because some questions are there only for information gathering purposes and there is no clear risk. In these cases, risks are marked “not applicable.”
• Client Response — The Client Response section is a blank area where answers can be documented during client meetings. The idea is that consultants can meet with clients, go through the questionnaires, and document responses as clients provide them. As stated in the methodology, properly documenting the information you gather in meetings is important so you can perform the risk analysis.
These questionnaires are part of an iterative process when learning about the business and performing the security assessment. The responses from these checklists should be used to develop the comprehensive list of findings, risks, and recommendations, i.e., the security roadmap.
COMMON QUESTIONS IN QUESTIONNAIRES
Most of the questionnaires have some common features, which are discussed below. Four key topics addressed in most checklists include:
• Policy — One of the key points in this book is that the foundation of an information security program is policies. Policies establish the basic direction of an information security program and provide a basis for assessing and measuring an organization from a security perspective. Policies also establish a basis for enforcing good security practices. When conducting a security assessment, policies can be used as the basis for evaluating the company’s information security posture. Consequently, a standard question in most checklists is whether a formal policy exists related to the topic being discussed.
• Procedure — Procedures provide detailed step-by-step information on how a process is performed; they are important because:
  – Documented procedures can be used as a basis for evaluating security practices during a security assessment.
  – Documented procedures provide a basis to enforce good security practices.
  – If procedures are documented and kept up to date, there is less dependency on specific people in the organization. If there is turnover, another qualified person can do the same work by following the procedures, which is important from a security perspective.
• Scope — A scope-related question should be asked to determine how important and extensive a given process is. This question helps in determining how deeply you have to delve into this process, which in turn helps you refine the scope of the assessment. One of the important aspects of this security assessment methodology is to look at the business and related security from a risk perspective — i.e., security should be commensurate with the associated risk and criticality of a process. The scope-related
AU1706_book.fm Page 257 Wednesday, July 28, 2004 11:06 AM