165
7 Technology Evaluation
The evaluation of the technology environment is the last part of the information-gathering phase. The approach for the review of the technology environment is the same as that for the business process. It starts with looking at the technology in place from a “big picture” perspective and then drilling down and examining the critical technologies in more detail. At this point in the methodology, you should already know which technologies are critical, based on the interviews in the last phase and the business process analysis.
At this point, most or all of the business process–related interviews should have occurred. Per the methodology espoused in this book, it is critical that the business process discussions happen before the technology discussions take place. The reality is that schedules do not always go as planned, though, and as a result, some of the activities from the business process analysis phase will probably carry over into the technology review phase. This will usually happen to accommodate the schedules of the participants in the security assessment. As long as the number of business process interviews not yet completed is small, you can proceed with the technology evaluation. However, some technical reviews will have to wait until the outstanding meetings from the last phase are completed. You must therefore be flexible in how you approach the security assessment.
The purpose of this phase is to evaluate the technology environment and assess how secure it is based on the business processes it supports. Not all components in the technology environment have to meet the same standard. Components that support mission-critical business processes will clearly have higher standards to meet. You will know the appropriate level of security based on what you learned during interviews with business process owners. For example, if a mission-critical application requires Internet connectivity, the security of the connection to the Internet will be considered critical. Conversely, a server that is used to provide remote access to users in an environment where the vast majority of workers do not work remotely will not be very important from an availability perspective, but you might still look at who has administrative rights on the machine. It all depends on the business process that the technology is supporting and the potential impact to the business in the event of a security incident.
In evaluating the technology environment, you should be looking for security measures that are commensurate with the degree of risk and the criticality of the technology. Although we want to err on the side of conservatism by having more security than required, you should try to ensure that the level of security is “appropriate” — neither too little nor too much. This idea of an “appropriate” level of security ties into the concept of risk analysis and employing security measures that are cost effective. In the next chapter, we will discuss the concept of “risk score,” which will delve deeper into risk analysis.
AU1706_book.fm Page 165 Tuesday, August 17, 2004 11:02 AM
166
A Practical Guide to Security Assessments
The reason for bringing this up at this stage is to help frame your thinking as
you start to assess the technology. When reviewing the various security measures,
think along the lines of how the technology supports the critical business processes
and protects critical data and whether the level of security is appropriate.
We will now discuss the specific steps of this phase, which include the following:
• General review of technology and related documentation
• Finalizing question sets for technology reviews
• Meeting with technology owners and conducting detailed testing
• Analysis of information collected and documentation of findings
• Status meeting with client
Note that the steps in this phase are similar to the business process review. The
similarities include starting with a general review, drilling down into specifics,
analysis, and communication with the client. This approach of starting general and
then conducting detailed reviews in specific risk areas provides the opportunity to
get the “big picture” as well as a detailed look into critical areas.
The next sections discuss each step of this phase in detail.
GENERAL REVIEW OF TECHNOLOGY AND RELATED DOCUMENTATION
The first step in this phase is to conduct a general review of the technology the company is using and what the company’s plans are for future changes in technology (Figure 7.1). This step has two components:
• Receiving an overview of technology from someone who has a management role in information technology (IT)
• Reviewing any technology documentation
One problem you might run into is that there might not be any IT people who are considered management. This is especially true in small companies where there might be a very small number of users. In these small companies, the office administrator might be the person who is charged with IT. Even in these cases, it is good to get this individual’s perspective on technology, its current use, and what the plans are for the future.
As you speak to IT management, you will find that you know some of the information already from speaking with the business process owners. It is still worth going over this information again for two reasons. First, IT management might give you some general information that the business process owners did not give. For example, IT management might have insight into certain technology selections and why they were made. This is good background information in helping you understand how the different technologies are supposed to support the business. The second reason is that it allows you to determine whether IT management and the business process owners are on the same page as it relates to technology. If business process owners and IT management do not have a common understanding about technology, this is a potential finding that you should discuss with the client because it could indicate a disconnect between IT and the business process owners.
FIGURE 7.1 General review of technology and related documentation. (Flowchart of the Evaluate Technology Environment phase: General review of technology and related documentation; Develop question sets for technology reviews; Meet with technology owners and conduct hands-on testing; Analyze information collected and document findings; Status meeting with client.)
To make the most of your time with the technology owners, you should first review some key technology-related documentation that the client might have. You should request the following documentation and review what is given:
• Network topology diagram — The topology diagram is the first thing you should review because it will give you a good overview of what the technology environment looks like. You should be able to look at this diagram and see how it relates to the business — i.e., how the technology is supporting the business. Reviewing the network topology might uncover potential single points of failure or raise other questions about the environment that you can ask the technology owners when you interview them.
• Copies of configurations, logs, and other operational documents — These are miscellaneous documents that you can review to look at what kind of activity is going on. Some of these logs may include security and event logs from servers, intrusion detection logs, or other operational documents. You may find that some of this review is more appropriately performed online. If you do decide to review this information online, make sure the client knows and provides limited access for you to perform your job.
• Recent audit reports — Some companies have had previous security audits performed, or some clients might have some level of security review based on their financial audits. If any recent audit reports exist that provide any information about the company’s security posture, it is good to have them as they might provide you with information about security issues that the company might have had.
When asking for documentation, such as the items listed above, remember that it
is confidential information. You must ensure that you are treating the documents
appropriately.
Once you have reviewed this documentation, you are in a position to have a
meeting with IT management. As stated before, it is very important to speak with
someone in a managerial capacity who can give you the “big-picture” view of the
technology environment and show you how everything fits together and how it has
evolved to what it is today. This information should be especially meaningful now
that you have learned about the business in some detail. Note: You might have gone
over some of this information during the Initial Information Gathering phase when
you went over the questionnaire with the client. Some of this information is worth
going over again with IT management.
The topics that you should discuss during your meeting with IT management include:
• Describe how the network and the general IT environment are set up.
 – Discuss the network topology diagram.
 – Gain a historical perspective as to how the environment evolved to where it is today.
• Describe what security architecture is in place.
 – Are there security technologies such as firewalls, intrusion detection systems, or other devices in place?
 – Who administers these devices?
• Describe any security-related procedures that are in place.
 – Examples of security-related procedures include log review and change management.
• Where does the critical data reside?
 – Based on your meetings from the last phase, you should be able to identify what data is critical and have IT management tell you where it resides. You might know this already; even if that is the case, it is worth confirming.
 – What security measures are in place to protect the critical data?
 – How is access to this data controlled?
• Where do the critical applications reside?
 – Based on your meetings, you should be able to identify the critical applications and have the client tell you where they reside.
 – How is access control for the applications handled?
• Describe the high-level roles and responsibilities within IT.
 – Is there ownership for key systems?
 – Who owns security from an IT perspective — e.g., duties such as log review, ensuring that servers have the appropriate security settings, anti-virus administration?
 – Who owns the responsibility for the information security program (if one exists)?
 – Does someone in the company have the ultimate responsibility for security?
• What are your key vendor relationships?
 – Determine who the key vendors are and how those relationships are managed. This is important because of the technical and other support a vendor can offer.
 – Does someone own the responsibility of managing the key vendor relationships?
 – What warranties and service contracts do you have in place with key vendors?
• Where does the security function fit into the IT organization?
 – Are there any positions dedicated to security?
 – Is security incorporated into people’s job responsibilities?
• Have there been any security incidents? What mechanisms do you have in place to detect security incidents?
 – How was the incident handled?
 – Is there a documented incident handling process?
 – What measures were put in place to prevent similar incidents from happening again?