7 Technology Evaluation
The evaluation of the technology environment is the last part of the information-
gathering phase. The approach for the review of the technology environment is the
same as that for the business process. It starts with looking at the technology in
place from a “big picture” perspective and then drilling down and examining the
critical technologies in more detail. By this point in the methodology,
you should know what the critical technologies are from the interviews in the
last phase and the business process analysis.
At this point, most or all of the business process–related interviews should have
occurred. Per the methodology espoused in this book, it is critical that the business
process discussions happen before the technology discussions take place. The reality
is that schedules do not always go as planned, though, and as a result, some of the
activities from the business process analysis phase will probably carry over into the
technology review phase. This will usually happen to accommodate schedules of
the participants in the security assessment. As long as the number of business process
interviews not yet completed is small, you can proceed with the technology
evaluation. However, some technical reviews will have to wait until the outstanding
meetings from the last phase are completed. You must be flexible in how you
approach the security assessment.
The purpose of this phase is to evaluate the technology environment and assess
how secure it is based on the business processes it supports. Not all components in
the technology environment have to meet the same standard. Components that
support mission-critical business processes will clearly have higher standards to
meet. You will know the appropriate level of security based on what you learned
during interviews with business process owners. For example, if a mission-critical
application requires Internet connectivity, the security of the connection to the
Internet will be considered critical. Conversely, a server that is used to provide remote
access to users in an environment where the vast majority of workers do not work
remotely will not be very important from an availability perspective, but you might
look at who has administrative rights on the machine. It all depends on the business
process that the technology is supporting and the potential impact to the business in
the event of a security incident.
In evaluating the technology environment, you should be looking for security
measures that are commensurate with the degree of risk and the criticality of the
technology. Although we want to err on the side of conservatism by having more
security than required, you should try to ensure that the level of security is
“appropriate” — neither too little nor too much. This idea of an “appropriate” level of
security ties into the concept of risk analysis and employing security measures that
are cost effective. In the next chapter, we will discuss the concept of “risk score,”
which will delve deeper into risk analysis.
AU1706_book.fm Page 165 Tuesday, August 17, 2004 11:02 AM