Appendix A
Preliminary Checklist
to Gather Information
This checklist is a preliminary questionnaire designed to obtain general information about a company’s operations, organizations, and supporting technologies. This questionnaire can be discussed with a company at the beginning of onsite work or it can be given to clients prior to beginning the face-to-face meetings. If the appropriate members of management and subject matter experts complete the questionnaire, it can provide some excellent information in preparation for meetings with the client during the security assessment. If someone in the client’s organization has the time to comprehensively read the questions and answer them, it can be of great assistance. If the client is not able to complete this questionnaire, it can be used at the beginning of the assessment to gather information.
The value of this preliminary questionnaire is that it provides a basic understanding of the key business processes and supporting technologies. It is in line with the overall security assessment methodology, which starts with understanding the business and then assessing the security posture based on the risks identified. The answers to this questionnaire, along with other preliminary research, are enough to prepare for face-to-face meetings with the client.
This questionnaire is a template that should be modified based on any information you might already have about the client. There may be additional questions as a result of research from the Internet, and other questions might not be appropriate based on this same research. The more the questionnaire is tailored to the client, the more valuable it will be.
Note that this questionnaire does not have any risks identified. This is because most of these will be covered in greater detail in later checklists and because the purpose of this questionnaire is to gain initial information regarding the company’s operations and supporting technologies.
General Business Information
1. What are the business drivers for the security assessment and what are you expecting from it?
Guidance:
This is very important in setting the tone of the assessment and understanding the expectations of the client. The business drivers for a security assessment can vary. Some typical examples of business drivers include: