Initial Information Gathering 127
and supporting technologies in determining security weaknesses. Note that some of
the significant business processes should already be known at least at a high level
based on the information gathered thus far. For each of the significant business
processes, you should have a structured discussion with the appropriate subject
matter expert to help ensure that you are capturing the relevant information. Below
is a detailed discussion of specific questions you can ask related to significant
business processes and supporting technologies. These questions are generic and
can be used for any business process subject matter expert. To the extent that you
can customize the questions for the specific people you will interview, you should
do so. In the next phase, time is allotted for finalizing the question sets, so
modifications can be made up until that time. As you discuss the processes, some or all
of the questions might be answered during the course of the conversation. These
questions will help ensure that you gain a comprehensive level of knowledge about
the different business processes.
As with the other questionnaires contained in the appendices, the questions are
there to serve as a guide and help ensure that all pertinent questions have been
answered. Below are questions and topics that should be addressed for each of the
significant business processes:
• Describe how the business process works — This is a general question to
start the discussion of specifics about the business process. Here, process
owners can talk about what they do and how they do it. This is a good
way to start the discussion because it provides you with an understanding of
the process as well as of other aspects that the next questions will
explore in more detail.
• What are the critical roles in the process and do backups exist in the event
that key individuals are not present? — Understanding the roles and
responsibilities as they relate to the business process is important for a
few reasons. First, you can determine whether any segregation of duties
issues exist, and if they exist, whether any mitigating controls are present.
Second, you can determine whether there is a dependency on specific
people to ensure the process is running. You should be particularly
interested if there is a dependency that has a security implication (e.g., only
one person can administer a particular application or only one person has
a particular skill set that is critical). Third, you can determine whether
someone owns the key responsibilities related to the business process.
Ownership is a fundamental concept in information security — without
ownership, there is no accountability or assurance that tasks will be completed.
• What technology supports this business process? — The purpose of this
question is to identify the technology that supports the process and thereby
determine what warrants further examination. Here, technology refers to critical
servers, applications, infrastructure, and any other technology that
supports the process. In addition, things like general network connectivity,
Internet connectivity, printing services, or the availability of a third-party
ASP (Application Service Provider) should be considered. When
determining the key technologies that support the process, it is best to document
AU1706_book.fm Page 127 Tuesday, August 17, 2004 11:02 AM