Risk Analysis and Final Presentation
213
can understand what it will take to implement them. The recommendations should
be documented in such a way that each recommendation or group of recommenda-
tions can be identified as separate initiatives, where costs and resources can be
defined. Ideally, the set of recommendations you present in the final report should
be used as a master plan for the company’s information security program.
In the context of the security assessment methodology, developing recommen-
dations is the final step but
something that is happening throughout the assessment
as you identify findings. Some findings you discover may be very clear, and as a
result, the recommendations might also be very clear. In other cases, the findings
might be more complicated, and the recommendation might not be very clear. In
these instances, you might start thinking about some options for recommendations.
In any case, you probably have some idea of what the recommendations are going
to be by the time you get to this phase of the security assessment. Note that in
previous phases, recommendations were to be documented to the extent you formu-
lated them. These preliminary recommendations are important because they lay the
groundwork for refining and finalizing them in the final phase of the assessment.
Developing recommendations is an iterative process when you are conducting
a security assessment because of the way you are gathering information and because
of how the business processes and technology are integrated. During Phases 2
through 4 — Initial Research, Business Process Review, and Technology Review —
information is gathered and findings are discovered. As these findings are discovered,
you will naturally start to think about potential ways to address the given risks. As
you gather more information, the previous recommendations might change because
of new information. This cycle keeps going during the assessment.
For example, you might discover a security weakness related to a firewall and
its configuration. The weakness happens to be related to the firewall rules and how
the firewall is set up incorrectly from an architecture perspective. At first glance, the
recommendations for changes to the rules and architecture might seem straightfor-
ward. Upon meeting with IT management, however, you might learn that there is
going to be a server consolidation, and new software including a new firewall is
going to be purchased in the next six months. If you originally had significant
recommendations regarding the firewall architecture or rule base configuration, this
might change. With this new information, you should inquire about the proposed
changes to the network and specifically the firewall. At this point, it is not appropriate
to spend a lot of time on the current firewall because of the upcoming changes. It
is, however, worth looking at what firewall is going to be purchased and the proposed
changes to the network. The recommendations will now have a slightly different
focus, as they will also reflect the planned changes to the environment.
The iterative process in developing the recommendations helps you sort through
the range of potential solutions and determine the best option. Part of this iterative
process is receiving input from the client during status meetings. During the regular
status meetings with the client, you can discuss recommendations as you develop
them. Client feedback during the assessment is very valuable because it can give
you an indication of what the client is prepared to do or whether there are things
with which the client disagrees. For example, some clients will not deal with certain
vendors, or there might be cultural issues that might make some recommendations
AU1706_book.fm Page 213 Tuesday, August 17, 2004 11:02 AM