6 Business Process Evaluation
The third phase of the security assessment is the Business Process Evaluation, which
marks the beginning of the substantive portion of the security assessment. Before
going into the details of this phase, it is worth discussing the overall progression of
information gathering that will take place beginning with this phase, why the process
is important, and some of the reasons why the process may not go as smoothly as
we would like. This is relevant because the business process evaluation phase is
arguably the most critical phase of the security assessment. The work in this phase
will drive the rest of the security assessment, including what technologies you review
and how you classify the findings.
The main information gathering happens in this phase and the next (Business
Process Evaluation, Technology Evaluation). In these two phases, you will evaluate
the business processes and supporting technologies from a security perspective. You
will meet with management, business process owners, and technology owners to
gather the necessary information.
The progression of information gathering will start with the business and then move into technology. We first look at where the business is today and where it is heading from a strategic perspective. Based on this, we will determine the high-level security requirements of the business. The strategy discussion is high level, and it is mainly about the core business processes, the organizational structure, and other topics that might affect the direction of the company.
As a result of this discussion, we will determine the core business processes of
the company. In addition, other business processes that are relevant from a security
perspective might be worth exploring.
The final area to review is the information technology (IT) environment. At this
stage, the key technologies have been identified. Interviews with technology owners
and certain hands-on testing of critical systems are performed.
The point of the progression of information gathering is that each step of the
process builds on the previous step. Doing the steps in the wrong order may result
in focusing on processes or technology that are not very important to the business,
resulting in an assessment that is not accurate. If you start with the core business
processes and supporting technologies from a security perspective, your analysis
will have the right focus. This approach will also help you prioritize your efforts in
the security assessment. This flow of information gathering is in line with the
fundamental concept of this methodology, which is that the business drives security
and not the other way around.
AU1706_book.fm Page 139 Wednesday, July 28, 2004 11:06 AM
A Practical Guide to Security Assessments
One mistake that is often made when doing a security assessment is immediately focusing on the technology; this sometimes happens because IT groups often initiate security assessments. The security assessment is then viewed as a technical process instead of a process where business and technology are intertwined. Unless the IT person you are dealing with interacts closely with users and their management, the assessment tends to be very technically focused and to have minimal focus on the business.
An example of how you can immediately fall off track is a security assessment
where you immediately begin the engagement by discussing the security architecture,
which then leads to a lengthy technical discussion about the merits of the security
architecture and whether it makes sense. Although some aspect of the business might
be discussed, there is no assurance that the core business processes of the
company — i.e., those most important to the business — have been identified. As
part of the discussion, you might even gain access to certain systems to start looking
at what security measures are in place. Security configurations such as the firewall
rule base and security settings on servers might be reviewed. The fundamental
problem with this approach is that you cannot really determine how good or appro-
priate the security posture is without knowing what it is that is being protected. At
this stage, even with the initial research that has been done, your knowledge about
the company is still fairly minimal so you are evaluating security without really
knowing what risks you are dealing with. By not following the methodology, and more specifically, by not starting with the business process, you run the risk of drawing incorrect conclusions about findings, risks, and the security measures in place.
How does the security assessment fall off track? Below are some typical reasons
and how these situations can be avoided:
Reason: Security assessment ownership — From the client’s side, someone from the information technology group often owns the security assessment — i.e., it was initiated by IT and they are responsible for it. This ownership is often the result of management labeling security as an IT problem, when it is really something that cuts across all parts of the business. The IT person who is responsible for the security assessment may or may not be versed in what is important to the business and also may not have strong relationships with people from the business side. One thing for sure is that people from the IT group are probably focused on technology because that is their job. They probably have some idea of how the technology supports the business, but they cannot definitively answer key questions related to how the business would be impacted if critical information is compromised or what the tolerable downtime is if systems are not available. Even if the IT person can provide an answer, it should really come from the business process owners, who can provide the definitive answer. IT personnel should not be speaking for the business. If the security assessment is exclusively owned by IT, you will probably do the assessment without having any substantive conversation with anyone from the business. Consequently, if you start with technology, you risk having an inaccurate security assessment.
Remedy: During the initial phases of the security assessment, from the kickoff meeting on, you must educate the client on the methodology and insist on working with people from both the business and the technical sides of the company. You can also talk to the executive sponsor of the assessment about the importance of following the methodology. The argument for the approach is that the final document resulting from the security assessment will be a “security roadmap” to help improve the security posture of the company. If the assessment is not performed correctly, the results could overlook key risks and incorrectly prioritize future security initiatives. This in turn leads to an ineffective allocation of funds for security initiatives. The long-term impact of not conducting the security assessment in the right way should be stressed.
Reason: Scope was not properly defined — With some assessments, the scope of work is very vague and not clearly defined. Sometimes, the prefieldwork steps, as defined in this methodology, are rushed due to time constraints and other factors. You might have been developing the scope with someone from the company who did not have a good grasp on the business, or the scope definition might have seemed obvious so you did not spend much time on it. As discussed earlier, the scope development process can take some time; if it is rushed, there is a chance that it can cause problems later.
Remedy: The process of gathering information and the business process owners you need to speak to should be mentioned in the scope and then covered in the kickoff meeting. If this was not done, you must address this quickly with your single point of contact and potentially, the executive sponsor. As with the previous reason, the importance of following the methodology and the consequences of not following it should be stressed. Specifically, you should stress that if the assessment is not done correctly, the “security roadmap” from the assessment might overlook key risks and incorrectly prioritize security initiatives for the short and long term. This can result in an ineffective allocation of funds for future security initiatives.
Reason: Lack of cooperation from key individuals — Some security assessments are done under circumstances where not everyone is necessarily on board with the process. The assessment might not have been presented in the right way to the people in the organization and as a result, employees may be fearful about the results of the assessment. By their very nature, security assessments will uncover security weaknesses with processes and technology. Some of these weaknesses will point back to individuals in the organization, and that causes some level of discomfort, which can result in people being less than cooperative during the assessment. This does not mean that an employee will not talk to you or answer questions as part of the security assessment process. It does mean that this is all the employees will do. In other words, they may *only* answer the question. They will not volunteer other information that may be related and relevant to the questions you ask. These other bits of information are often valuable. This lack of cooperation can potentially lead to not uncovering issues and to providing inappropriate recommendations.
Remedy: If you are not receiving the cooperation you need and you have done what you can to make people feel at ease, you must escalate to your single point of contact. If that does not work, you must escalate to the executive sponsor. Escalation is critical here. Keep in mind that you are ultimately accountable to the executive sponsor, who is responsible for making the assessment happen in the first place. Do not fall into the trap of feeling bad and not wanting to get the client personnel into trouble. Remember that you have a limited amount of time to do the assessment and you cannot afford to have time wasted due to people not cooperating. The quality of the assessment is only as good as the information you receive from client personnel, so their cooperation is critical.
To ensure that the security assessment follows the proper methodology, you must
ensure that you properly define the scope and that you are clear with the client about
the methodology you use.
GENERAL REVIEW OF COMPANY AND KEY BUSINESS PROCESSES
In this step (Figure 6.1), you will meet with management to gain a “big picture”
view of the company. Before you can really start looking at detailed business
processes, you need to have a good overview of the company and what it does. At
this stage, you may know some general information based on your initial research
and the questionnaire that you went over with the client representative. That infor-
mation is useful, but you still need to learn about the company from the people who
are actually running it on a day-to-day basis. The information being sought at this
point is a high-level understanding that goes a level deeper than the initial question-
naire that you discussed with the client. The purpose is to lay the groundwork for
the rest of the assessment.
In gaining an understanding of the business, the first step is to understand what
it does and what the strategic direction of the company is. At this point, you should
give minimal attention to technology, as that will come later. You are really trying
to come away with an idea of what the company does and how it is done at a high
level. You want to know the core business processes of the company — i.e., how
does the company make money? From a security perspective, you should also try
to learn about the company’s information security program and the various elements
discussed in Chapter 3.
FIGURE 6.1 General review of company and key business processes. (Flowchart of the Business Process Evaluation phase, in order: general review of company and key business processes; finalize question sets for process reviews; meet with business process owners; document findings; status meeting with client.)