140
A Practical Guide to Security Assessments
security assessments. The security assessment is viewed as a technical process
instead of a process where business and technology are intertwined. Depending on
how much the IT person you are dealing with interacts with users and their man-
agement, security assessments tend to be very technical-focused and have minimal
focus on the business.
An example of how you can immediately fall off track is a security assessment
where you immediately begin the engagement by discussing the security architecture,
which then leads to a lengthy technical discussion about the merits of the security
architecture and whether it makes sense. Although some aspect of the business might
be discussed, there is no assurance that the core business processes of the
company — i.e., those most important to the business — have been identified. As
part of the discussion, you might even gain access to certain systems to start looking
at what security measures are in place. Security configurations such as the firewall
rule base and security settings on servers might be reviewed. The fundamental
problem with this approach is that you cannot really determine how good or appro-
priate the security posture is without knowing what it is that is being protected. At
this stage, even with the initial research that has been done, your knowledge about
the company is still fairly minimal so you are evaluating security without really
knowing what risks you are dealing with. By not following the methodology, and
more specifically, by not starting with the business process, you run the risk of
making incorrect conclusions related to findings, risks, and security measures in
place.
How does the security assessment fall off track? Below are some typical reasons
and how these situations can be avoided:
•
Reason:
Security assessment ownership —
From the client’s side, some-
one from the information technology group often owns the security
assessment — i.e., it was initiated by IT and they are responsible for it.
This ownership is often the result of management labeling security as an
IT problem, when it is really something that cuts across all parts of the
business. The IT person who is responsible for the security assessment
may or may not be versed in what is important to the business and also
may not have strong relationships with people from the business side.
One thing for sure is that people from the IT group are probably focused
on technology because that is their job. They probably have some idea of
how the technology supports the business, but they cannot definitively
answer key questions related to how the business would be impacted if
critical information is compromised or what the tolerable downtime is if
systems are not available. Even if the IT person can provide an answer,
it should really come from the business process owners, who can provide
the definitive answer. IT personnel should not be speaking for the business.
If the security assessment is exclusively owned by IT, you will probably
do the assessment without having any substantive conversation with any-
one from the business. Consequently, if you start with technology, you
risk having an inaccurate security assessment.
AU1706_book.fm Page 140 Wednesday, July 28, 2004 11:06 AM