Appendices
Security Questionnaires and Checklists
In performing security assessments, questionnaires are very helpful to facilitate the
information gathering process. The questionnaires in these appendices provide key
questions related to common security-related processes to help you determine where
potential vulnerabilities might exist. The questionnaires should not be interpreted as
a complete list of questions because every company is different and there might be
different aspects that are not necessarily covered here. The questionnaires include
questions based on best practice standards such as the ISO 17799, industry best
practices, and past experience.
The purpose of these checklists is to provide guidance for security practitioners
and help in facilitating conversations and meetings with clients when performing a
security assessment. Because these questionnaires are meant for a broad range of
companies, they are generic in nature and should be considered a starting point when
developing question sets for clients. These checklists will not only provide relevant
information for the security assessment, but also spark conversation about other
business processes, other initiatives, and security issues that are relevant to the
assessment. They should be tailored for a given company based on the company’s
specific business processes.
The final questionnaires used in the assessment should be tailored for a company
as much as possible. These generic questionnaires should not be blindly used before
they are adequately modified to reflect the client’s business. Security consultants
should do their homework on a client. When modifying these questionnaires, irrel-
evant questions should be taken out and other questions should be added as deemed
appropriate based on the client’s business practices. Credibility is lost if the client
AU1706_book.fm Page 255 Wednesday, July 28, 2004 11:06 AM
256
A Practical Guide to Security Assessments
is asked questions that should obviously not be asked — i.e., if the consultant had
done the proper research, the consultant would already know that the question is
irrelevant.
QUESTIONNAIRE STRUCTURE
The questionnaires are essentially divided into two areas: Introduction and Ques-
tions. The Introduction provides some basic information about the subject of the
questionnaires and why it is important from a security perspective. The Introduction
provides basic information for you to familiarize yourself with the topic and educate
the client as necessary.
The next section contains the questions. In the majority of the questionnaires,
the questions contain four parts:
Question —
The questions should be used to spark discussion with clients.
In many cases, the questions are intentionally open ended with the goal
of generating discussions with clients about their business. These ques-
tions will lead to other questions relevant to the security assessment and
also help keep the discussion focused on security. As you listen to the
client responses, other discussion topics will be generated and new ques-
tions will be developed. These questions should be explored to the extent
that they are relevant for the security assessment.
Guidance —
The Guidance section provides specific information about a
given question. This information is useful in understanding the question
and why it is important. The guidance can be used in conjunction with
your existing knowledge of the company to provide an answer when the
client asks, “Why are you asking this question?” It is critical to understand
the Guidance sections and ensure that you can explain a question’s rele-
vance to clients. Not being able to explain why you are asking something
hurts your credibility. The client should not feel as though you are reading
from a questionnaire without understanding what is being asked.
Risk —
The risk is the impact to the company if there is a potential finding
related to a particular question. The risk is the potential consequences of
“what if” scenarios related to the question — e.g., what is the impact to
the business if I cannot recover data within 24 hours or what is the impact
to the business if the company’s e-commerce Web site is defaced?
Although findings are important, clients are ultimately interested in risk
i.e., “How is the finding going to affect my business?” The risk is impor-
tant to understand when answering this question and when the client says
“So what?” when a finding is presented. Part of the methodology outlined
in this book is to determine the risk and calculate a risk score. The risks
outlined in the questionnaires will help you go through the thought process
of determining risk and calculating the risk score. The risks in the ques-
tionnaires are generic in nature and will need to be modified based on the
client’s business. Note that risks are not documented for all questions
because some questions are there only for information gathering purposes
and there is no clear risk. In these cases, risks are marked “not applicable.”
Client Response —
The Client Response section is a blank area where
answers can be documented during client meetings. The idea is that
consultants can meet with clients, go through the questionnaires, and
document responses as clients provide them. As stated in the methodology,
properly documenting the information you gather in meetings is important
so you can perform the risk analysis.
These questionnaires are part of an iterative process when learning about the
business and performing the security assessment. The responses from these check-
lists should be used to develop the comprehensive list of findings, risks, and recom-
mendations, i.e., the security roadmap.
COMMON QUESTIONS IN QUESTIONNAIRES
Most of the questionnaires have some common features, which are discussed below.
Four key topics addressed in most checklists include:
Policy —
One of the key points in this book is that the foundation of an
information security program is policies. Policies establish the basic direc-
tion of an information security program and provide a basis for assessing
and measuring an organization from a security perspective. Policies also
establish a basis for enforcing good security practices. When conducting
a security assessment, policies can be used as the basis for evaluating the
company’s information security posture. Consequently, a standard ques-
tion in most checklists is whether a formal policy exists related to the
topic being discussed.
Procedure —
Procedures provide detailed step-by-step information on
how a process is performed; they are important because:
Documented procedures can be used as a basis for evaluating security
practices during a security assessment.
Documented procedures provide a basis to enforce good security prac-
tices.
If procedures are documented and kept up to date, there is less depen-
dency on specific people in the organization. If there is turnover,
another qualified person can do the same work by following the pro-
cedures, which is important from a security perspective.
Scope —
A scope-related question should be asked to determine how
important and extensive a given process is. This question helps in deter-
mining how much you have to delve into this process, which in turn helps
you refine the scope of the assessment. One of the important aspects of
this security assessment methodology is to look at the business and related
security from a risk perspective — i.e., security should be commensurate
with the associated risk and criticality of a process. The scope-related
question should provide some sense of the criticality and associated secu-
rity risk related to the process.
Past security incidents —
Past security incidents are important because
they represent a vulnerability that was exploited. All aspects of past
security incidents including the vulnerability that was exploited, what the
impact was to the business, how the incident was handled, and what steps
were taken to fix the vulnerability should be discussed, as they can impact
the findings of the security assessment. Past security incidents provide
insight into how the business can be impacted and how the company
would potentially react to future security incidents. In addition, whether
or not the company addressed the security vulnerability that was exploited
can give an indication of the company’s general attitude about security.
Other parts of the checklists include questions specific to the subject matter and
are organized into logical groupings as appropriate. It is critical to understand that
these checklists are starting points
and that before using them, they should be
modified based on knowledge of the specific business practices of the company
being assessed.
There are two exceptions to the checklist format discussed above — the Initial
Questionnaire and the Health Insurance Portability and Accountability Act (HIPAA)
Security Questionnaire. The main difference in the format of these two question-
naires is that the questions do not have associated “risks” identified. The Initial
Questionnaire assumes minimal knowledge about the company for which the secu-
rity assessment is being performed and is for information gathering purposes and
thus, no risks were identified. The information from this questionnaire helps in
further refining the scope and in determining where to focus the effort in the
assessment. The questions in the HIPAA Security Questionnaire follow the HIPAA
security regulations directly from the Federal Register. Risks are not identified in
this questionnaire because the focus of the checklist is determining compliance with
the law.