Business Process Evaluation
153
would add more specific questions related to physical security. Similarly, if you are talking to someone who handles all application service provider (ASP) relationships, you would ask more specific questions related to externally hosted services. If you are meeting with a business process owner who is responsible for an area for which a specific questionnaire is provided in the appendices, use that particular questionnaire in addition to the generic questionnaire.
To finalize the question sets, you essentially have to take the generic question set that has been developed and add in the specific questions for the people whom you will interview. These updates may or may not be extensive, depending on how much you learned from your meeting with management and how many additional questions it raised. When you update question sets, you will certainly add questions, but equally important, you will be able to take some questions out because they have been answered or are not applicable. One thing to avoid is asking questions that have already been answered unless there is some value in confirming the answer or hearing another perspective.
The process of updating the question sets can be daunting, considering the amount of information you are learning. You must document the information you learned from the meeting with management and determine what updates are required. Going forward, you should get used to documenting your meetings in a way that is most efficient for you.
As you update the question sets, ask anything you feel is necessary for you to conduct a successful security assessment. On the other hand, keep in mind that you should have a reason for asking your questions. There is a good chance that at some point, the client might say, “Why are you asking me that question?” If you cannot provide a response and tell the client the reason for the question, you will lose credibility with the client. Conversely, being able to clearly explain the reason for a question will enhance your credibility with the client. For the questions in the appendices, note that all questions have a section called “Guidance.” This section articulates why certain questions are asked and why they are relevant for a security assessment. You should have something similar for the questions you develop so you are prepared when questioning the client.
The other value of understanding why you are asking a question is that it can help you frame the question to the customer. If the person being interviewed understands why the question is being asked, the response will probably be more meaningful. The client will also start to see you as an expert and might open up with other information.
The value of the question sets cannot be emphasized enough. Being prepared when talking to the client’s subject matter experts is critical. It represents one of the fundamental concepts of this methodology, which is preparation. A common complaint from customers is that consultants either ask questions that are irrelevant or they are just using a checklist without giving any thought to the particular circumstances of the company. This approach indicates that you have done little preparation and immediately diminishes your credibility. Remember that when a company wants a security assessment done, they are looking for independent expertise. Being prepared, asking the right questions, and demonstrating knowledge about security and the client’s business demonstrate the expertise that clients expect.
AU1706_book.fm Page 153 Wednesday, July 28, 2004 11:06 AM