Initial Information Gathering 131
perspective. For example, a disgruntled employee who was terminated
but who still had certain access to systems because his access was not
properly terminated could have caused the incident. This issue could lead
to findings in the areas of how terminations are handled and general user
ID administration, if these topics were not addressed after the incident.
• How soon did you become aware of the incident? Did you find out because
of a documented process or by accident (e.g., happened to be talking to
somebody)? How soon the client became aware of the incident is an
indication of whether the company has proper mechanisms in place to
find out about security incidents. “Proper mechanisms” can refer to
employees being aware enough to alert the right people or having the
right systems in place to alert the company to incidents. During the
security assessment, if you ask whether the client has had a security
incident and the response is “no,” the next question is “how do you know?”
For many companies, no mechanism is in place to ensure knowledge that
an incident had occurred. Although security incidents can occur with any
company, how quickly the incident is detected can make a big difference.
Good detection methods and a strong incident response process can sig-
nificantly reduce the damage resulting from an incident. A perfect example
is Web site defacement. Some companies will know immediately, but
other companies will find out about it by accident. How quickly the Web
site can be fixed can make a big difference in the impact of the defacement.
• What was the reaction? Once the incident occurred and the client found
out about it, did all the people involved understand what they needed to
do in reacting to it? Questions related to whether proper communication
took place, whether the right people were involved in restoring systems,
and a host of other items (which are covered in the Incident Response
checklist) should be asked. If the reaction was less than adequate, a weak
incident response process should be flagged as an issue.
• What was the impact of the incident? The impact of the incident provides
empirical evidence of what the true risk of an incident is. It can help you
quantify the impact, which is important because it helps determine cost-
effective steps for mitigation that are commensurate with the risk. For
example, if an incident occurs where a business-to-consumer Web site is
taken down, you can quantify the immediate impact related to revenue
and the long-term impact related to a loss of customers. Here, you can
look at the real impact related to an incident and how it affected the
business, which will be helpful when doing the risk analysis.
• What has been done to prevent such incidents from happening in the
future? With any security incident, companies should at least go through
the process of assessing what happened and determining whether any
additional security measures should be taken to prevent it from happening
again. Whether or not management does anything gives some indication
about management’s attitude about security. If nothing was done, there is
a chance that management did an analysis and determined that there were
no measures to take that were cost effective. It could also mean that they
AU1706_book.fm Page 131 Tuesday, August 17, 2004 11:02 AM