Appendix B
Generic Questionnaire for Meetings with Business Process Owners
This questionnaire is for meetings with business process owners. The questions are
meant to be specific for the processes in which they are involved. These questions
can be supplemented by the additional questionnaires in these Appendices. If you
are meeting with someone who has overall responsibility for a particular area where
there is a separate questionnaire, you should use that specific questionnaire.
BUSINESS PROCESS–RELATED QUESTIONS
1. Significant business processes and supporting technologies
• Describe how the business process works.
• What are the critical roles in the process and are there backups in the event that key individuals are not present?
• What technology supports this business process?
• Who is responsible for managing the supporting technology?
• If the supporting technology was unavailable and this business process could not occur, what are the impacts related to revenue, legal or regulatory concerns, and reputation damage?
• What is the tolerable downtime?
• Are there any manual or other workarounds that can be done while the technology is unavailable? For how long can the workaround be done?
• What critical data is generated as a result of this process and where does it reside?
Guidance:
These questions are to be asked about specific business processes. All of these questions should be answered because you will be working with the client’s subject matter experts who should know this information.
AU1706_book.fm Page 271 Wednesday, July 28, 2004 11:06 AM
A Practical Guide to Security Assessments
Client Response:
2. Integration with other departments.
• Dependencies between departments
• System integration and determination of single points of failure
• Transmission of information
Guidance:
Integration points are important to understand because they often represent points of weakness. At integration points, roles and responsibilities are not always clear, and as a result, key tasks are not performed, and transitions between departments are not always smooth.
Client Response:
3. Past security incidents (questions for each incident).
• What was the nature of the security incident?
• How soon did you become aware of the incident? Did you find out because of a documented process or by accident (e.g., happened to be talking to somebody)?
• What was the reaction?
• What was the impact of the incident?
• What has been done to prevent such incidents from happening in the future?
Guidance:
Past security incidents provide a good glimpse of what vulnerabilities exist and how well equipped the company is to handle security-related incidents. This is especially important when considering risks such as those related to terminations and disgruntled employees.
Client Response:
4. Planned initiatives. Some examples of initiatives that can be asked about include:
• Offering services via the Internet — e.g., e-commerce, content
• Change in location
• Outsourcing processes and/or technology
• Use of Application Service Providers for key business processes
• Deployment of a major application
• Will the company be required to comply with certain laws or regulations in the future (Health Insurance Portability and Accountability Act [HIPAA], Gramm–Leach–Bliley Act [GLBA], etc.)?
Guidance:
Planned initiatives can change the way you look at findings. Both short-term and long-term planned initiatives will have an impact on how you view the risk and what type of recommendation you make. Some findings may not be as serious if the related business process will drastically change or go away in the short term. One aspect to look for is how definite the schedule for an initiative is. Often, planned initiatives are not necessarily set in stone. For this information, it is worth asking management.
Client Response:
5. Other interviewee-specific questions — This is a placeholder for additional questions based on the client’s specific business requirements. Questions can be added here that are specific to the business based on what you have learned about the company so far.
SECURITY-RELATED QUESTIONS
Most of the questions below are covered in more detail in other questionnaires in
the Appendices. The questions here are high level and are meant to elicit some
perspective from business process owners who have limited involvement with these
tasks. This perspective also helps validate whether processes are working as intended.
6. User ID administration: What is your role in users gaining access to
systems — e.g., approval authority?
Guidance:
User ID administration is a process that touches almost everyone in the company. For this reason, it is good to get the perspective of different people in the company to help determine what opportunities exist to improve the user ID administration process.
Client Response:
7. Employee termination.
• What do you do if an employee reporting to you is terminated?
• What are you accountable for?
• Is there a documented process for terminations that you follow?
Guidance:
Terminations represent a significant risk, especially as related
to disgruntled employees. A good termination process requires significant
cooperation from several people in an organization. The answer to these
questions will give you some perspective from those who are involved in
the process but who do not own it.
Client Response:
8. Data retention and classification.
• Are you aware of any policies related to data classification or data retention?
• Are you the “owner” of any data?
• Do you specify retention or classification requirements for data you are responsible for?
Guidance:
Many of the business process owners you interview will be
data owners. You will find that many do not do anything with classifying
data or ensuring that data is retained for the appropriate period of time.
Many data owners think that classification and retention are information
technology (IT) issues, which they are not.
Client Response:
9. Backup and recovery.
• For data that you own, do you specify any backup requirements for that data?
• In the event of a disaster, what data would need to be restored for you to become operational?
• Is that data readily available?
Guidance:
Similar to data retention and classification, backup and recovery is something that is often viewed as an IT issue. This answer will help you determine how backups are done and what opportunities for improvement exist. The response to this question will also tell you how aware process owners are about this topic.
Client Response:
10. Business continuity and disaster recovery.
• Are you aware of any business continuity and disaster recovery plan?
• What is your involvement in it?
Guidance:
Business continuity and disaster recovery touch everyone in
the company and thus, there should be a general awareness of how the
plan (if one exists) works. Business process owners should understand
what to do in the event of a disaster and how they will become operational
in the event of a disaster.
Client Response:
11. Incident handling.
• Do you know what to do in the event of a security incident?
• To whom would you report an incident?
• Are you aware of any documented procedures for incident handling?
Guidance:
Incident handling is another process that touches most people.
Process owners should know to whom to go in the event of a security
incident and what the escalation path is. They should also know about
procedures to ensure that proper forensics can be done.
Client Response:
12. Change management.
• Do you follow a change management process?
• Are you aware of a documented process for change management?
Guidance:
Many people who do not have overall responsibility for change
management can normally initiate the change management process. If the
change management process is not done properly from the outset, there
is a risk that changes will not follow the change management process.
Process owners should understand how change management works, forms
that have to be filled out, etc.
Client Response: