266
A Practical Guide to Security Assessments
18. Describe your remote access environment.
• How many remote access users do you have?
• What percentage are home users and how many travel?
• How are the users obtaining remote access — e.g., virtual private network (VPN), dial-up
• What resources are users accessing remotely?
• Do third parties remotely access your systems?
• What technology is being used for remote access?
• Are there any planned changes for remote access?
Guidance:
The workforce is becoming more mobile than ever. Telecommuting is becoming very common, as employees work from home, allowing companies to save money and have some flexibility in their hiring practices. Employees are traveling and remotely accessing internal network resources to do their jobs. Understanding the nature of these other connections and what they are accessing remotely can help scope some of the technical parts of the security assessment. Security concerns related to remote access include:
• Availability — Availability is a major issue because some employees, such as telecommuters, might be totally dependent on remote access to do their jobs.
• Access Control — Similar to access control in a regular network environment, users’ access should be limited to what they need to do their jobs.
At this stage, you may not receive answers to all of the remote access questions, as some of them are a little detailed.
Client Response:
19. Do you have any business-to-business (B2B) partner arrangements?
Guidance:
B2B arrangements pose a whole new set of security risks because other companies are accessing the company’s systems. Ensuring that business partners can only access what they need access to is a challenge that requires cooperation between both the client and the business partner. The technology and processes must be in place to ensure the confidentiality and integrity of information and the availability of the B2B connection. If the client is engaged in B2B activities, a separate, more detailed evaluation should be done that reviews the nature of the relationship, supporting IT infrastructure, applications, and any other aspects of the IT environment. There is a separate questionnaire for B2B activities later in Appendix K.
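The guidance for questions 18 and 19 makes the same access-control point twice: remote employees and B2B partners should reach only what their job requires. The following script is an added example (not from the book or its questionnaire) of how an assessor can turn the client's answers into a scoping summary and a least-privilege check. The inventory, the role-to-resource policy (`ROLE_NEEDS`) and every name in it are constructed for illustration; a real review would populate them from the VPN concentrator, directory groups and partner contracts.

```python
"""Remote-access entitlement review used to scope an assessment (constructed example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RemotePrincipal:
    name: str
    kind: str            # "home", "traveler" or "third_party" (question 18 / 19)
    method: str          # access technology in use, e.g. "vpn" or "dial-up"
    role: str            # job role used to look up what the principal needs
    granted: frozenset   # resources the principal can actually reach remotely


# Constructed policy: the resources each role needs to do its job.
ROLE_NEEDS = {
    "sales": frozenset({"crm", "email"}),
    "finance": frozenset({"erp", "email"}),
    "partner-logistics": frozenset({"order-api"}),
    "vendor-support": frozenset({"ticketing"}),
}

# Constructed inventory standing in for the client's answers; all names are made up.
INVENTORY = [
    RemotePrincipal("alice", "home", "vpn", "sales", frozenset({"crm", "email"})),
    RemotePrincipal("bob", "traveler", "vpn", "finance",
                    frozenset({"erp", "email", "file-server"})),
    RemotePrincipal("carol", "home", "dial-up", "sales", frozenset({"crm", "email"})),
    RemotePrincipal("acme-logistics", "third_party", "vpn", "partner-logistics",
                    frozenset({"order-api", "erp"})),
    RemotePrincipal("vendor-x", "third_party", "vpn", "vendor-support",
                    frozenset({"ticketing"})),
]


def scoping_summary(inventory):
    """Answer the counting questions: how many users, what mix, which methods, which resources."""
    kinds = Counter(p.kind for p in inventory)
    methods = Counter(p.method for p in inventory)
    total = len(inventory)
    return {
        "total": total,
        "by_kind": dict(kinds),
        "pct_home": round(100 * kinds["home"] / total, 1) if total else 0.0,
        "methods": dict(methods),
        "resources_reached": sorted({r for p in inventory for r in p.granted}),
        "third_parties": sorted(p.name for p in inventory if p.kind == "third_party"),
    }


def excess_access(inventory, role_needs):
    """Least-privilege check: list resources granted beyond what the principal's role needs."""
    findings = []
    for p in inventory:
        needed = role_needs.get(p.role, frozenset())
        extra = p.granted - needed
        if extra:
            findings.append({
                "principal": p.name,
                "kind": p.kind,
                "excess": sorted(extra),
                # Unneeded partner access is the B2B concern raised in question 19.
                "severity": "high" if p.kind == "third_party" else "medium",
            })
    return findings


if __name__ == "__main__":
    summary = scoping_summary(INVENTORY)
    print(f"{summary['total']} remote principals, {summary['pct_home']}% home users")
    print("methods in use:", summary["methods"])
    print("third parties with remote access:", summary["third_parties"])
    for f in excess_access(INVENTORY, ROLE_NEEDS):
        print(f"[{f['severity']}] {f['principal']} ({f['kind']}) can also reach {f['excess']}")
```

The summary feeds the scoping decision (how much of the assessment must cover VPN, dial-up and partner connections), while the excess-access findings give the assessor concrete entitlements to discuss with the client; a third party reaching a resource outside its contracted need is rated higher because the cooperation the guidance mentions is needed to fix it.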
AU1706_book.fm Page 266 Wednesday, July 28, 2004 11:06 AM