Initial Information Gathering
Balance Sheet
The balance sheet represents the financial state of a company at a specific point in
time — the end of the fiscal year for the company. Reviewing the financial statements
can give you a sense of how financially strong a company is. No standard benchmarks
exist to indicate whether the financial position of a company is strong. However,
there is value in looking at numbers in comparison with the prior year and over a
few years (if that information is available). The information from the balance sheet
can be analyzed using ratios shown in Table 5.1.
The ratios in the table are used for liquidity analysis, which measures the
company's ability to meet its current obligations in a timely fashion. These
ratios should be tracked over several years rather than read in isolation; a
downward trend in any of them is a potential cause for concern. The numbers
used in the ratios are readily available from the balance sheet, and the
calculations are quick.
The relevance of reviewing liquidity is that if a company is struggling with
current obligations, a tendency to cut corners may be present. Depending on the
severity of the situation, the company may be in “survival” mode, where only
mission-critical operations are happening and everything else is on the back burner.
In a “survival-mode” scenario, it is very possible that information security is not
being given much attention.
The other impact of the financial condition on a security assessment is in the
recommendations. When making recommendations, the company’s financial situa-
tion must be considered. Although cost-effective recommendations should always
be made regardless of the situation, extra attention must be given to ensure that
recommendations make sense based on the current financial condition. Sometimes,
it is appropriate to provide clients with recommendations containing different options
that range in cost. It is then the client’s decision to choose the most comfortable
option for them.
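As an added worked example (not code from the book), the following Python computes the three Table 5.1 ratios from a few years of balance-sheet figures and flags any ratio that has declined in every year-over-year step, which is the trend the text says should raise a concern. The figures are constructed sample data, not a real filing, and the class and function names are my own. The sample is chosen so that the current ratio stays flat while the quick ratio falls, because inventory is growing faster than other current assets; this is exactly the kind of deterioration the current ratio alone would hide.

```python
# Added example, not from the book: liquidity-ratio trend check using the
# three ratios in Table 5.1. All figures below are constructed sample data.

from dataclasses import dataclass


@dataclass(frozen=True)
class BalanceSheet:
    """One fiscal year's balance-sheet figures (constructed, in thousands)."""
    year: int
    current_assets: float
    inventories: float
    current_liabilities: float
    total_assets: float

    def current_ratio(self) -> float:
        # Current assets / current liabilities
        return self.current_assets / self.current_liabilities

    def quick_ratio(self) -> float:
        # Quick assets = current assets less inventories (Table 5.1, note a)
        return (self.current_assets - self.inventories) / self.current_liabilities

    def net_working_capital_ratio(self) -> float:
        # Net working capital = current assets less current liabilities (note b)
        return (self.current_assets - self.current_liabilities) / self.total_assets


RATIOS = {
    "current ratio": BalanceSheet.current_ratio,
    "quick ratio": BalanceSheet.quick_ratio,
    "net working capital ratio": BalanceSheet.net_working_capital_ratio,
}


def ratio_table(sheets):
    """Return {ratio name: [(year, value), ...]} in chronological order,
    rounded to two decimals as they would be reported."""
    ordered = sorted(sheets, key=lambda s: s.year)
    return {name: [(s.year, round(fn(s), 2)) for s in ordered]
            for name, fn in RATIOS.items()}


def downward_trends(sheets, min_years=3):
    """Names of ratios that fell in every year-over-year step across the
    most recent `min_years` years. Fewer years than that is not a trend."""
    flagged = []
    for name, series in ratio_table(sheets).items():
        values = [v for _, v in series][-min_years:]
        if len(values) >= min_years and all(b < a for a, b in zip(values, values[1:])):
            flagged.append(name)
    return flagged


# Constructed sample: three fiscal years of one hypothetical company.
# Inventory grows faster than other current assets, so the current ratio
# holds at 2.0 while the quick ratio slides from 1.5 to 0.93.
SAMPLE = [
    BalanceSheet(2001, current_assets=1200, inventories=300, current_liabilities=600, total_assets=3000),
    BalanceSheet(2002, current_assets=1300, inventories=500, current_liabilities=650, total_assets=3200),
    BalanceSheet(2003, current_assets=1400, inventories=750, current_liabilities=700, total_assets=3400),
]

if __name__ == "__main__":
    for name, series in ratio_table(SAMPLE).items():
        print(f"{name:26s} {series}")
    print("downward trend in:", downward_trends(SAMPLE))
```

The trend test deliberately uses the rounded values, so a ratio that is flat to two decimals (the current ratio here) is not flagged; only the quick ratio, which drops in both steps, is reported.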
TABLE 5.1
Balance Sheet Ratios

Ratio                        Calculation
Current ratio                Current assets / current liabilities
Quick ratio                  Quick assets(a) / current liabilities
Net working capital ratio    Net working capital(b) / total assets

(a) Quick assets is current assets less inventories.
(b) Net working capital is the current assets less the current liabilities.
AU1706_book.fm Page 113 Tuesday, August 17, 2004 11:02 AM
A Practical Guide to Security Assessments
Income Statement (Also the Profit and Loss [P&L] Statement)
Unlike the balance sheet, which represents the company's position at a point
in time, the income statement represents activity over a period of time, e.g.,
the company's fiscal year. As with the balance sheet, the numbers should be
compared over at least two years; this information is available in the 10K.
The numbers that make up the operating income, and the changes in these
numbers from the prior year, are worth reviewing when preparing for a security
assessment, as those variances might indicate changes to the business or other
relevant events. The high-level line items that make up operating income are
revenues, cost of goods sold, and selling, general, and administrative
expenses.
The revenue number might be broken up into more granular components depending
on the type of business. Significant fluctuations in revenues over time should
be explained. Trends can be due to market conditions and be completely expected or
they may be due to other conditions in the company. For many companies affected
by the economic downturn in 2002, reduction in revenues was expected and fore-
casted at that time. The key is that the trend and its effect on the business should
be explained; from the explanation, you can determine whether any impact on the
security assessment is likely. For example, if a company is continuing to have less
revenue in a particular division, there may be a plan to discontinue certain products
and services. This will certainly impact a security assessment because those pro-
cesses and the technology that specifically support that business might be discon-
tinued, and thus you might not spend significant time on it during the security
assessment.
Similar to revenue, the cost of goods sold can be presented in a more granular
fashion depending on the company and its reporting requirements. The cost of
goods sold represents the costs directly associated with the goods or services
the company sells. Like revenues, it should be reviewed over a period of time,
with any significant fluctuations explained by the client. These fluctuations
may be explained by economic conditions or by specific issues the company is
facing. An unusual rise in cost of goods sold is one case that might affect
the security assessment. It could result from changes in the cost of materials
(little impact on the security assessment), from changes in processes, or from
other changes in the organization. If it resulted from process changes or from
greater use of technology, that could change what you look at in the security
assessment.
Selling, general, and administrative expenses (SG&A) generally include support
costs such as sales, back office operations such as accounting and finance, and other
support costs. SG&A should be reviewed over a period of time. Fluctuations in the
components of SG&A such as accounting, finance, and human resources (HR) could
have security implications depending on the reason for the fluctuation.
Notes to the Financial Statements
Glancing through the notes to the financial statements is valuable. The notes contain
details about line items on the financial statements that might need further clarifi-
cation. The notes also contain other information that is not reflected in the financial
statements but that companies are required to disclose. The notes are part of the
financial statements and they are audited — i.e., a third party has audited the content
of the notes and the numbers referenced in the notes. Some important pieces of
information that would be helpful in the security assessment can be extracted from
the notes. Notes vary from company to company, but some examples of important
information from the notes include mergers, acquisitions, and divestitures; contin-
gencies — potential litigation; alliances with other companies; and details on specific
line items on the financial statements.
Form 10Q — Quarterly Report
The 10Q is very much like the 10K but with two significant differences:
• The 10Q reflects activity over a three-month period.
• The 10Q, unlike the 10K, is not subject to a full audit by a third party.
For the purposes of a security assessment, these two differences are not that
significant. Remember that the review of these statements is for the purpose of
gaining initial information and to be better informed when asking the questions. The
10Q is worth reviewing during the initial preparation phase of the security assessment
if it is taking place well into the client’s next fiscal year and the 10K is not completely
current. The 10Q should be reviewed in much the same manner as the 10K, as they
both include much of the same information.
Form 8K — Report of Unscheduled Material Events
The 8K is used to report “unscheduled material events.” These events have a material
(i.e., significant) impact on the business; publicly traded companies are obligated to
inform the public about such developments. Classifying an unscheduled event as a
“material” event is the decision of management and the board of directors of a
company. However, certain events such as the following will probably be reported
via an 8K:
• Merger or acquisition
• Significant changes to management (e.g., new chief executive officer
  [CEO], etc.)
• Major litigation settlement
Events reported using an 8K also appear in the 10K and 10Q statements. When
preparing for a security assessment, you should look at any 8Ks filed since the last
10K or 10Q. If any type of material event has occurred, there is a chance that it can
impact the security assessment.
To reiterate, the statements listed above are an invaluable resource in obtaining
information about a company in preparation for a security assessment. The review
of these statements, however, must be kept in perspective. The time spent on review-
ing the financial statements depends on how much time is available for completing
the security assessment and how much knowledge you already have about the
company. If you are new to the company or have only superficial knowledge of it,
a cursory review of the statements, at a minimum, is warranted. For an internal
employee doing the assessment, the level of review depends on how complex the
company is and how much of the operations is familiar as a result of the employee’s
current role. In any case, reviewing the statements is important, and the time spent
is a judgment call for those conducting the security assessment.
Reviewing the financial statements normally points to areas of the business
where potential security concerns exist. This supports the notion that
information security is an integral part of the business, not a set of
disparate technologies sitting apart from it. Security is a business issue,
and it is the business that drives the security requirements; that is the
basis for this security assessment methodology.
Trade Journals
Another good source of information is trade journals. Besides providing information
about the company being evaluated, trade journals provide information about the
industry in general. Going through trade journals provides a sense of what is hap-
pening in the specific industry, as well as some of the issues facing the industry as
a whole. Some items that might be of interest in the context of a security assessment
include:
• Regulatory requirements facing companies in that industry — When
  performing a security assessment, it is important to understand any
  regulatory requirements with security implications that affect the
  company. Management must comply with such requirements, so specific steps
  should be included in the security assessment to determine compliance.
  If you are working with a company subject to regulations, review the
  regulations during scope development to determine which parts of them
  are in scope. Some regulations are very extensive, so it is wise to be
  granular about what is in scope and what is not. Besides the better-known
  security-related requirements such as HIPAA (health care) and GLBA
  (financial services), other industries have their own. One example is the
  Family Educational Rights and Privacy Act (FERPA), which applies to
  schools that receive federal funding and restricts disclosure of student
  education records. Besides identifying regulations, trade journals can
  also show how similar companies are addressing regulatory issues.
• Use of new technology that is changing how business processes are
  performed — Technology has affected virtually every industry by
  streamlining business processes and changing how things are done. Trade
  journals can provide information on industry-standard technologies,
  emerging technologies, and potential security issues with these
  technologies. If the company being assessed is using or planning to use
  these technologies, this information can be valuable.
• Security-related issues facing the industry — Given the dependence on
  technology and the connectivity of today's networks, security is a major
  issue in almost every industry. Security issues can be technology specific
  and also industry specific, because certain technologies are built for
  particular industries. Trade journals can provide information on
  industry-specific risks, which is valuable in preparing for the security
  assessment.
• Issues that the company's alliance partners are facing — Alliance
  partners, as noted in the earlier section, can be third parties that are
  connected with the company. Specifically, if business-to-business (B2B)
  partners or application service providers (ASPs) are having problems, this
  can affect the company being assessed. For example, consider an ASP that
  provides an application supporting a core business process. If the ASP
  has financial troubles severe enough that it could be on the verge of
  bankruptcy, this can have a very significant impact on the company.
Reviewing all of the information outlined above can seem a daunting amount
of work. As with the financial statements, the depth of the review should be
driven by the time available and the knowledge the individual already has
about the industry. It is important to remember that this review is done in
the "Initial Preparation" phase, and its purpose is to gather enough
information to create good question sets and to talk to the client armed with
as much information as possible. Also, obtaining information from trade
journals or any other source discussed here is an iterative process. During
the security assessment, information can be uncovered that warrants revisiting
some of the sources already reviewed; such follow-up reviews would naturally
be more focused on specific topics.
Other Articles on the Internet
The final place where you can seek information about a company is the Internet,
using traditional search engines such as Google and Yahoo! Aside from the sources
identified in the sections above, the Internet in general can provide a wealth of
information. Searches on the Internet can yield all kinds of information about the
company, its competitors, and the industry in which they operate. These articles
might be from traditional daily newspapers and magazines. This category of infor-
mation rounds out obtaining publicly available information from the Internet.
A great deal of information can be gathered in the initial information
gathering phase. How much can be obtained depends on how well known the
company is, whether it is publicly traded, and other factors. If the company
is publicly traded, a host of information is available through its SEC
filings. In any case, the more information that can be gathered, the better
prepared you will be for the assessment.
GATHER INFORMATION FROM THE CLIENT
Once the publicly available information is reviewed, information should be obtained
from the client if possible (Figure 5.2). If an internal employee is conducting the
assessment, that individual might already have access to much of the information
that can be used in preparation for the security assessment.