Business Process Evaluation
159
FIGURE 6.6 Status meeting with client. (Flowchart of the steps in this phase: Identify Business Risks; General review of company and key business processes; Finalize question sets for process reviews; Meet with business process owners; Analyze information collected and document findings; Status meeting with client.)
AU1706_book.fm Page 159 Wednesday, July 28, 2004 11:06 AM
160
A Practical Guide to Security Assessments
FINDINGS
Discussing the findings at this stage is important for two reasons:
Clients have the opportunity to provide feedback — Although you may think you have a valid issue, you might not have considered all of the facts, or there might be some mitigating controls related to a finding of which you were not aware. The status meeting provides the client an opportunity to respond to the issue and provide you with additional information that might be relevant. In the following example, the client was able to provide feedback indicating that the risk related to a finding was lower than anticipated.
Example:
You may cite a critical finding because there is no real process for ensuring that terminated employees’ access is removed. You might not have considered the fact that user access lists are reviewed every two weeks, allowing the customer to find out which terminated employees still have access. With this mitigating control, the risk is reduced.
Clients are not surprised when they see the final report — When management reviews reports, there is usually a focus on security weaknesses,
which is reasonable because the purpose of the security assessment is to
discover weaknesses in the security posture of the company. The client
should not be surprised by these findings for two reasons. First, it makes
business process owners uncomfortable because they might not know how
to answer questions posed by management regarding the security weaknesses identified. Second, the client may point out something that you did
not catch, and the finding either has to change or be taken out altogether.
Either situation is not good for any of the parties involved.
STATUS BASED ON PROJECT PLAN
You should now use the project plan you developed to track where you are relative
to the original timing. This is also the time to discuss any scheduling issues you
might be having. It is good for the client to see progress or lack thereof. Tracking
against the project plan is especially critical because you are very dependent on the
client to coordinate all of the meetings and facilitate the process from a client
perspective. If things are not going as planned, there should be clear accountability
for it. Project plans help establish that accountability.
DISCUSSION OF CRITICAL TECHNOLOGIES
One of the outcomes of this phase of the security assessment is to finalize what
critical technologies you plan to test during the next phase of the assessment. It is
useful to discuss these technologies with your point of contact so the required
scheduling can begin. Depending on the testing, there might be a potential for
disrupting service, or you might need certain people to be with you while you do
the testing. The client can begin making these arrangements to help ensure that the
technology evaluation phase of the security assessment is done in an efficient manner.
Depending on the size and complexity of the organization, scheduling the resources
from a systems perspective can be challenging. This is especially true because you
will be reviewing systems that are critical to the business.
Having a security assessment status meeting at the end of this phase is critical.
However, the first phase may have taken a couple of weeks. If that is the case, you
should have a quick status meeting with the client at least on a weekly basis to
discuss findings and determine how progress is going according to the project plan.
If you go too long without giving status information to the client, you risk not
meeting the expectations of the client.
POTENTIAL CONCERNS DURING THIS PHASE
Concerns that you should be aware of as you progress through this phase include:
Lack of cooperation from the client business process owners — Business
process owners may not be forthcoming with information for several
reasons. First, they may not have been forewarned about the security
assessment, so they may be caught off guard. In this case, you should
inform your point of contact, so that this person can educate the business
process owners about why the security assessment is being done. Another
reason is that the security assessment might not be a welcome process for
people in the company. Again, in this case, you should ask your point of
contact or the executive sponsor to educate client personnel.
Your findings do not reflect accurate information — If you document a
finding and do not discuss it with the client early in the process through
a status meeting or some other means, the client will not have the opportunity to let you know about any facts you might have missed. The remedy
for this issue is communication with the client. If you have an important
finding, you need not wait for the status meetings.
The client feels that you are not well informed about the company or the
assessment — This is an issue of credibility that you may have with the
client. One of the reasons is a lack of research about the company, which
is the second phase of the security assessment methodology. In talking
with the business process owners, you should already have a good idea
about the company and thus, you should not be asking general questions
that have been covered. Another reason this issue with the client might
occur is a lack of communication among the team performing the security
assessment. It is possible that someone else from the team already asked
the information you are asking about. Consequently, communication
within the team is important, just as communication with the client is.
EXECUTIVE SUMMARY
Business process review is the third phase in the security assessment methodology.
It is also the first time when significant interaction with the client occurs. In this
phase, the focus is to gain a good understanding of critical business processes at a
fairly detailed level. Another result of this phase is determining the key technology
dependencies, which will be reviewed in the next phase.
The key steps in this phase are:
Generally review the company and key business processes — The purpose
of this step is to learn about the company, what it does, and how it does
it. In this step, you are trying to identify the mission-critical business
processes and their technology dependencies. In addition, you should also
learn about the strategic direction of the company and whether any
changes are planned that may have an impact on the existing information
security program. This is important, as it will affect the recommendations.
To obtain this information, it is essential that you meet with someone
from management who has a good “big picture” of the company and the
direction in which it is heading.
Finalize question sets for process reviews — The question sets that are
used to facilitate the meetings with business process owners should have
been started during the last phase, initial information gathering, based on
initial research about the company. During this phase, after you identify
the critical business processes and gain other strategy-related information
about the company, you should modify your question sets as necessary
to reflect the new information learned. These modifications can include
addition, deletion, or modification of questions.
Meet with business process owners — Using the question sets developed,
meetings with business process owners should take place next. In these
meetings, business processes and related security implications are discussed. An effective technique to capture process-related information is
to create a flowchart. Some of the items you should capture out of these
meetings are the criticality of the business processes, critical data and
how it is stored, access control, and tolerable downtime — i.e., how long
the client could withstand not being able to perform a given business
process. You should also be determining what the technology dependencies are and whether any workarounds exist if the technology is not
available.
Analyze information collected and document findings — With the data
collected from the business process owners, the next step is to analyze the
data and determine whether you have any findings. The findings should
be documented along with the associated risk and the recommendation (if
one has been formulated) straight into the report template that was developed in the previous phases. Documenting this way is efficient and leaves
more time for reviewing and refining the findings and recommendations.
Hold a status meeting with the client — The final step in this phase is to
have a status meeting with the client to communicate the findings and
discuss the project status based on the project plan. Status meetings are
important because they give the client a chance to provide feedback on
findings that have been discovered and to ensure that you are meeting the
client’s expectations regarding the security assessment. Status meetings
should be held as often as necessary, or at least once a week so that the
client is aware of what is happening with the assessment. In some cases,
you might even have informal meetings with the client to go over project
status or a significant finding. The key is to always make sure the client
is well informed.