A Practical Guide to Security Assessments
function. Below are generic questions that can be used as a starting point in security assessments (these are also included in the appendices):
• What technology are you responsible for and what business process does it support?
With your knowledge of the business, you should have some perspective on how the technology supports the business. However, the IT person will be able to give you a different angle on how it supports the business. In some cases, there might not be a specific business process — e.g., a server that handles authentication into the network does not necessarily support a particular business process — it is providing access so users can do their job. In other cases, the technology owner might be managing an application that supports a mission-critical business process.
• Where does it fit into the overall architecture?
Assuming that a network topology diagram is in place, you should be able to see where the technology fits into the IT environment. This is very helpful because it gives you a visual perspective and highlights the relationships with other parts of the IT environment. The relationships with other parts of the IT environment will likely generate other questions regarding integration points, transmission of information, and other topics.
• What are the key dependencies for the technology you manage?
The key dependencies for any technology are the components that must be functional for the technology in question to work properly. A simple example is business to commerce (B2C). For B2C to be functional, access to the Internet is required.
• What are the security requirements from a security perspective — e.g., confidentiality, integrity, and availability? Are these requirements being met?
From the discussions with the business process owners, you should have a good sense for what these requirements are. The purpose of this question is to determine whether the technology owner is aware of the security requirements and whether those requirements are being met. One thing to look for here is whether the process and technology owners have the same perspective on security. If not, you can delve further into how the different groups communicate with each other.
• How is the technology secured?
This is a follow-up on the previous question. When you are talking about how it is secured, a number of aspects including access controls, physical security, and integrity controls should be included in the discussion. The methods depend on the technology. This question will probably lead to a technical discussion, for which it is important to be prepared to talk at a technical level.
• How is security enforced?
If security is not enforced, its value is diminished significantly. Enforcement efforts can be automated or manual. To the extent that enforcement can be automated, it should be. Other methods of enforcement include periodic reviews and audits.
• Does critical data reside on any system you manage? If so, how is it secured?
From your business process interviews, you should know what