Appendix C
Generic Questionnaire for Meetings with Technology Owners
Similar to the Generic Questionnaire for Business Process Owners, this is a set of questions that can be addressed to any of the technology owners. Additional questions should be added based on your knowledge about the business.
1. What technology are you responsible for and what business process does it support?
Guidance:
With your knowledge of the business so far, you should have some perspective on how the technology supports the business. However, the technology owner will be able to give you a different angle on this topic. In some cases, there might not be a specific business process; e.g., a server that handles authentication into the network does not necessarily support a particular business process but provides access so users can do their jobs. In other cases, the technology owner might be managing an application that supports a mission-critical business process.
Client Response:
2. Where does it fit into the overall architecture?
Guidance:
Assuming that a network topology diagram is in place, you should be able to see where the technology fits into the IT environment. This is very helpful because it gives you a visual perspective and highlights the relationships with other parts of the IT environment. These relationships will likely generate other questions regarding integration points, transmission of information, and other topics where there are security implications.
AU1706_book.fm Page 277 Wednesday, July 28, 2004 11:06 AM
A Practical Guide to Security Assessments
Client Response:
3. What are the key dependencies for the technology you manage?
Guidance:
The key dependencies for any technology are the components that must be functional for the technology in question to work properly. A simple example is a business-to-consumer (B2C) e-commerce site: for it to be functional, access to the Internet is required, along with the web, database, and authentication components behind it. Knowing the dependencies is important when considering the availability requirements for a given technology, because the technology is only as available as the least available component it relies on.
Client Response:
4. What are the security requirements related to the systems you manage, e.g., confidentiality, integrity, and availability? Are these requirements being met?
Guidance:
From the discussions with the business process owners, you should have a good sense of what these requirements are. The purpose of this question is to determine whether the technology owner is aware of the security requirements and whether those requirements are being met. One thing to look for here is whether the process and technology owners have the same perspective on security. If not, you can delve further into why the differences exist and whether there is an adequate level of security for the given system.
Client Response:
5. How is the technology secured?
Guidance:
This is a follow-up to the previous question. When talking about how the technology is secured, there are a number of aspects, including access controls, physical security, integrity controls, and others. The methods depend on the technology. This question will probably lead to a technical discussion, where it is important to be prepared to talk on a technical level.
Client Response:
6. How is security enforced?
Guidance:
If security is not enforced, its value is diminished significantly. Enforcement efforts can be automated or manual. To the extent that enforcement can be automated, it should be. Other methods of enforcement include periodic reviews and audits.
Client Response:
7. Does critical data reside on any system you manage? If so, how is it secured?
Guidance:
From your business process interviews, you should know what critical data exists and where it resides. This is an opportunity to get the perspective of the technology owner, which should hopefully be in line with what you know already. Once you learn how the information is secured, you can determine if there is an appropriate level of security based on the criticality of the data.
Client Response:
8. If the systems you manage were not available, how quickly could they be functional?
Guidance:
With this question, you will have to go through several different scenarios because not all system failures are the same. The goal of this question is to get a range of times for how long the systems can be unavailable and whether these ranges are acceptable based on the availability requirements of the business. This is one of the areas where there is often a disconnect between IT and the business. Availability requirements are often a budgeting issue. For example, consider a company's e-mail functionality. There is a big difference between guaranteeing four-hour maximum downtime and one business day maximum downtime. Many people will tell you that they cannot do any work without e-mail and that half a day is about all they can tolerate. When you start looking at what it costs to meet a half-day maximum downtime requirement, the tolerable downtime will likely change, and other methods of communication such as phones might become more of a viable option.
Client Response:
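The dependency discussion in question 3 and the failure-scenario walk-through in question 8 are two views of the same model, so one worked example serves both. The following Python script is an added illustration and is not from the book; the component names, dependencies, restore times, tolerated downtime and scenarios are constructed for the example. It lists what a B2C storefront transitively depends on (question 3) and, for each scenario, computes how long the storefront is down when several components fail at once, using the critical path through the failed dependencies, then compares that with what the process owners said they can tolerate (question 8).

```python
"""Dependency and recovery-time model for the B2C example in questions 3 and 8.

Added illustration, not from the book. The component names, dependencies,
restore times, tolerances and scenarios below are constructed for the example.
"""
from functools import lru_cache

# Constructed environment: component -> (direct dependencies, hours needed to
# restore the component once its own dependencies are back).
COMPONENTS = {
    "b2c_storefront":  ({"web_server", "order_db", "payment_link"}, 2.0),
    "web_server":      ({"internet_access", "auth_server"}, 4.0),
    "order_db":        ({"san_storage"}, 8.0),
    "payment_link":    ({"internet_access"}, 1.0),
    "internet_access": (set(), 6.0),
    "auth_server":     (set(), 3.0),
    "san_storage":     (set(), 24.0),
}

# Downtime the business process owners said they can tolerate (hypothetical).
MAX_TOLERABLE_HOURS = {"b2c_storefront": 4.0}

# Failure scenarios to walk through with the technology owner (question 8):
# scenario -> components that are down at the same time.
SCENARIOS = {
    "isp_outage":        {"internet_access"},
    "auth_server_crash": {"auth_server"},
    "san_failure":       {"san_storage"},
    "site_power_loss":   set(COMPONENTS),
}


def all_dependencies(component):
    """Question 3: every component that must be up for `component` to work,
    following dependencies transitively."""
    seen = set()
    stack = list(COMPONENTS[component][0])
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(COMPONENTS[dep][0])
    return seen


def recovery_hours(service, failed):
    """Question 8: hours until `service` is usable again when every component
    in `failed` is down at once.

    A component that did not fail needs no restore. A failed component can only
    be restored after its failed dependencies are back, so its recovery time is
    its own restore time plus the longest recovery among its dependencies (a
    critical path). Independent restores are assumed to run in parallel.
    """
    failed = frozenset(failed)

    @lru_cache(maxsize=None)
    def recover(component):
        if component not in failed:
            return 0.0
        deps, restore = COMPONENTS[component]
        return restore + max((recover(d) for d in deps), default=0.0)

    # The service is unusable until it and everything it relies on is back.
    return max([recover(service)] + [recover(d) for d in all_dependencies(service)])


def scenario_report(service):
    """Compare each scenario against the tolerated downtime for `service`.
    Returns {scenario: (hours_down, within_tolerance)}."""
    limit = MAX_TOLERABLE_HOURS[service]
    report = {}
    for name, down in SCENARIOS.items():
        hours = recovery_hours(service, down)
        report[name] = (hours, hours <= limit)
    return report


if __name__ == "__main__":
    print("b2c_storefront depends on:", sorted(all_dependencies("b2c_storefront")))
    for name, (hours, ok) in scenario_report("b2c_storefront").items():
        print(f"{name:18s} {hours:5.1f} h  {'ok' if ok else 'EXCEEDS tolerance'}")
```

In this constructed environment only the authentication server crash stays within the four-hour tolerance; the SAN failure and the site-wide outage show how a single slow-to-restore component at the bottom of the dependency chain dominates the recovery time of the business service that sits on top of it, which is exactly the kind of gap between the IT and business views that question 8 is meant to surface.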
9. What type of logging and monitoring activities do you perform?
Guidance:
For key machines or devices, some level of logging and monitoring should take place. For example, for critical servers, does anyone review any of the event logs or any of the other relevant logs? How much log review and monitoring activity occurs provides some indication of how proactive or reactive the security measures are. The level of logging and monitoring is often a function of how many people the client has to do the work and the risks they face.
Client Response:
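When the technology owner says the logs "are reviewed", it helps to have a concrete picture of the minimum that review should catch. The following Python script is an added illustration and is not from the book. It parses constructed sample lines written in the style of Linux sshd entries in /var/log/auth.log (the hostname, users and addresses are made up) and flags the three things even a basic periodic review should surface: a burst of failed logins from one source, a successful login right after such a burst, and any direct root login. The threshold and window are hypothetical choices.

```python
"""A minimal automated log review of the kind question 9 asks about.

Added illustration, not from the book. The log lines are constructed in the
style of Linux sshd entries in /var/log/auth.log; the hostname, users and
addresses are made up, and the thresholds are hypothetical choices.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a password-guessing burst that ends in a root login,
# then two ordinary key-based logins.
SAMPLE_LOG = """\
Jul 28 10:01:12 fileserver sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jul 28 10:01:15 fileserver sshd[2203]: Failed password for invalid user oracle from 203.0.113.45 port 51030 ssh2
Jul 28 10:01:19 fileserver sshd[2205]: Failed password for root from 203.0.113.45 port 51041 ssh2
Jul 28 10:01:22 fileserver sshd[2207]: Failed password for root from 203.0.113.45 port 51055 ssh2
Jul 28 10:01:26 fileserver sshd[2209]: Failed password for root from 203.0.113.45 port 51060 ssh2
Jul 28 10:01:31 fileserver sshd[2211]: Accepted password for root from 203.0.113.45 port 51067 ssh2
Jul 28 10:15:02 fileserver sshd[2300]: Failed password for jsmith from 192.0.2.10 port 40010 ssh2
Jul 28 10:15:20 fileserver sshd[2302]: Accepted publickey for jsmith from 192.0.2.10 port 40012 ssh2
Jul 28 11:00:00 fileserver sshd[2400]: Accepted publickey for backup from 192.0.2.20 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5    # this many failures from one source ...
WINDOW_SECONDS = 300  # ... within this window is treated as password guessing
LOG_YEAR = 2004       # syslog timestamps carry no year; assumed for the sample


def parse(log_text):
    """Turn sshd auth lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "ok": m["result"] == "Accepted",
                       "method": m["method"], "user": m["user"], "src": m["src"]})
    return events


def review(events):
    """Return (finding, source, detail) tuples a reviewer should look at:
    a failure burst from one source, a success right after such a burst,
    and any direct root login."""
    findings = []
    failures = defaultdict(list)  # source address -> timestamps of failed logins

    def recent_failures(src, now):
        return [t for t in failures[src] if (now - t).total_seconds() <= WINDOW_SECONDS]

    for ev in sorted(events, key=lambda e: e["ts"]):
        src, now = ev["src"], ev["ts"]
        if not ev["ok"]:
            failures[src].append(now)
            n = len(recent_failures(src, now))
            if n == FAIL_THRESHOLD:  # report once, when the threshold is crossed
                findings.append(("brute_force", src, f"{n} failures within {WINDOW_SECONDS}s"))
            continue
        n = len(recent_failures(src, now))
        if n >= FAIL_THRESHOLD:
            findings.append(("success_after_failures", src,
                             f"{ev['user']} via {ev['method']} after {n} failures"))
        if ev["user"] == "root":
            findings.append(("root_login", src, f"direct root login via {ev['method']}"))
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(*finding, sep="  ")
```

The single failed password from 192.0.2.10 followed by a key-based login is the normal noise a reviewer should be able to ignore; the burst from 203.0.113.45 ending in a root password login is what must not be missed. If the technology owner cannot describe who would see a finding like this and how soon, the answer to question 9 is effectively "reactive".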
10. Is a formal change management process followed for any changes to the technology?
Guidance:
Whether or not a change management process is followed is an indicator of how controlled the environment is. If no change management process is followed, it can lead to more questions depending on the technology. At a minimum, the lack of a change management process should be flagged as an issue.
Client Response:
11. Have there been any security incidents with any of the technology you manage?
Guidance:
This question is the same as the one asked of the process owners. This information is valuable because it provides some clues about what vulnerabilities might exist, what the impacts are, and what management did to ensure that incidents do not recur. If there was an incident, find out the details about it and ask how it was handled and what subsequent steps were taken to prevent it from happening again.
Client Response:
12. Are there any changes planned for the technology you manage? If so, have the security implications been considered?
Guidance:
Planned changes can affect your evaluation depending on what they are. Some examples include a major overhaul of the technology, a change in architecture, changes in organization, merger or acquisition activity, and outsourcing. If any new initiatives exist, you should find out if security is (was) being considered in the planning process. Any changes that the technology owner is able to talk about are worth discussing because they will affect your evaluation.
Client Response: