Phase 1

The Grunt Work of Security

There is an old saying that success is doing what’s right at the right time. While whoever coined it may not have been thinking of security in particular, security professionals can certainly learn from it. Security is about doing the right thing at the right time. Before you can run a password-cracking tool, perform penetration tests, or fire up a vulnerability scanner, you must cover some basic groundwork. That grunt work is the subject of this first phase.

The groundwork of security requires that you know what is worth securing. Companies don’t have unlimited funds, so a big part of the security process is finding what is most critical to the organization and focusing your security efforts on these assets. Finding what’s critical is only the first step. You will next need to write a policy that matches up to your findings. Is that enough? No. Policies have no meaning if users don’t know they exist. That’s where user awareness comes in. Finally, you can have great ideas, but unless they are written down they have little value. In other words, documentation is important in everything you do. These are the tasks that we will examine in this phase of the security process. Let’s get started by performing a basic risk assessment.


The tasks in this phase map to Domain 2 in the objectives for the CompTIA Security+ exam.

