144
A Practical Guide to Security Assessments
This phase is absolutely critical in the security assessment process, as the success
of the rest of the assessment rests on having a good understanding of the business.
In this step of the phase, you will gain a high-level understanding of the business
by meeting with members of the management team. The single point of contact from
the client’s side should set up this meeting at the beginning of this phase with
members of management who can talk about the strategic direction of the business,
organizational structure, and other high-level aspects of the company. It is important
that you meet with management and not someone who is more tactical — i.e.,
someone who is in more of a day-to-day operational role. Management can offer
insight, particularly about the organization, strategic direction, and a “big picture”
view of the company. This first meeting is important because it will set the tone for
the rest of the security assessment.
Because of the nature of this meeting (e.g., the “big picture” view and strategic
direction), you should talk to management, because they can best provide this type
of information. One of the potential problems that you may run into is that your
point of contact in the company might not have someone from management for this
meeting, because of a lack of access to management or a failure to see the necessity
of involving management. Either reason is a problem, and if that happens, you should
insist on speaking with the right people or talk to the executive sponsor for the
project. This meeting is important because it will help you determine what the
core business processes are from the perspective of management — the people who
are ultimately responsible for the business. Remember that the ultimate audience of
your work product will probably be decision makers with budgetary authority who
have their own “big picture” view of what is important. It is important to understand
this at the outset of the security assessment process.
As a result of this meeting, you should have:
• A good understanding of what management perceives as being the core
business processes of the business.
• Additional information that can be used to refine the question sets developed
in the last phase.
When you do have this meeting with management, you must be fully prepared.
You should have done the proper research and be prepared to ask questions. This
meeting also helps establish (or hurts) your credibility with the company. The person
from management you talk to is probably someone who will be interested in the
final product resulting from the assessment. Making a bad impression with this
individual will create a negative perception, which might impact the assessment long
term — especially if management does not view you and your team as being credible.
Consequently, it is imperative to prepare and be ready for this meeting.
Key topics that should be covered at this meeting include:
• Critical business processes
• Business environment
• Planned changes that may impact security
AU1706_book.fm Page 144 Wednesday, July 28, 2004 11:06 AM