278
A Practical Guide to Security Assessments
Client Response:
3. What are the key dependencies for the technology you manage?
Guidance:
The key dependencies of a technology are the components
that must be functional for the technology in question to work properly. A
simple example is a business-to-consumer (B2C) e-commerce site: for it to
function, Internet connectivity is required. Knowing the dependencies is
important when considering the availability requirements for a given
technology, because a system can be no more available than the components it
relies on.
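The availability point above lends itself to a worked check. The following Python is an added example and not material from the book: it models a constructed B2C dependency chain (the component names, edges and availability figures are made up for illustration) and computes which components must be up, which services an outage takes down, and whether the availability target the business process owner stated is achievable when every dependency is hard and failures are independent.

```python
"""Dependency mapping for availability analysis (added example, not from the book).

Assumptions: the component names, dependency edges and per-component
availability figures below are constructed; every dependency is treated as
hard (serial), and component failures are treated as independent.
"""
from math import prod

# Constructed sample graph: key depends on each component in its list.
DEPENDENCIES = {
    "b2c_storefront": ["web_tier", "internet_uplink"],
    "web_tier": ["app_tier", "tls_certificate"],
    "app_tier": ["order_db", "identity_provider"],
    "identity_provider": ["order_db"],   # shared dependency, must be counted once
    "internet_uplink": ["isp_circuit"],
    "order_db": [],
    "tls_certificate": [],
    "isp_circuit": [],
}

# Constructed: fraction of time each component is up on its own (e.g. its SLA).
AVAILABILITY = {
    "b2c_storefront": 0.9995,
    "web_tier": 0.9990,
    "app_tier": 0.9990,
    "identity_provider": 0.9950,
    "internet_uplink": 0.9999,
    "isp_circuit": 0.9950,
    "order_db": 0.9995,
    "tls_certificate": 0.99999,
}

HOURS_PER_YEAR = 8760


def required_components(graph, target):
    """Every component that must be up for `target` to work: the transitive
    closure of its dependencies, with the target itself included."""
    needed, stack = set(), [target]
    while stack:
        node = stack.pop()
        if node in needed:
            continue
        needed.add(node)
        stack.extend(graph.get(node, []))
    return needed


def serial_availability(graph, avail, target):
    """Availability of `target` when all required components must be up and
    fail independently: the product of their availabilities. Because the
    closure is a set, a shared dependency (order_db) is multiplied in once."""
    return prod(avail[c] for c in required_components(graph, target))


def impacted_services(graph, down):
    """Nodes that stop working if the components in `down` are unavailable."""
    down = set(down)
    return sorted(n for n in graph if required_components(graph, n) & down)


def weakest_links(graph, avail, target, n=2):
    """The n required components with the lowest standalone availability:
    the first places to look when the target's requirement is not met."""
    needed = required_components(graph, target)
    return sorted(needed, key=lambda c: (avail[c], c))[:n]


def requirement_gap_hours(graph, avail, target, required):
    """Hours per year by which the achievable availability falls short of the
    stated requirement (0.0 when the requirement is achievable)."""
    achievable = serial_availability(graph, avail, target)
    return max(0.0, (required - achievable) * HOURS_PER_YEAR)


if __name__ == "__main__":
    svc = "b2c_storefront"
    print("must be up:", sorted(required_components(DEPENDENCIES, svc)))
    print("achievable availability: %.4f" % serial_availability(DEPENDENCIES, AVAILABILITY, svc))
    print("order_db outage takes down:", impacted_services(DEPENDENCIES, ["order_db"]))
    print("weakest links:", weakest_links(DEPENDENCIES, AVAILABILITY, svc))
    print("shortfall vs 99.9%%: %.1f h/year" % requirement_gap_hours(DEPENDENCIES, AVAILABILITY, svc, 0.999))
```

In the constructed data the storefront's achievable availability is roughly 98.7 percent, so a process owner asking for 99.9 percent is asking for about a hundred hours a year more uptime than the chain can deliver; the two 99.5 percent components (identity provider and ISP circuit) are where the conversation with the technology owner should start. The model is deliberately pessimistic: redundant or failover components would need an any-of rule rather than a plain product.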
Client Response:
4. What are the security requirements related to the systems you manage —
e.g., confidentiality, integrity, and availability? Are these requirements
being met?
Guidance:
From the discussions with the business process owners, you
should already have a good sense of what these requirements are. The purpose of
this question is to determine whether the technology owner is aware of the
security requirements and whether those requirements are being met. One
thing to look for here is whether the process owner and the technology owner
share the same view of the system's security. If they do not, delve further into
why the difference exists and whether the system actually has an adequate
level of security.
Client Response:
5. How is the technology secured?
Guidance:
This is a follow-up to the previous question. Securing a
technology has a number of aspects, including access controls, physical
security, integrity controls, and others; the specific methods depend on the
technology. This question will probably lead to a technical discussion, so be
prepared to talk at a technical level.
AU1706_book.fm Page 278 Wednesday, July 28, 2004 11:06 AM