewed. Some of the risks with B2B relationships include (the full list can be reviewed using the questionnaire provided in the appendices):
  – How is the B2B partner’s access to the company’s information limited to only the information required for that partner?
  – How is access controlled at the B2B partner level when an employee is terminated?
• Regulatory environment — Sometimes, companies may have information regarding certain regulatory requirements to which they are subject. If the regulatory requirements have any information security components, it would be important to know this as early as possible in the assessment process. Some of the more recent legislation that has information security components includes the Health Insurance Portability and Accountability Act (HIPAA; health care), the Gramm–Leach–Bliley Act (GLBA; financial services), and the Sarbanes–Oxley Act, which affects publicly traded companies.
Planned Initiatives
It is critical to understand what the customer is planning for the future and what type of security implications that might have. Planned initiatives can significantly change recommendations you might make in a security assessment. These initiatives can range from simple changes, such as adding to an existing network, to very complicated changes in the overall network architecture, acquisition or disposal of a business unit, or a major change to the products and services offered. Depending on the nature of the initiative, the company Web site might provide details about it. Recommendations in the security assessment should take planned initiatives into account, as both the content and the criticality may be affected.
Management Team
The management team is often listed on a company’s Web site. Although this information will not necessarily allow you to ask better questions, a name might “ring a bell.” Someone may be familiar to you based on other places where you have performed security assessments, or someone in management may be known from other companies. If you skim the bios of the management team, you might gain a sense of where they previously worked; this might be useful information when trying to gauge management’s attitude about security. Also, if a management overhaul has taken place, that could mean changes in the focus of the business, changes in business processes, or other changes to the business that could potentially affect the outcome of a security assessment.
Financial Information
Financial statements (discussed in detail in the next section), especially in the case of publicly traded companies, are often published on the company’s Web site. If the company is not publicly traded, information on how they are funded and how much funding they have may be available. Financial information can give some indication as to how the company is doing and what their financial position is. A company that is doing well might be more proactive when it comes to security. Conversely, companies that are not doing as well tend to cut corners wherever possible and are completely focused on generating revenue and keeping expenses down.
The financial situation of a company should be viewed in conjunction with other available information about the company. It is just one more way to help understand the company before diving into the details regarding processes and technology in place.
When conducting a security assessment, you not only have to consider the financial condition of the company, you must also consider the financial condition of any companies with whom there is a dependency. Consider the example of a company that outsources its IT operations to an outsourcing provider. The outsourcing provider is now charged with providing an adequate level of security for the company’s data residing on machines inside the outsourcer’s data center.
Web-Based Offerings
Web-based offerings are becoming more common every day, with many companies now either offering or planning to offer goods and services over the Internet. In terms of a security assessment, any type of Web-based offering should raise a flag and will probably warrant further detailed testing. Web-based offerings can come in a number of forms, with each carrying its own level of risk. One thing to look for is if the Web site is certified by “BBB OnLine” or other similar bodies; this provides some level of assurance that the company has taken steps to have an independent assessment performed to assess the security of their Web site. When evaluating Web-based offerings and determining the extent to which they will be reviewed in the security assessment, the following should be kept in mind:
• Sensitivity of information used in the Web-based offering — i.e., are users entering any of their personal information?
• Whether Web site users will be able to buy something from the site — i.e., will they be providing sensitive credit card information?
• Does the Web-based offering provide content only? — i.e., users will not enter any personal information.
Based on the criteria above as well as other criteria that will become evident as you obtain more information about the operations, you can determine how Web-based offerings will impact the scope of the security assessment (e.g., the potential need for additional process reviews and hands-on testing of the systems supporting the Web-based activity).
Sense of Dependency on the Web Presence
One of the questions we will ask as we go through different areas of the security assessment will be, “How important is it to you?” or “How dependent are you on a certain system and how long could you tolerate its unavailability?” As far as the Web presence, you can gain a sense for the company’s dependency on their Web presence just by looking at the Web site and what it offers. The importance of the Web site, how it integrates into the key business processes, and where it is in the overall network architecture will drive the extent and type of testing that will be done.
As is evident above, a company’s Web site can provide a plethora of information and make you better prepared to talk with the client. When evaluating information that a company posts on its Web site, keep in mind that it is the company that is posting the information. Although some of the information, such as financial data, is objective, some data on a company’s Web site may be subjective in nature. This subjective information should be viewed with “healthy skepticism,” as it is not independent. Subjective information should be questioned and not taken at face value, and to the extent it affects a finding, you should consider verifying certain information.
FINANCIAL STATEMENTS
In the previous section, we discussed financial statements, which sometimes reside on the company’s Web site. In addition, the financial statements for publicly traded companies are public documents that are filed with the Securities and Exchange Commission (SEC). Links to SEC filings are normally available on financial-related Web sites such as the Yahoo! Finance Web site or http://www.secinfo.com/. A number of different parts of the statements provide a wealth of information that is useful in learning about a company. Some of this information is objective in nature and has been attested to by an independent auditor, but other information is more subjective. The subjective information must be viewed with a “healthy skepticism” and, to the extent that it is relevant for the security assessment, some level of independent verification should be performed. Some of the key statements to look for in preparation of a security assessment include:
• Form 10K — Annual Report
• Form 10Q — Quarterly Report
• Form 8K — Report of Unscheduled Material Events
Form 10K — Annual Report
The 10K is essentially the company’s annual report, which is filed with the SEC soon after the end of the company’s fiscal year. If you have limited time to become familiar with a company, the 10K is the best document to review. The 10K is very comprehensive and probably one of the best sources of information for a company. Note that the 10K form is only required for publicly traded companies; other companies might still have an annual report that the client can provide if needed. The Annual Report and the 10K are the same document. Some of the information that the 10K provides can include:
• Description of the business — The 10K provides a description of the company in a narrative-type format explaining what the company does and the products or services it sells. This is high-level information, which you have probably seen from other sources.
• Business unit information — Business unit information provides more details about the business. The 10K might go into detail about what each division or business unit does and how the business unit is doing. This information can be evaluated to identify potential areas of concern from a security perspective. Although the 10K will probably not go into process-level detail, it might give enough information to allow you to have a high-level understanding of the different business units. The business unit information can also be used in conjunction with the financial information to understand the focus of the business. In some cases, the 10K might contain a breakdown of revenues at the business unit level, providing some indication about which business units are more or less critical to the business. This information becomes more important as the business becomes larger and more complex. For smaller businesses, there may be only one business unit, and this type of information might be a moot point.
• Management discussion and analysis — The Management Discussion and Analysis (MD&A) is management’s discussion of the business, which includes a review of the year’s results as well as an idea of what is to come in the future. This discussion goes through some of the financial details of the company and typically includes a comparison with the numbers from the prior year. Any significant variances in the results from the prior year are explained, which can provide information regarding changes in the business. Keep in mind that the MD&A is prepared by the company’s management, so it is not objective and independent. Even so, the information is valuable because it might give a sense of what the company views as important in the business. Note that the numbers referenced in the MD&A are audited, but the overall content of the MD&A is management’s view of the business today and where they see it going in the future.
• Merger or acquisition activity — Merger or acquisition activity is an important consideration for a security assessment. Mergers and acquisitions potentially introduce new processes and technologies into a company. The degree to which a company can integrate processes and technology infrastructure as a result of a merger or acquisition can have an impact on the overall security posture of the company. Questions regarding security policies, security infrastructure, and security ownership all become more relevant when mergers or acquisitions occur. The significance of the merger or acquisition depends on how large the new business is and how it is going to be integrated. Companies sometimes will integrate new acquisitions over a period of time and let them function “business as usual” for a short time before beginning the integration process. If a merger or acquisition has occurred, it should definitely be covered in the interviews with the client.
In addition to the information listed above, the 10K also contains financial statements and supplementary data. The statements include the balance sheet, income statement, and cash flow statement, as well as other summary statements and the notes to the financial statements — all of which are worth looking at.