Business Process Evaluation
149
When discussing the organization, some of the more specific items you should focus on for the security assessment include:

Ownership of the security function — In any of the best practice standards for information security, one of the key components is accountability and ownership. Some companies have individuals who are officially responsible for the information security function, but in other companies, it is part of someone’s responsibilities. When looking at overall ownership of information security, there are two main things to look for:

What level position does the person responsible for information security report to? — The reporting aspect is important because it will give some indication as to how seriously information security is taken. There is a big difference between a junior staff-level person with security-related responsibilities reporting to a manager-level person in IT and a Chief Information Security Officer (CISO) reporting to the chief information officer (CIO) or some other C-level executive of the company. If security is recognized at the C-level, greater assurance exists that the company is giving security importance. This is not a rule but it does provide a fairly strong indication. Another aspect to consider is how the security organization has evolved. Most CSOs, for example, have not been on the job for very long. In a survey that was reported in CSO Magazine in September 2002, 37 percent of CSOs surveyed had been in that position for less than one year and 25 percent had been on the job for one to two years. In other words, if a CSO who reports to a C-level executive is in place, it could mean that security is something that has recently been recognized as a concern. It could also mean that a security incident occurred that prompted the company to take security more seriously. The bottom line is that you should not only understand who is in charge of security and where that person reports, you should also understand how the structure evolved to its current state.

Security organization — This question is sort of an extension of the previous point and speaks to what someone in charge of security has at his or her disposal. Recall that the security organization is one of the key elements of an effective information security program. Ideally, the person in charge of security should have some people who report to him or her and who can implement and enforce good security practices. One of the things you might see is an organization where there is a person who is responsible for security but has no organization or authority. Such individuals are in a position where they are trying to convince other organizations to implement certain security measures. In companies where there is a strong security culture, this works. Otherwise, this structure is not very effective. During this discussion, you should also gauge management’s attitude about ownership of the security function. Ownership is one of the most critical aspects of an
AU1706_book.fm Page 149 Wednesday, July 28, 2004 11:06 AM
150
A Practical Guide to Security Assessments
information security program, so it is important to understand how management sees the ownership of the security function.

Key roles and responsibilities related to information security — As an extension to the above points regarding the ownership of information security, the next step is to understand the key roles and responsibilities with respect to information security. For the discussion with management, you need to determine whether the necessary building blocks for an information security program are present, as discussed in Chapter 3. The key roles and responsibilities related to each of these elements should be discussed at a high level with management. The seven elements and the associated roles and responsibilities are:

Security strategy — Security management in collaboration with business representatives responsible for developing strategy
Security policies and procedures — Security personnel responsible for working with various groups to update policies as the business changes
Security organization — Security personnel responsible for carrying out tasks related to information security
Executive support — Management responsible for providing support for information security initiatives
Training and awareness — Security and business unit personnel responsible for delivering appropriate training to ensure awareness of the importance of security
Toolsets — Management who have the authority to procure the right tools to automate certain security tasks
Enforcement — Security or audit personnel responsible for enforcing security measures and management providing the appropriate backing

IT organization — The IT organization is a significant component of the overall information security posture of a company. The way in which the IT organization is set up will have implications as you perform the security assessment. In smaller companies, it could be a traditional IT staff with some work being done by consultants. You may even see certain parts of IT or all of IT being outsourced. In larger companies, you may see IT set up like a shared services organization, where one organization services the IT needs for various business units or each business unit has its own IT staff. It might be a combination of the two. A typical scenario for a company is having the management of the overall network as a centralized function and the typical system administration, application development, and other IT functions managed by the specific business units. Both types of environments (centralized and decentralized) have implications relevant for a security assessment. In a decentralized environment, the implications include potentially inconsistent security standards across platforms, inconsistent application of security policies, and a potential lack of ownership of security-related responsibilities at integration points between groups — i.e., each group thinks the other one is responsible for functions such as termination of users or change management. In a centralized environment, the implications include more controlled ownership of security and consistent
security processes related to information technology. For smaller companies, there is often one organization, in which case the issue of centralization versus decentralization does not make much of a difference.
MANAGEMENT CONCERNS REGARDING INFORMATION SECURITY
In most cases, the audience for the security assessment is management. Assuming that they are on board with the security assessment and understand the value of it, they will have certain expectations. They also have some of their own expectations and concerns when it comes to information security in their own environment. These expectations and concerns might be based on security incidents that might have occurred in the past, what they are reading in the trade magazines, regulatory concerns, and other issues. It is in your interest to understand what management’s expectations and security-related concerns are. Although this may not substantively change what is done in the assessment, it does help you ensure that management is satisfied with the final outcome of the assessment because you can set their expectations accordingly. If something in particular concerns them from a security perspective, you can accommodate their concern by addressing it in the assessment or explain to the client that it is not really a concern or that it is not part of the scope. In any case, you have an opportunity to let the client know how you are going to handle their concerns so that they are not surprised in the end.

Remember that the success of the security assessment is partly driven by whether management sees the value in the final deliverable — i.e., the findings, risks, and recommendations. If key members of management feel that their concerns have not been addressed in some way, the value of the final product can be diminished no matter how good it is simply because some member of management was disappointed. Taking the time at the beginning of the assessment to listen to management’s concerns is useful, and what you discover in this way should be kept in the back of your mind during the assessment. This knowledge will give you additional guidance when gathering information and making recommendations.
FINALIZE QUESTION SETS FOR PROCESS REVIEWS
In this step of the assessment (Figure 6.3), you will use your existing knowledge to finalize the question sets in preparation for the meetings with business process owners. At this point in the security assessment, you have had the initial meeting with management and you have a good “big picture” view of the company. Your next meetings will be with business process owners, where you will get into the details of business processes and the key supporting technologies. In preparation for your meetings, the question sets that were begun in the last phase need to be modified to reflect what you have learned about the company. Using the Generic Question Set for business process owners from the last chapter (in Appendix B), you now have to build on that question set based on what you have learned about the company since developing those questions. Finalizing the question sets is really a process of developing specific questions for the people whom you will be interviewing. For example, if you are interviewing someone who has responsibility for facilities, you would add more specific questions related to physical security. Similarly, if you are talking to someone who handles all application service provider (ASP) relationships, you would ask more specific questions related to externally hosted services. If you are meeting with a business process owner who is responsible for an area for which a specific questionnaire is provided in the appendices, use that particular questionnaire in addition to the generic questionnaire.

FIGURE 6.3 Finalize question sets for process reviews. (Process flow shown in the figure: Identify Business Risks; General review of company and key business processes; Finalize question sets for process reviews; Meet with business process owners; Analyze information collected and document findings; Status meeting with client.)
To finalize the question sets, you essentially have to take the generic question set that has been developed and add in the specific questions for the people whom you will interview. These updates may or may not be extensive, depending on how much you learned from your meeting with management and how many additional questions it raised. When you update question sets, you will certainly add questions, but equally important, you will be able to take some questions out because they have been answered or are not applicable. One thing to avoid is asking questions that have already been answered unless there is some value in confirming the answer or hearing another perspective.

The process of updating the question sets can be daunting, considering the amount of information you are learning. You must document the information you learned from the meeting with management and determine what updates are required. Going forward, you should get used to documenting your meetings in a way that is most efficient for you.

As you update the question sets, ask anything you feel is necessary for you to conduct a successful security assessment. On the other hand, keep in mind that you should have a reason for asking your questions. There is a good chance that at some point, the client might say, “Why are you asking me that question?” If you cannot provide a response and tell the client the reason for the question, you will lose credibility with the client. Conversely, being able to clearly explain the reason for a question will enhance your credibility with the client. For the questions in the appendices, note that all questions have a section called “Guidance.” This section articulates why certain questions are asked and why they are relevant for a security assessment. You should have something similar for the questions you develop so you are prepared when questioning the client.

The other value of understanding why you are asking a question is that it can help you frame the question to the customer. If the person being interviewed understands why the question is being asked, the response will probably be more meaningful. The client will also start to see you as an expert and might open up with other information.
The value of the question sets cannot be emphasized enough. Being prepared when talking to the client’s subject matter experts is critical. It represents one of the fundamental concepts of this methodology, which is preparation. A common complaint from customers is that consultants either ask questions that are irrelevant or they are just using a checklist without giving any thought to the particular circumstances of the company. This approach indicates that you have done little preparation and immediately diminishes your credibility. Remember that when a company wants a security assessment done, they are looking for independent expertise. Being prepared, asking the right questions, and demonstrating knowledge about security and the client’s business demonstrate the expertise that clients expect.