162 A Practical Guide to Security Assessments
EXECUTIVE SUMMARY
Business process review is the third phase in the security assessment methodology. It is also the first phase in which significant interaction with the client occurs. In this phase, the focus is to gain a good understanding of critical business processes at a fairly detailed level. Another result of this phase is determining the key technology dependencies, which will be reviewed in the next phase.

The key steps in this phase are:

• Generally review the company and key business processes — The purpose of this step is to learn about the company, what it does, and how it does it. In this step, you are trying to identify the mission-critical business processes and their technology dependencies. In addition, you should learn about the strategic direction of the company and whether any changes are planned that may have an impact on the existing information security program. This is important, as it will affect the recommendations. To obtain this information, it is essential that you meet with someone from management who has a good “big picture” view of the company and the direction in which it is heading.

• Finalize question sets for process reviews — The question sets that are used to facilitate the meetings with business process owners should have been started during the previous phase, initial information gathering, based on initial research about the company. During this phase, after you identify the critical business processes and gain other strategy-related information about the company, you should modify your question sets as necessary to reflect the new information learned. These modifications can include addition, deletion, or modification of questions.

• Meet with business process owners — Using the question sets developed, meetings with business process owners should take place next. In these meetings, business processes and related security implications are discussed. An effective technique to capture process-related information is to create a flowchart. Some of the items you should capture in these meetings are the criticality of the business processes, critical data and how it is stored, access control, and tolerable downtime — i.e., how long the client could withstand not being able to perform a given business process. You should also determine what the technology dependencies are and whether any workarounds exist if the technology is not available.

• Analyze information collected and document findings — With the data collected from the business process owners, the next step is to analyze the data and determine whether you have any findings. The findings should be documented, along with the associated risk and the recommendation (if one has been formulated), straight into the report template that was developed in the previous phases. Documenting this way is efficient and leaves more time for reviewing and refining the findings and recommendations.
AU1706_book.fm Page 162 Wednesday, July 28, 2004 11:06 AM