144
A Practical Guide to Security Assessments
This phase is absolutely critical in the security assessment process, as the success
of the rest of the assessment rests on having a good understanding of the business.
In this step of the phase, you will gain a high-level understanding of the business
by meeting with members of the management team. The single point of contact from
the client’s side should set up this meeting at the beginning of this phase with
members of management who can talk about the strategic direction of the business,
organizational structure, and other high-level aspects of the company. It is important
that you meet with management and not someone who is more tactical — i.e.,
someone who is in more of a day-to-day operational role. Management can offer
insight, particularly about the organization, strategic direction, and a “big picture”
view of the company. This first meeting is important because it will set the tone for
the rest of the security assessment.
Because of the nature of this meeting — e.g., “big picture” view, strategic
direction, you should talk to management because they can best provide this type
of information. One of the potential problems that you may run into is that your
point of contact in the company might not have someone from management for this
meeting because of a lack of access to management or a failure to see the necessity
of involving management. Either reason is a problem and if that happens, you should
insist on speaking with the right people or talk to the executive sponsor for the
project. This meeting is important because it will help you determine what the
core business processes are from the perspective of management — the people who
are ultimately responsible for the business. Remember that the ultimate audience of
your work product will probably be decision makers with budgetary authority who
have their own “big picture” view of what is important. It is important to understand
this at the outset of the security assessment process.
As a result of this meeting, you should have:
•A good understanding of what management perceives as being the core
business processes of the business.
• Additional information that can be used to refine the question sets devel-
oped in the last phase
When you do have this meeting with management, you must be fully prepared.
You should have done the proper research and be prepared to ask questions. This
meeting also helps establish (or hurts) your credibility with the company. The person
from management you talk to is probably someone who will be interested in the
final product resulting from the assessment. Making a bad impression with this
individual will create a negative perception, which might impact the assessment long
term — especially if management does not view you and your team as being credible.
Consequently, it is imperative to prepare and be ready for this meeting.
Key topics that should be covered at this meeting include:
• Critical business processes
• Business environment
• Planned changes that may impact security
AU1706_book.fm Page 144 Wednesday, July 28, 2004 11:06 AM
Business Process Evaluation
145
•Organizational structure
– Placement of the security function
– IT organization
• Management’s concerns related to information security
Each of these is discussed in detail in the next sections.
C
RITICAL
B
USINESS
P
ROCESSES
The first thing you should discuss with management is basically what the business
does to earn money and how they do it. You need to understand what goods and
services they sell and how they are produced and delivered. You also want to know
what the key dependencies are, which can include certain suppliers, certain individ-
uals, etc. To illustrate this point, review the example below:
E
XAMPLE
Consider a manufacturing company that produces and sells products through certain
distributors. This particular company makes money by manufacturing and selling a
few different products. For this company, the manufacturing process is a critical process,
which looks something like the one in Figure 6.2.
The figure is a very simple illustration of a typical manufacturing process that outlines
the key steps at a high level. This technique of flowcharting is an effective way of
documenting processes and is something you should consider if you have flowcharting
tools such as Microsoft Visio.
Based on the information above, we can ascertain the following:
• Manufacturing, order processing, and billing and collections are core operations
of the company.
• Integrity of inventory information is important because it is used to determine
what the company needs from the raw material supplier.
• The physical security of the manufacturing plant where the goods are manufac-
tured is important.
• Good internal controls should be in place for the process of shipping product to
the third-party packaging company to ensure that all product sent was received.
• Critical systems include:
– Accounting systems that record inventory (raw material and final product)
– Finance and accounting systems
– Systems that support the shipping process
The example above is a fairly simplistic example in which we identify core
business processes and critical systems. This information is at a high level, but it is
enough so that we can go to the next level when we talk to the business process and
technology owners and get into the nuts and bolts of how this is all done. Besides
this process, you might find out about other processes as a result of your discussion
with management.
AU1706_book.fm Page 145 Wednesday, July 28, 2004 11:06 AM
146
A Practical Guide to Security Assessments
FIGURE 6.2
Manufacturing process.
Receive raw
material from
supplier
Materials are
processed at
the plant
Product is
produced
Product is
shipped to a
third party for
packaging
T
hird party
sends
p
ackaged
p
roduct
Product is
ready to send
to distributor
AU1706_book.fm Page 146 Wednesday, July 28, 2004 11:06 AM
Business Process Evaluation
147
One thing to stress here is that you are talking to management, and it is not
appropriate to try to talk about detailed processes, as they will probably not be
conversant with them. Note that in smaller and mid-size companies, this might not
be the case. In smaller companies, you might be able to talk about details. This will
require that you adjust the methodology and potentially combine some steps.
At the end of this discussion, you want to come away with an understanding of
what business processes are important to the company — i.e., what does management
consider mission critical to their business. This understanding will guide the rest of
the security assessment. The information security program for the company must
minimize any security risks to these business processes and ensure that they can be
performed in a secure manner. In other words, the information security program
must be aligned to ensure that mission-critical business processes and data are
adequately secured.
B
USINESS
E
NVIRONMENT
The business environment includes the company and the environment in which it
operates. The company’s environment includes various aspects such as the industry,
competition, geography, and regulations to which the company is subject. The
security implications associated with these aspects should be considered in an
assessment. One characteristic of the environmental forces a company is facing is
that the company has no control over them. This is important to understand because
security risks associated with these environmental forces normally must be addressed.
Companies have a certain amount of latitude in how much they do to address these
security implications, but they must address them.
Two of the most prevalent forces from a business environment perspective are:
•
Regulatory requirements
— Laws such as the Health Insurance Portability
and Accountability Act (HIPAA), the Gramm–Leach–Bliley Act (GLBA),
and the Sarbanes–Oxley Act have forced companies to address informa-
tion security. Companies have the opportunity to interpret the requirements
for their own businesses but they must be compliant.
•
Industry
— One example is e-commerce, where an increasing number of
companies have some type of security certification. As a result, some
e-commerce vendors are now feeling the pressure to have a similar cer-
tification because they either have not really addressed security or they
want to have a certification to provide confidence to consumers who shop
at their site.
The best way to approach this topic with the client is to ask open-ended questions
based on the research you have done. You should leverage any knowledge gained
from reviewing trade journals, the Internet, and other sources to ask these questions.
AU1706_book.fm Page 147 Wednesday, July 28, 2004 11:06 AM
148
A Practical Guide to Security Assessments
P
LANNED
C
HANGES
T
HAT
M
AY
I
MPACT
S
ECURITY
Planned changes or initiatives in a company can impact the results of a security
assessment. Planned changes are significant events coming up for the company that
will potentially have some sort of a security impact. Planned changes vary and can
include:
•
Merger or acquisition
— If one has taken place, how will the different
businesses be integrated? If a merger or acquisition is pending or has
already occurred, what are the plans for integration? The information you
receive on this topic may be limited because of confidentiality issues.
•
New technology implementation
— Major new technology initiatives —
e.g., new remote access methods using clientless virtual private networks
(VPNs) — will certainly impact the security posture of a company.
•
Location changes
— The company might be expanding into new locations
or consolidating locations.
•
Outsourcing —
To save money, more companies are turning to outsourcing
activities, including certain business processes and the management of
parts of their IT organization. If this is in process, all kinds of security
issues exist related to how the company’s data will be secured and how
information security activities are integrated into the outsourcing service.
The examples listed above are not an all-inclusive list, but they can be used to
spark discussions with clients. The examples are also sensitive areas, some of which
might still be in the initial discussion phases, so it is very possible that clients will
not divulge this type of information. However, you should go through this process
and see what information emerges.
Planned changes are brought up in this meeting because management will likely
have a better sense of them. Although some things will be confidential and thus not
divulged, management probably has a wealth of other information that would be
useful for the security assessment. One key message that management should receive
is that as these initiatives are planned, information security should be considered,
particularly with changes in technology. You can provide significant added value by
demonstrating how these planned initiatives impact the security posture of the
company and why it is important to consider security early in the process.
O
RGANIZATION
S
TRUCTURE
The high-level organization structure was discussed in the initial questionnaire with
the client. If those questions were answered, this discussion is merely to confirm
the results of the questionnaire and drill down a little deeper, if necessary, to gain
further information regarding the organization structure. The organization structure
is important in a security assessment because it deals with people’s roles and
responsibilities. This leads to ownership and accountability, which is a fundamental
concept in information security. Unclear roles and responsibilities and a lack of
ownership and accountability of tasks lend themselves to an insecure environment.
AU1706_book.fm Page 148 Wednesday, July 28, 2004 11:06 AM
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.