Appendix A
Preliminary Checklist
to Gather Information
This checklist is a preliminary questionnaire designed to obtain general information
about a company’s operations, organizations, and supporting technologies. This
questionnaire can be discussed with a company at the beginning of onsite work or
it can be given to clients prior to beginning the face-to-face meetings. If the appropriate members of management and subject matter experts complete the questionnaire, it can provide some excellent information in preparation for meetings with
the client during the security assessment. If someone in the client’s organization has
the time to comprehensively read the questions and answer them, it can be of great
assistance. If the client is not able to complete this questionnaire, it can be used at
the beginning of the assessment to gather information.
The value of this preliminary questionnaire is that it provides a basic understanding
of the key business processes and supporting technologies. It is in line with the
overall security assessment methodology, which starts with understanding the business and then assessing the security posture based on the risks identified. The answers
to this questionnaire along with other preliminary research are enough to prepare
for face-to-face meetings with the client.
This questionnaire is a template that should be modified based on any information you might already have about the client. There may be additional questions as
a result of research from the Internet, and other questions might not be appropriate
based on this same research. The more the questionnaire is tailored to the client, the
more valuable it will be.
Note that this questionnaire does not have any risks identified. This is because
most of these will be covered in greater detail in later checklists and because the
purpose of this questionnaire is to gain initial information regarding the company’s
operations and supporting technologies.
General Business Information
1. What are the business drivers for the security assessment and what are
you expecting from it?
Guidance:
This is very important in setting the tone of the assessment and
understanding the expectations of the client. The business drivers for a security assessment can vary. Some typical examples of business drivers include:
AU1706_book.fm Page 259 Wednesday, July 28, 2004 11:06 AM
260
A Practical Guide to Security Assessments
•There was an audit recommendation to do a security assessment.
•There was a security incident and management decided to take a more
comprehensive look at security.
•Although a security incident has not taken place, management wants
to be proactive and address security concerns before something happens.
•A potential business partner might require a security assessment before
working with the company.
•Laws (such as the Health Insurance Portability and Accountability Act
[HIPAA] or the Gramm–Leach–Bliley Act [GLBA]) might require a
security assessment.
Each of the business drivers above will make the focus of the security
assessment a little different, and this information will allow you to better
tailor your questions in meetings with the client.
Client Response:
2. Describe what the company does.
Guidance:
This should be a high-level description of what the company
does — e.g., does it manufacture and sell a product, or is it a services-based
company. This question is meant to serve as a starting point for further discussion about the critical operations of the company.
Client Response:
3. What are your mission-critical operations and what are the supporting
technologies?
Guidance:
The mission-critical operations will be a point of focus for the
assessment, and that will be discussed in Phase 3 — Business Process
Review. Depending on the time that is allotted for the security assessment,
knowing the mission-critical operations will help in prioritizing the tasks
of the security assessment. The technologies supporting the mission-critical operations will help determine where the effort will be focused in
Phase 4 — Technology Review.
Client Response:
4. Describe any future business initiatives that may be impacted by technology (e.g., increasing number of employees, adding locations, introducing
a new service or product).
Guidance:
This question should provide information about the direction
of the company from a business perspective. The future plans may provide
some additional areas to review, which might result in recommendations
from the security planning perspective. This is of tremendous value to a
customer as security is often overlooked in the planning phase of a technology-related project.
Client Response:
5. Do you have any regulatory requirements that govern your business and
if so, what steps have been taken to achieve compliance?
Guidance:
With the amount of security-related legislation, there is a
chance that the company is subject to regulatory requirements. Some of the
more common information security–related regulations are HIPAA and
GLBA. If you already know that the company is subject to a law or regu-
lation, questions can be tailored accordingly.
Client Response:
6. Have you had any security incidents? If not, how do you know?
Guidance:
This is listed in Question 1 as a potential driver for a security
assessment. A security incident will be an eye-opener for companies and
might drive them to do a security assessment. If there was an incident, it
gives an indication of management’s tolerance for risk and an area of vulnerability. The company’s reaction to the incident gives an idea of how
management views security. If the client answers that there was no incident,
they might talk about mechanisms they have in place to detect incidents.
In many cases, however, the answer is that they do not really know if they
have had a security incident because they have no way of knowing — i.e.,
they do not have the appropriate software or security monitoring procedures in place.
Client Response:
7. What security issues are you concerned with (e.g., confidentiality of
information, availability of systems, integrity of data, compromise of sensitive information)? What is your expectation for the security assessment?
Guidance:
The security issues in the eye of the client give an idea of what
concerns them from a security perspective. These concerns will probably
have some bearing on what they expect from the security assessment. In
performing the security assessment, this information also allows you to
manage the expectations of the client. In addition, the client may communicate some areas of concern related to security that you may not have
known about thus far.
Client Response:
ORGANIZATIONAL INFORMATION
The organizational information questions allow you to gain a sense of the size and
structure of the organization and how it potentially impacts security. This questionnaire reviews the organization and roles and responsibilities at a high level. As the
business processes are discussed in greater detail in the specific questionnaires,
specific roles and responsibilities will be discussed.
8. How many employees do you have? Break down into business units and
locations if information is available.
Guidance:
The size of the organization has impact on several security
areas such as user ID administration, as well as security administration and
awareness. Based on how the users are divided into business units, this
information can start to provide some indication of how the company is set
up organizationally and a high-level understanding of where people are deployed in the organization. This information will be useful when you start
planning whom to interview.
Client Response:
9. Can you provide a high-level view of the organizational structure?
Guidance:
The organizational structure provides the foundation of the
roles and responsibilities of the company. One of the key areas to look for
is where information technology (IT) and the security function sit in the
organization and whether they are centralized or decentralized. Each of
these scenarios has different implications from a security perspective.
Depending on where IT and security fit into the organization, different
questions might be appropriate regarding roles and responsibilities.
Client Response:
10. What are the high-level roles and responsibilities in the IT staff?
Guidance:
The high-level roles and responsibilities will give you an
understanding of whether there is ownership of key IT functions. The
response to this question will also give you some guidance about whom to
interview in the assessment from an IT perspective. This question might
also spark discussion about ownership of the security function.
Client Response:
11. Who is responsible for information security?
Guidance:
Where responsibility for information security resides is important information for the security assessment. Potential answers range from
having a separate dedicated function with its own budget to where security
is a part of the system administrator’s job responsibility. Based on this
question, the client should provide names of key people to talk to during
the assessment. You should also gain some insight about how seriously security is taken at the company.
Client Response:
12. Is there an IT audit function that examines information security?
Guidance:
The audit department is important because it is an independent
function reviewing the operations of a company. Because of the detailed
review of processes that an audit group performs, they are an excellent
source of information about a company. As part of the overall audit group,
the IT audit function is a good source of information about the security risks
the company is facing and what security measures have been implemented