Appendix A
269
Client Response:
24. Are there any programs that promote security awareness? Are new
employees provided with any orientation to make them familiar with
security policies? Are there any security awareness campaigns?
Guidance:
Security policies are more likely to be followed if they are properly communicated so employees are aware of them and understand them. In companies where employees are not aware of company security policies, awareness programs are critical in educating employees and creating a culture where information security is an integral part of the business.
Client Response:
25. Does someone own the responsibility of updating security policies as the business changes? If so, how are the changes communicated?
Guidance:
As business changes, so do the risks. Many of these changes could warrant changes to the security policy. When discussing this question, look for whether both business and IT representatives jointly make and approve changes to the policy and whether the cost of implementing a security policy is considered. Having both business and IT personnel involved helps ensure that any changes to policies are feasible from both the technology and the process perspectives. In addition, this collaboration also helps ensure that new security measures are cost effective and aligned with the business requirements.
Client Response:
26. Describe your security architecture.
Firewall
Intrusion detection/prevention
Anti-virus
Other security architecture — e.g., proxy servers, vulnerability management
Guidance:
The security architecture is a key component in determining the security posture of a company. The items above are only a few examples of the more traditional security technologies in use today. There may be others depending on the client’s IT infrastructure. The security architecture can be reviewed from a number of different angles. First, are the security architecture and the technologies appropriate for the environment? Does the architecture require any redesign to provide better security? Second, are the security technologies in place configured according to company security policies and business requirements? The answer to this question will provide the required preliminary information about the security architecture to help in planning the Technology Review phase of the assessment.
AU1706_book.fm Page 269 Wednesday, July 28, 2004 11:06 AM
270
A Practical Guide to Security Assessments
Client Response:
27. What security-related logs are enabled — e.g., system-specific logs, firewall logs — and are they reviewed on a regular basis?
Guidance:
Regular log review is an indication that the client takes a proactive approach to security, which is positive. Log review requires manpower, and you may find that companies do not review logs unless something happens, and then the review is after the fact. Some companies use tools that parse the log data and provide reports of events that might require follow-up. The answer to this question will provide information on what logs are enabled, which will help in planning the detailed technology review in the Technology Review phase of the assessment. It will also provide some indication of how the client views security, i.e., whether they are proactive or reactive and what type of resources are devoted to security.
Client Response:
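As an added illustration of the kind of log-parsing tool the guidance above mentions (example code, not from the book), the following Python script reads a few constructed firewall log lines in an assumed simple format, tallies allow/deny events, skips lines it cannot parse, and flags source addresses with repeated denies for follow-up by the reviewer.

```python
import re
from collections import Counter

# Constructed firewall log lines in an assumed format; not data from the book.
SAMPLE_LOG = """\
2004-07-28T11:06:01 fw1 ALLOW TCP 10.0.0.5:51234 -> 192.0.2.10:443
2004-07-28T11:06:02 fw1 DENY TCP 198.51.100.7:40001 -> 192.0.2.10:22
2004-07-28T11:06:03 fw1 DENY TCP 198.51.100.7:40002 -> 192.0.2.10:23
2004-07-28T11:06:04 fw1 DENY TCP 198.51.100.7:40003 -> 192.0.2.10:3389
2004-07-28T11:06:05 fw1 DENY UDP 203.0.113.9:5353 -> 192.0.2.11:53
2004-07-28T11:06:06 fw1 ALLOW TCP 10.0.0.6:51300 -> 192.0.2.10:443
this line is garbage and must not crash the parser
"""

# One record per line: timestamp host ACTION PROTO src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text, deny_threshold=3):
    """Count events per action and denies per source; sources whose DENY count
    reaches deny_threshold are listed as items needing reviewer follow-up."""
    actions = Counter()
    denies_by_src = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # malformed lines are counted, never silently dropped
            continue
        actions[rec["action"]] += 1
        if rec["action"] == "DENY":
            denies_by_src[rec["src"]] += 1
    follow_up = sorted(s for s, n in denies_by_src.items() if n >= deny_threshold)
    return {"actions": dict(actions), "denies_by_src": dict(denies_by_src),
            "follow_up": follow_up, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"Events by action: {report['actions']}  unparsed: {report['unparsed']}")
    for src in report["follow_up"]:
        print(f"FOLLOW UP: {src} denied {report['denies_by_src'][src]} times")
```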