A Practical Guide to Security Assessments
MEET WITH BUSINESS PROCESS OWNERS
Now that you have finalized the question sets, you are ready to meet with the business
process owners (Figure 6.4). These meetings are one of the most important parts of
the security assessment because it is in these meetings where you will learn the
business of the client in detail. Before you begin the meetings, certain steps should
be taken.
Preparation for Meetings
First, the business process owners must be prepared, that is, made aware of the security assessment before you arrive. Until now, you and the team performing the assessment have not met the business process owners. At the kickoff meeting, you met the stakeholders, who were probably managers of the business process owners with whom you will now be working. Even if some of the stakeholders are also business process owners, the security assessment might not be at the forefront for them. For these reasons, you should ensure that your single point of contact at the client personally informs the process owners before you meet with them. The one thing you do not want to hear when you walk into a meeting is, “What are we doing? I don’t know about any security assessment.” If people are not told in advance, this response is very possible, and it creates a problem for two reasons. First, you waste a portion of the meeting time explaining the security assessment, why it is being done, and other details about it. Second, if the people you are interviewing are surprised by the assessment, they might be suspicious of the whole process and, as a result, less than forthcoming with information.
To prevent this from happening, you can do two things. First, you can insist that
your single point of contact inform the interviewees prior to you meeting them to
ensure that they know that you are coming. Second, you can provide the question
set to them in advance of the meeting. This enables business process owners to
prepare for the meeting. In addition, if there are topics that they cannot discuss
effectively, they can bring in the people who can.
Interviews with Process Owners
Once in the meeting, make sure you are prepared and that you run it efficiently. Remember that the people you are talking to are taking time out from their jobs to talk to you. They might be on tight schedules, so make the most of the time you have with them.
To facilitate the conversation, use the question set that you have prepared and, ideally, given to them before the meeting. If you can follow the order of the questions in the question set, do so. More likely than not, the conversation will jump around a little, depending on how the question set is structured. This is fine as long as you stay within the intended topics. If the conversation goes off on a tangent, you will have to make a judgment call as to whether the topic is relevant to the assessment.
Business Process Evaluation
FIGURE 6.4 Meet with business process owners.
[Figure: flow of the steps in this chapter, shown as boxes in order: Identify Business Risks; General review of company and key business processes; Finalize question sets for process reviews; Meet with business process owners (the current step); Analyze information collected and document findings; Status meeting with client.]
One issue for many people during these meetings is taking notes. This may seem trivial, but given the amount of information you are obtaining, documenting it can be a challenge. The challenge is knowing what to document and then organizing the information afterwards so that the proper analysis can be done. People use a variety of methods to make sure everything is captured. You can use a white board and write down key facts as the client states them, so that the client also sees what is being recorded and can confirm that the right information is captured. You can also bring a person to the meeting whose sole job is to act as scribe and make sure the information is being captured. Ensuring that these meetings are properly documented is critical because the information derived from them is the basis of the analysis. Keep in mind that these notes describe the client’s processes, systems, and potential weaknesses, so treat them as client-confidential from the moment they are taken, and erase the white board before you leave the room.
If process owners seem confused when you are asking something or are uncertain
about the relevance of the question, you should explain the relevance. In the question
sets in the appendices of this book, the questions have “Guidance” sections to help
in understanding the relevance of questions.
Potential Pitfalls
When you get into this phase of the security assessment and particularly with the
business process owner meetings, you should be aware of and try to avoid several
potential pitfalls.
One that has already been touched on is an interview going off track. To avoid
this, use the question sets to help you remain focused on the topics relevant to the
assessment. You should stress that in the interest of time, you have to address the
topics in the question set, which the client should have received prior to the meeting.
The question sets will be of great help in this scenario because you can see what
has to be discussed. Without the question sets, there is nothing in writing to help
you focus the conversation.
Another potential pitfall is the uncooperative client. These cases are difficult because you must handle them delicately. Again, the question sets help you at least obtain the listed information. Depending on how the meeting goes, you may or may not get any additional information from these individuals, but you must at least address the items on the questionnaire. If you are not getting the cooperation you need and you have exhausted diplomatic ways of dealing with the situation, you should talk to the single point of contact or, preferably, the executive sponsor. This can be difficult, but keep in mind who the customer is: the executive sponsor. You are accountable to that person. If issues arise that you cannot resolve, escalate them to the executive sponsor, either in a separate conversation or during a status meeting, depending on the severity of the situation.
ANALYZE INFORMATION COLLECTED
AND DOCUMENT FINDINGS
Once your meetings with the business process owners are complete, it is important
to analyze and document what you have learned, particularly the findings (Figure 6.5).
FIGURE 6.5 Analyze information collected and document findings.
[Figure: flow of the steps in this chapter, shown as boxes in order: Identify Business Risks; General review of company and key business processes; Finalize question sets for process reviews; Meet with business process owners; Analyze information collected and document findings (the current step); Status meeting with client.]
Using the raw data collected during your meetings with the client, you must now
perform the analysis to identify security weaknesses. At this point, whatever findings
you have are primarily business process related.
Analyzing the information you collected will take some time. Flowcharting can
be used to help you analyze the information. This method enables you to visualize
the process, along with where in the process the different systems are used; thus, it
will make it easier for you to see where potential issues exist.
When analyzing the data, do it as a team. This is especially important in assessments where a team of people is doing the interviewing, because it facilitates information sharing between the different people conducting the interviews. Information sharing is critical during the analysis because information that someone else collected may help you better understand the business processes. Also, significant integration points probably exist between the various business processes, which makes information sharing even more important.
Keep the data used in the analysis and the basis for any finding you make. You need them to explain the basis of the finding, and when you present a finding, the client may well ask for it.
As you document your findings, you should document them straight into the
final report, which you should have already started. You can gain significant effi-
ciencies by formatting your findings the way they are going to look in the final
report. They will have to be arranged in this format at some point anyway.
Along with the findings, document the associated risk. When documenting risk, do your best to express it in terms of impact to the business. To the extent that you can quantify the risk in terms of revenue or potential costs to the company, do so. To the extent that you have formulated a recommendation, document that as well. Remember that this is an evolving document, so it is not a problem if it is in rough form at this stage. The key is to get your thoughts on paper while they are still fresh.
One of the pitfalls when conducting security assessments is not documenting throughout the process. If you save all of the documentation until the end, you risk leaving information out of the final report. In addition, the more time you spend developing the report during the assessment, the more time you can spend at the end refining it. Conversely, it takes significantly more time to write the report at the end, simply because your thoughts are no longer fresh.
STATUS MEETING WITH CLIENT
One of the topics discussed during the Kickoff Meeting during the first phase of the
security assessment was communications throughout the course of the assessment.
Now is a good time to have a status meeting (Figure 6.6) because you are about to
complete this phase. As you near the end of this phase, you should have a status
meeting with the client to go over a few items including:
Findings
Status based on the project plan
Discussion of critical technologies you plan to test