A Practical Guide to Security Assessments
Using the raw data collected during your meetings with the client, you must now perform the analysis to identify security weaknesses. At this point, whatever findings you have are primarily business process related.

Analyzing the information you collected will take some time. Flowcharting can help you analyze the information: it enables you to visualize the process, along with where in the process the different systems are used, which makes it easier to see where potential issues exist.

When analyzing the data, you should do it as a team. This is especially important in assessments where a team of people is doing the interviewing, because it facilitates information sharing between the different people conducting the assessment. Information sharing is critical during the analysis because information that someone else collected may help you better understand the business processes. Also, significant integration points probably exist between the various business processes, which increases the importance of information sharing.

Keep the data used in the analysis and the basis of any findings you make. You need them to explain the basis of each finding, and when you present a finding, the client might ask for its basis.

As you document your findings, document them straight into the final report, which you should have already started. You can gain significant efficiencies by formatting your findings the way they are going to look in the final report; they will have to be arranged in this format at some point anyway.

Along with the findings, you should also document the associated risk. When documenting risk, do your best to express it in terms of impact to the business. To the extent that you can quantify the risk in terms of revenue or potential costs to the company, you should do so. To the extent that you have formulated a recommendation, you should document that as well. Remember that this is an evolving document, so it is not a problem if it is in rough format at this stage. The key is to have your thoughts on paper while they are still fresh.

One of the pitfalls when conducting security assessments is not documenting throughout the process. If you save all of the documentation until the end, you risk leaving information out of the final report. In addition, the more time you spend developing the report during the assessment process, the more time you can spend at the end refining the report. Conversely, it can take significantly more time to document the report at the end simply because your thoughts are no longer fresh.
STATUS MEETING WITH CLIENT
One of the topics discussed at the Kickoff Meeting in the first phase of the security assessment was communication throughout the course of the assessment. Now is a good time to have a status meeting (Figure 6.6) because you are about to complete this phase. As you near the end of this phase, you should have a status meeting with the client to go over a few items, including:
• Findings
• Status based on the project plan
• Discussion of critical technologies you plan to test