Risk Analysis and Final Presentation 223
FIGURE 8.4 Discuss draft report with client. (Phase flowchart, Risk Analysis and Final Presentation: Risk analysis & Risk Score calculation; Finalize wording for findings and risks; Develop recommendations and prepare draft report; Discuss draft report with client; Present final report to management.)
AU1706_book.fm Page 223 Tuesday, August 17, 2004 11:02 AM
224 A Practical Guide to Security Assessments
client just has to do a final review of the content in the report and ask any questions
to clarify points made in the report.
This preliminary view of the report is also a professional courtesy that should
be given to the client. The core group you worked with to conduct the assessment
will be the ones questioned when the broader audience, which includes senior
management and key stakeholders, reviews the final set of findings and recommen-
dations. The last thing you want is for your key client contacts to be blindsided by
the content in the report.
This meeting is beneficial to both you and the client. From your perspective,
the feedback provided by the client can be invaluable. Some of the benefits and
feedback the client can provide include:
Supplemental information — Information about the recommendations and their
feasibility (some of this should already have been gathered during the assessment),
e.g., whether something has been tried before, or other factors of which you may
have been unaware.
Report expectations — The executives who authorized the security assess-
ment probably have some expectations regarding the type of information
they expect to see in the final report. Your client contacts can provide
some insight into this. Note, however, that this feedback should not sub-
stantively change the content of your report; only the structure should be
affected.
Buy-in — During the kickoff meeting, one of the things you discussed
was the security assessment methodology, and one of the steps was to
have certain client personnel review the draft deliverable before it went
to the broader audience. The fact that the report has been reviewed and
essentially approved by client personnel creates a level of buy-in from
executives.
During this final status meeting, it is essential that you maintain your independence.
The client’s expectation is that you will remain independent; that is one of the reasons
to have a separate group perform the security assessment. Ideally, this meeting should
have few surprises, as the client should have seen much of what is in the report.
After this review, you should make the final changes to the report. Once that is
complete, it is ready for the final step, which is to present it to the client.
PRESENT FINAL REPORT TO MANAGEMENT
Once the final report is complete, you should present it to the broader audience,
which includes senior management, the executive sponsor of the assessment, and
other key individuals (Figure 8.5). It is important to have these key people in the
room, as they will ultimately be the ones approving any security initiatives resulting
from the assessment.
FIGURE 8.5 Present final report to management. (Phase flowchart, Risk Analysis and Final Presentation: Risk analysis & Risk Score calculation; Finalize wording for findings and risks; Develop recommendations and prepare draft report; Discuss draft report with client; Present final report to management.)

When presenting the final report, it is a good idea to do a formal presentation
using PowerPoint or similar software rather than go through the report. Because the
report can be very long, it is not worth spending the time to go over the actual
document. It is best to pick out the key points from the report and discuss them with
the group. The key points that should be covered include:
Scope
Methodology
Findings, risks, and recommendations
The bulk of the time should be spent discussing the findings, risks, and recom-
mendations; this is really what the client is interested in. The reason for going over
the scope and methodology is to make sure that everyone is on the same page
regarding what was covered in the assessment and how the results were obtained.
Because there is a time lapse between the kickoff meeting and the final presentation,
it is worth clarifying the scope and methodology for the group.
If you focus on discussion of the findings, risks, and recommendations, client
management will have a good sense for the “security roadmap” and the opportunity
to ask any questions regarding it. It is important for client management to understand
the nature of the findings, the risks facing the organization, and the remedies pro-
posed to address the risks because client management will ultimately make the
decisions about what initiatives to pursue.
When developing the presentation for client management, specifically the find-
ings, risks, and recommendations, focus on how they impact the business. Remember
that the audience might not fully understand the technical nuances of security and
they probably do not care to. They are interested in what risks the company faces
from a business perspective.
In delivering the presentation, you should be prepared to answer detailed ques-
tions about the findings and risks and specifically on the cost-benefit analysis related
to the recommendations. You should be prepared to answer the question “So what?”
when discussing a finding. The final presentation is absolutely critical in the security
assessment process. As stated several times in this book, when clients purchase
security assessment services, they are purchasing expertise. The final report docu-
ment and the presentation to the client are your main opportunities to show your
value.
POTENTIAL CONCERNS DURING THIS PHASE
As with the last two phases of the security assessment, there are some potential
concerns during this phase that you should look out for, including the following:
Links between findings, risks, and recommendations are not clear. This is
something that might happen when you lose focus and the discussions
related to findings, risks, and recommendations go off on tangents. The
way to ensure that there is a clear link between findings and risks and
recommendations is to take a step back and put yourself in the client’s
shoes and see if it makes sense. You can also have someone else not
connected with the security assessment review the report as if he or she
were the client to see if it makes sense. Although the client will review
it from this perspective before the report is finalized, it is worth going
through this exercise on your own before showing the report to the client
in the discussion of the draft deliverable.
Revenue and expense numbers used in risk analysis are not accurate.
Quantifying risks can make a very compelling argument. However, verify
the numbers you are using, and make sure they are right. The client should
validate these numbers before they make it to the report. Using the wrong
numbers can create a very embarrassing situation and possibly change the
way you view a risk.
Key management is not present at final presentation. You should do what you
can to ensure that key management attends the final presentation. Having them there adds
significant credibility to the assessment process and helps ensure that the
recommendations made will be considered. It also provides management
with the opportunity to ask questions about the results of the assessment.
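The first two concerns above (unclear links between findings, risks, and recommendations; unvalidated revenue and expense figures) and the risk score described in the chapter summary (business impact, likelihood, and mitigating controls combined into a high/medium/low rating) can be checked mechanically before the draft goes to the client. The following Python risk register is an added example, not code from the book: the scoring scheme (impact times likelihood, discounted by the effectiveness of existing controls), the 1-5 scales, the high/medium/low thresholds, and the sample findings are all assumptions chosen for illustration.

```python
"""Risk register checks for the Risk Analysis and Final Presentation phase.

Added example, not from the book. The scoring scheme, the 1-5 scales, the
rating thresholds and the sample data are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Finding:
    id: str
    description: str
    mitigating_controls: list[str] = field(default_factory=list)


@dataclass
class Risk:
    id: str
    finding_id: str
    business_impact: int            # assumed scale: 1 (negligible) .. 5 (severe)
    likelihood: int                 # assumed scale: 1 (rare) .. 5 (almost certain)
    control_effectiveness: float    # 0.0 (no mitigation) .. 1.0 (fully mitigated)
    annual_loss_estimate: Optional[float] = None   # quantified impact, if any
    loss_estimate_validated: bool = False          # client has confirmed the figure


@dataclass
class Recommendation:
    id: str
    risk_ids: list[str]
    estimated_cost: float


def risk_score(risk: Risk) -> float:
    """Assumed scheme: impact x likelihood, reduced by existing controls (0..25)."""
    for value in (risk.business_impact, risk.likelihood):
        if not 1 <= value <= 5:
            raise ValueError("impact and likelihood must be on a 1-5 scale")
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return risk.business_impact * risk.likelihood * (1.0 - risk.control_effectiveness)


def classify(score: float) -> str:
    """Map a 0..25 score to High/Medium/Low; the thresholds are assumptions."""
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def ranked_risks(risks: list[Risk]) -> list[tuple[str, float, str]]:
    """Risks ordered highest score first, for the findings section of the deck."""
    rows = [(r.id, risk_score(r), classify(risk_score(r))) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def traceability_issues(findings, risks, recommendations) -> list[str]:
    """Flag the phase's potential concerns: findings without a risk, risks without
    a recommendation, dangling references, unvalidated loss figures, and
    recommendations whose cost exceeds the loss they address."""
    issues = []
    finding_ids = {f.id for f in findings}
    risk_ids = {r.id for r in risks}
    covered_findings = {r.finding_id for r in risks}
    covered_risks = {rid for rec in recommendations for rid in rec.risk_ids}
    for r in risks:
        if r.finding_id not in finding_ids:
            issues.append(f"{r.id} references unknown finding {r.finding_id}")
        if r.annual_loss_estimate is not None and not r.loss_estimate_validated:
            issues.append(f"{r.id}: loss estimate not validated by client")
    for rec in recommendations:
        for rid in rec.risk_ids:
            if rid not in risk_ids:
                issues.append(f"{rec.id} references unknown risk {rid}")
        addressed = [r for r in risks
                     if r.id in rec.risk_ids and r.annual_loss_estimate is not None]
        if addressed and rec.estimated_cost > sum(r.annual_loss_estimate for r in addressed):
            issues.append(f"{rec.id}: cost exceeds the estimated annual loss it addresses")
    for f in findings:
        if f.id not in covered_findings:
            issues.append(f"{f.id} has no associated risk")
    for r in risks:
        if r.id not in covered_risks:
            issues.append(f"{r.id} has no recommendation")
    return issues


# Constructed sample register (hypothetical data, not from any real assessment).
FINDINGS = [
    Finding("F1", "Remote access VPN accepts password-only authentication"),
    Finding("F2", "Backup tapes stored on site, unencrypted",
            mitigating_controls=["Badge-controlled tape room", "Quarterly restore tests"]),
    Finding("F3", "No formal patch management process"),
]
RISKS = [
    Risk("R1", "F1", business_impact=5, likelihood=4, control_effectiveness=0.0,
         annual_loss_estimate=250_000.0, loss_estimate_validated=True),
    Risk("R2", "F2", business_impact=4, likelihood=2, control_effectiveness=0.5,
         annual_loss_estimate=80_000.0),   # figure not yet confirmed by the client
    # F3 deliberately has no documented risk, to exercise the traceability check.
]
RECOMMENDATIONS = [
    Recommendation("REC1", ["R1"], estimated_cost=40_000.0),
    # R2 deliberately has no recommendation.
]

if __name__ == "__main__":
    for rid, score, rating in ranked_risks(RISKS):
        print(f"{rid}: score={score:.1f} rating={rating}")
    for issue in traceability_issues(FINDINGS, RISKS, RECOMMENDATIONS):
        print("CONCERN:", issue)
```

Run against the sample register, R1 scores 20 (High) and R2 scores 4 (Low, because half of its exposure is already mitigated), and the traceability check reports three concerns: R2's loss figure is unvalidated, F3 has no risk written up against it, and R2 has no recommendation. Each of those is exactly the kind of gap the client will notice in the draft review, so it is cheaper to find them on your own first.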
EXECUTIVE SUMMARY
The Risk Analysis and Final Presentation is the final phase of the security assessment.
This is also the phase where much of the analysis is done as it relates to determining
risks and recommendations. The key steps in this phase include the following:
Complete risk analysis and risk score calculation. Risks must be clearly
documented and expressed in terms of potential impacts to the business
as they relate to findings that have been discovered. To the extent that
risks can be quantified, they should be. Some of the typical quantifications
include impact on revenue, as well as costs related to remediation in the
event of a security incident. In addition, it is also worth considering the
intangible risks such as reputation damage and loss of customers. The
risk score is an attempt to make the assessment of a risk more objective by
combining several otherwise subjective factors: the potential business impact of
the risk, the likelihood of a security incident, and the security measures already
in place to mitigate it. The risk score is eventually used to classify
a finding as a high, medium, or low risk.
Finalize findings and risks. It is important to ensure that the wordings of
the findings and risks are appropriate. The wording must be clear and
concise so it clearly articulates the findings and associated risks. The
findings should not only include the vulnerability but also any controls
that the client has in place that mitigate the risk. As for risks, they must
be stated in terms of impact to the business. If the impact can be quantified,
it should be done, as that provides the most compelling argument.
Develop recommendations and prepare draft report. Recommendations
are the “security roadmap” resulting from the security assessment. It is
critical that recommendations specifically address the related risks in a
cost-effective manner. Recommendations should be worded so that the