228 A Practical Guide to Security Assessments
client can easily determine how and what resources will be required to implement them. Ideally, the client should be able to take the list of recommendations and use it as a “security roadmap” for the short and long term. The recommendations along with the risks should be documented in the final report to be discussed with the client.
Discuss draft report with the client. Before sharing the report with the broader audience including senior management, you should review it with the client. This step is beneficial for both you and the client. The client has the opportunity to see the report and be prepared for the final meeting, and the client can provide constructive feedback so you can make any necessary final changes to the report. This step is a win-win situation for all.
Present final report to management. This is the final step of the security assessment, when the results are presented to management. This meeting is critical as it is the culmination of your efforts in conducting the security assessment. This is the main opportunity you have to show the value of the security assessment. To facilitate this meeting, a presentation should be developed in which you discuss the scope, methodology, findings, risks, and recommendations. Because the main audience is management, the meeting should focus on how the findings and risks discovered affect the business. In addition, recommendations should be discussed in terms of how they address risk from a cost-benefit perspective. It is important that management attend this meeting, as their attendance increases the chance that the recommendations made will be considered.