Defining Roles and Responsibilities

Over the course of an assessment, you will work with a multitude of people at the customer organization who have different roles and responsibilities regarding information security. It is essential that you understand who is in what role and who can do what to make sure the project progresses smoothly. Many of the people placed in the roles described in this section will be of your choosing. Others will not; however, we can at least discuss with the customer our expectation for these roles in an effort to maintain customer expectations and help them appoint people we’ll need to be successful. As stated earlier in the book, the assessment is a team effort, and the quality of the final report is heavily dependent on customer involvement. Some of the roles we discuss here and their relationships with security are:
■ Decision maker
■ Customer POC
■ Upper-level management
■ Functional area representatives
■ Senior INFOSEC manager
■ And many more
■ Regular practice Imagine—some organizations include an assessment as part of a good overall security practice! In this case you usually run into a fairly open and knowledgeable staff.

Again, your understanding of the customer organization’s motives is an additional piece of information you can use to do a better job. When we assess security controls, we tend to inspect them rather closely, and rightfully so. In a manner of speaking, we are security controls as well. We should also look for any way to improve our processes and our work.
Who Is the Decision Maker?

The decision maker is the key player when it comes to setting the scope of the assessment process and determining relevant boundaries. He or she is likely the person who authorized funding to bring in an independent team. The decision maker normally has his or her own objectives in relation to the assessment outcome.
The decision maker will ultimately authorize the direction and scope of our assessment process. Early in the IAM process, during potentially intense debates among departments about information criticality (which we address later, in Chapter 3), you will often see one individual who has to that point been rather quiet raise their hand and end the debate by making a decision based on that person’s interpretation of the conversations up to that point. You have just found your decision maker. The role is not always based on position or title. You may see a chief information security officer (CISO) or a CIO defer judgment to an ITSM. Every organization is different, but this individual can be very influential in assisting your success. Make sure you take note of this person because you may need his or her direction or clarification later in the process.

The decision maker is one of the integral components in securing management buy-in. When this individual makes it known that your project is going to be beneficial to the organization, you will get a much better response from individuals on the org chart below him or her. Without adequate buy-in at this level, don’t expect too much support from any level as the process continues!
Who Is the Main Customer POC?

The main POC for the customer is an extremely important person in this process. He or she is your liaison to the customer as well as your window into the customer’s organizational culture. Because you will rely so heavily on this person, this is an important relationship to establish early. The customer organization’s POC will work as a member of both the customer team and the assessment team. He or she will also be involved from the beginning of the project and beyond completion.

The role this person normally occupies should not be either too high on the “food chain” or too low. Usually middle management is a good place to start looking for a candidate. Upper managers will usually not have the time necessary to dedicate to this project to make it successful. Lower levels of administration will not have the authority to manage your needs in the organization. A manager in the IT or IT security departments is usually a good place to start looking, if you are allowed any input. The customer organization may already have someone in mind, which is fine, but you need to verify that they understand everything that will be expected of the customer POC.
The customer POC’s level of involvement in the assessment is significant. Any issues that arise from either the assessment team or the customer team will be funneled through this person. As a member of the customer team and the assessment team, he or she will be involved in almost all group meetings and interviews. The POC is responsible for seeing that all requests from the assessment team are handled in an appropriate manner and that all concerns of the customer team are dealt with. Assistance with coordination of the onsite visit is crucial as well in terms of time management across multiple interview schedules. This role is almost that of a quality control or project manager, considering the purposes behind the responsibility and the requirement to manage needs as they arise.

The POC’s duty as a member of the assessment team is also to ensure that your goals and objectives stay on course with the customer organization’s goals and objectives. Assessment projects can often become sidetracked due to possibly large teams and the large number of people involved. Importance and priority of data to its owners can be a very emotional topic. Maintaining level heads and a clear vision moving forward depends on the customer and assessment POCs.
NOTE

Interestingly, the main customer POC usually starts out with one of two predisposed attitudes: intense doubt or anticipation. By the time the IAM engagement gets into full swing, however, the main customer POC is often the biggest proponent of the process.
Who Is the Assessment Team Leader?

The main POC for the assessment team is the role with the most involvement. This is often the team leader or project leader. In reciprocal comparison to the customer POC, the assessment team leader is responsible for handling any customer issues or concerns. He or she is also the individual with the important duty of managing customer expectations. The assessment team leader will work very closely with both sides of the engagement and must have an appropriate personality. This may seem a little “picky” at first, but with the amount of involvement, the opportunities for argument, the goal of customer satisfaction, and the number of interviews geared toward extracting information, it really is a serious concern. Excellent problem management and people skills are musts in the personality of any team leader.

The assessment team leader is usually the individual with the most NSA IAM experience and will frequently be best suited to the role of lead interviewer as well, due to the high level of charisma required for the position. The leader’s role is as a facilitator in the opening meetings to discuss the engagement and the organization as well as to ensure that the process stays on track and is efficient enough to complete tasks in the short time allotted.
Suggestions for the Assessment Team

For the PASV, you will want to bring along a team leader (often the assessment team POC) and one or two team members. The team leader will run most meetings; the other members will take notes and offer information in supporting roles. This is one reason you garnered all that information during your preparation. Your team should be staffed with people who are experienced in the industry of the customer organization and familiar with similar technical environments. These people may or may not be a part of the team during all phases of the assessment, but their knowledge will be vital to facilitating the activities detailed in Chapters 3–6.

Ultimately, the customer POC should be considered a member of your team. If and when he or she has suggestions or questions, listen not based on technical or security-related experience alone but on the POC’s knowledge of the environment you are attempting to help protect. The person in this role will not always want to have a great involvement with the actual assessment side of the product outside assisting the team and facilitation of scheduling and introduction issues, but any assistance you can garner while “getting to know” the customer organization is always beneficial.
Possible Members of the Customer Team

The customer team will be very active in the PASV portion of the engagement. You are planning to accomplish several tasks and need to collect a wealth of information that only key parties can give, and now is the time to do so. Remember, many of these people are high-level representatives, and you are not likely to get much time beyond this to speak with them. There are five main roles you should look for to be involved with the PASV meetings:

■ Upper-level management Involved to provide overall mission guidance and promote appropriate management buy-in. The decision maker is usually a member of this group as well. This group or individual will verify that you are headed in the right direction and can disseminate instructions of cooperation downward on your behalf.

■ Functional area representatives These people will provide knowledge in regard to specific information types, functional roles of their departments, and sensitivity of department-owned information. Information ownership frequently resides at this level.

■ Senior system manager This role will be able to provide you information in regard to the current footing of INFOSEC in day-to-day operations. Others may define policies and procedures, but ultimately this team member is the one who implements them (or at least is supposed to!).

■ Senior INFOSEC manager This is the party responsible for authoring and relaying all the documentation you will be reviewing over the next few months. This person is usually the most security-literate member of the customer team and is often there to validate your approach to, and understanding of, upper management in the first few days. You will likely be heavily involved with this person throughout the process when requesting documentation or clarification of text.

■ Customer POC The POC usually has a vested interest in the proceedings and is often a member of one of the aforementioned groups, since this person is at the right level within the customer organization to facilitate the success of the assessment. If not, he or she should be a part of these proceedings as well to ensure that everyone understands the process that is about to unfold.
Planning for the Assessment Activities

The amount of work that needs to be performed in such a short period of time is extensive and can lead to long, stressful days if proper preparation and planning are not performed. In this section, we cover the activities that you will perform during the PASV. Appendix A contains a PASV template that will assist you in organizing and scheduling the limited amount of time you have during your site visit. These are the main points we address:
■ Developing mission identification
■ Determining organizational criticality
■ Determining system criticality
■ Defining system boundaries
■ Defining goals and objectives
■ Creating the assessment plan
■ Setting the scope and coordinating the assessment
Once these tasks have been achieved, you will be well on the way to performing an assessment. Remember, you can add to this list in whatever way it helps your organization or conforms with your business processes. This is simply a foundation of the minimum goals you should have for your pre-assessment site visit.

From the Trenches…

The Importance of a Team Atmosphere

Nothing can destroy a good security assessment faster than emotional flare-ups. They can happen on both sides of the project fence as security and information ownership topics are hotly debated. People can become passionate about the security of their own information assets, which is a good thing; yet tempers must always be kept in check. The team needs to maintain and provide a united front. We have witnessed engagements where members of the assessment team and the customer team spend hours per day arguing proper security controls and methods. This is not at all beneficial to the project or the customer and will ultimately result in a poor-quality product, if it ever gets to the final report phase at all.
NOTE

As mentioned already in the chapter, we provide a template in Appendix A for your use as a checklist to maintain the integrity of the process. It can be fully customized to fit your organizational or business model needs. It is a place to start when you are in the beginning phases of the project while also allowing a centralized location for notes and contact information. At a minimum, it is an excellent tool for disseminating project information among team members as well as maintaining expectations. Portions of this checklist will be explained in greater detail in Chapters 3–6.

Also included is an IAM PASV Planning Survey template for your review. This is a wonderful tool for requesting information prior to arriving at the customer organization’s location. Distributed to the client early in the process, it will make the job of estimating time requirements and planning timelines much easier.
Developing Mission Identification

To properly perform an assessment and make recommendations for any organization, you need to have a strong understanding of that organization’s mission. It is also important to understand the business functions that drive the organization and the industry space in which the company operates. Numerous factors can define a customer organization’s mission. Examples of major organizational attributes that will figure in defining its mission are:

■ Profit versus nonprofit
■ Publicly traded versus privately held
■ Customer demographic
■ Customer satisfaction
■ Small business versus large corporation
■ Industry market share
■ Service offerings versus product offerings

Two players in the same industry and with similar attributes can still have different missions based on what got them to where they are today and where they see themselves going in the future. Defining this mission is something that you must do with the customer. The mission priorities are organizationally specific; because the mission statement helps define priorities regarding information types, it cannot be completed by outside parties with little experience in the customer culture. Every organization has a brief mission statement, but these statements never come close to telling you all the nuances of how the organization operates and what it considers a priority in completing its mission.

A large part of the process in the pre-assessment phase involves building an understanding of, or defining, what you believe is the security posture of the organization. Later, during the onsite visit and documentation review, you will get to validate your understanding of the current environment. Before you even begin to define the posture, you need to review the organization’s mission with the customer team. Your first meeting should begin with a discussion of mission objectives and industry function.
Understanding Industry Differences

Each industry is different from all others and therefore has different information security standards it must meet. Disparate industries value security in different aspects based on what information is important to their operations. All aspects of information security are important, but part of the resulting information gathered from the IAM offering is the prioritization of data and the controls protecting this data. Some examples of differing industries are:

■ Government (on multiple levels)
■ Financial institutions
■ Hospitality
■ Utility

These are just a few of the industries you will encounter. You can see how these examples would relate back to the standard concepts of CIA. A financial institution may place more importance on integrity due to its large number of transactions. Medical institutions may emphasize the need for confidentiality due to privacy requirements, and so on.
Relating the Mission to Pre-Assessment Site Visit Products

Defining the mission objectives will enable you to begin working on the four main products, or deliverables, that are created during the PASV. In fact, it is the underlying requirement for all of them. Mission objective definition is the basis for completing the deliverables. Each one of these is discussed in greater detail later in the book, but here are some brief introductions to them:

■ Organizational priorities Chapter 3: Organization Information Criticality—Using the information you have learned in regard to the organization and its industry and mission, you can define priorities for the organization.

■ System priorities Chapter 4: System Information Criticality—Just as you prioritize the organizational components, you funnel that information down to more detailed system-based priorities.

■ Customer environment Chapter 5: System Security Environment—Definition of the customer environment is based on multiple components such as boundaries, customer constraints, and customer concerns.

■ Assessment plan Chapter 6: Assessment Plan—The assessment plan is the agreement built during the PASV that defines the processes, the organization, and the scope of the project.

These products are customized based on priorities the customer organization defines. These can be considered guidelines for the remaining assessment process as well as the foundation for any future INFOSEC programs. Again, these products are built by both the assessment team and appropriate customer representatives. You are there to provide your knowledge of overall security implications and best practices. The customer has the detailed knowledge of their organization and what drives it. Working together is the only true way to get an assessment road map that is balanced between organizational needs and in-depth security experience.
Defining Goals and Objectives

Once you’ve completed all the investigative and customer orientation components of the pre-assessment site visit, it is time to take that information and determine a high-level set of goals and objectives for the customer organization’s security program. These goals will assist in determining requirements for the organization’s security controls, whether they are technical, operational, or managerial. Organizational policies are often created to supplement any legislation or regulations that may fall more in line with the customer’s overall mission and goals. In addition, if some guidance is found to be too stringent or too lenient in contrast to the defined environment, this can and should be documented as a finding, with recommendations as to proper control requirements. Any additional local policies and procedures should also be used in setting detailed system security objectives.
Understanding the Effort: Setting the Scope

One of the final pieces that will begin to take shape is a full understanding of the level of effort that will be required to perform the assessment. The entire group, including both customer and assessment team members, must agree with the aspects of the remaining work. Now you can work with the customer to finalize delivery dates, project milestones, and the like.

One thing to remember when developing your final timeline is the level of involvement with recommended solutions. This includes the level of research and detail requested, but more important at this point, the implementation of those solutions. If you are at a customer’s location and you find multiple issues with currently implemented security controls that must be mitigated immediately, are you willing, and do you have the time, to jump in and assist with correcting this situation?
Information Request

Requesting information will not likely be the last thing you do during a PASV, but it is one of the last things you should verify, in that actions have been taken to assist you in gathering documentation for review. Again, the IAM relies heavily on the review of policies and procedures to perform an assurance check; therefore, you will rely heavily on access to that documentation to perform the review. Best practice would be to ask for documentation early and often. The PASV is the perfect time to gather as much documentation as possible.
Coordinate

After the PASV is completed, you can begin coordinating the remaining phases of the assessment. You may have multiple sites and teams, so this is not always a simple or easy task. A good deal of management tends to be involved with this process, resting on the team leader’s shoulders. Typical items that need action are travel components (airfare, lodging, ground transportation), site issues (scheduling customers, security clearances, briefings), and personnel requirements.
Establish Team Needs for Remaining Assessment

At this point, you should now know as much as possible without having actually reviewed any of the customer organization’s documents. Now begins the process of coordinating team members for the remainder of the project as needed. Some members will come and go as the project progresses, and others may stay on for the duration, depending on the needs of the environment.
Industry and Technical Considerations

You should now know with which industry or governmental regulations, guidelines, and legislation the customer is obliged to comply. Make sure you have available personnel with a strong background in whatever guidance may be required. Distributing any guidance to your team and keeping any and all regulations on hand throughout the process are important, of course, for understanding any current security implementations and recommendations to be made. As an aside, it also boosts the customer’s level of comfort with your services because they know that you can relate to and understand the current issues or constraints with which they might feel they have been saddled.

Don’t forget to take into account all the information you have gathered regarding the technical nature of the customer organization’s environment. It really would not go over well to have a group of Microsoft Certified System Engineers (MCSE) show up to begin interviewing a group of IBM AS400 operators in regard to their day-to-day operations! The possibility of a common understanding between the teams would be very low. As early as possible, you need to make sure you have the right skill sets available to slip into the schedule without delaying the customer.
Case Study: The Bureau of Overt Redundancy

As you can understand, the case studies presented here are made up, since customer findings are considered proprietary and held in the strictest confidence. However, we do incorporate experiences gained from actual performances of the IAM assessment to illustrate the different points addressed in this chapter. So with that caveat, meet our newest customer: the Bureau of Overt Redundancy (BOR).
The Organization

We’ve been contacted by Justin Phun, an ITSM for BOR, which operates as a bureau within the Department of Excess Verbiage (DEV). Apparently, Justin has recently begun to see signs that his security measures are not quite up to snuff. In the last six months he has been hit with several viruses, backup failures, and loss of rather expensive networking equipment. Justin doesn’t believe the equipment has been stolen—he believes that the system has simply broken down someplace and it has been appropriated for invalid use. As we should all be aware, knowing how and where a number of systems are implemented is key to system inventory, contingency planning, and disaster recovery efforts, to name just a few important matters. Rogue systems can have varied and dangerous consequences. Justin feels that this situation warrants bringing in an independent review team to assess the organization’s policies and procedures, then offer recommendations where possible.

Justin has received appropriate management buy-in and authorization from the bureau CIO and is eager to get started as quickly as possible. With an extremely long and painful RFP process now in the past, you begin scheduling dates for your pre-assessment visit with Justin and filling him in on who needs to be present and why. As you do so, take notes of the names, titles, and contact information of each person you agree to involve. Since Justin is the one lobbying internally for the assessment, he has gone out of his way to acquire funding for it, and obviously he has the connections to help you work with upper management and the technical administrative staff—so doesn’t it make sense that he become your customer POC? He obviously has a vested interest and has shown the initiative that makes him a perfect candidate for this role.
While you are waiting for Justin to get back to you with optimal times to perform the pre-assessment site visit, you begin researching the BOR to put together an IAM Planning Survey. You find out that the BOR is the entity responsible for those annoying mandates in the land of Nactoobia, such as the requirement for three tags on every mattress, just in case somebody pulls off the first two prior to reading the warning label. The organization is obviously very dedicated to what they perceive to be a priority service in Nactoobia: true redundancy for the masses. You also find several directives from the Nactoobian government regulating specific aspects of information security. There are several questions you need answered, so in a brief e-mail you ask Justin to answer these questions as succinctly yet as descriptively as possible. This survey should provide your team with valuable insight and not cost the POC more than a few hours:

Q: What antivirus applications are in use?
A: Sloth AV 4.8

Q: What backup hardware and applications are in use?
A: Redundant Redundancy+ 2.3

Q: What server-level OSs are in use?
A: Custom Kernel Clusterer 3.8.22

Q: How is physical access to the data center controlled?
A: Armed guard, closed-circuit TV, proximity badge

Q: What kind, if any, of IDSs are in place to detect malicious traffic?
A: None

Q: Are you bound by Nactoobian Directive 34?
A: Yes

Q: What level security clearance is required, if any?
A: None

Q: Please list all federal regulations your organization must comply with.
A: All federal Nactoobian regulations
Notice how we address some of Justin’s chief concerns in the very first questions. The best way to help the customer meet his objectives is to make them your objectives. This also conveys to him that you are paying attention and striving to meet his needs.
Once you get a response to your IAM Planning Survey and a formally accepted time frame, you can begin some of the mundane tasks of preparing for your visit. You, of course, schedule time with one of your lead contractors, Bill M. High, who has a background in Nactoobian federal government experience, as well as your lead operating system contractor, Lynn X. Roulls. Luckily, Lynn also has some experience with Redundant Redundancy 2.2. Seeing as how backups are a major customer complaint, it would have been wise to have Lynn study the product prior to the visit had she not already been familiar with it. As it is, we should ask our team members to familiarize themselves with the antivirus software in use. Luckily, security clearance levels are not required within the BOR.

In order to update Bill and Lynn, you send them a copy of the completed IAM Planning Survey as well as your notes and customer contact information in the IAM PASV Checklist. This allows your team to familiarize itself with aspects of the customer without requiring you to relay everything you and Justin had discussed directly. It also gives them detailed notes that they can use to research any products or regulations with which they may not yet feel comfortable.
The day comes at last, and we all travel to the land of Nactoobia to meet with Justin and the team at the BOR. In the first meeting we begin discussing the organization’s mission and what it is that drives their motivation. Recognizably, it is a Nactoobian federal government institution, so profit is of little concern. Multiple directives, legislation, and regulation forcing the adoption of some wide-ranging standards drive them as well. The agency also believes that acceptance of its goals is predominantly dependent on the private sector companies footing the cost of their requirements for community well-being. The BOR is mandated to keep the cost, or noticeable cost, to the customer as low as possible. The standards they are attempting to implement are geared toward a return to products from the “good old days.” Tired of a disposable society, Nactoobia has undertaken these efforts to force production of higher-quality, longer-lasting products.

The official mission statement declares that the BOR will strive “to ensure all products available to the Nactoobian people include maximum redundancy for maximum safety and maximum reliability at minimum cost.” This mission statement touches on some of the points already discussed, but not all. There is also a component, safety, declared that did not really seem to be of great concern within the organization. A combined team agreement of mission goals would be two major goals supported by multiple objectives:

■ Mandate private sector organization requirements for redundancy, quality, and durability of products
1. Introduce legislation and requirements to control industries
2. Research products for improvement opportunities
3. Publish reports detailing benefits of adoption and hazards of non-adoption

■ Maintain private sector organization costs or defray those costs without widespread public knowledge or understanding
1. Assess risk versus cost of improvements
2. Introduce methods of industry standardization for cost reduction
3. Manipulate private sector “conclusions” into legislation

As you can infer, the BOR has a large staff of lobbyists, lawyers, and accountants. What now becomes clear as well is that the BOR doesn’t really define all the standards they publish or suggest, but it takes them under advisement from private industry rather than employing multiple teams to run independent tests. This can seriously alter original perceptions of the customer’s goals for security. Following these mission goals, it is clear that confidentiality should be considered rather high, due to the methods by which they arrive at conclusions and possible flare-ups within the voting community. We will not delve any deeper, but this portion illustrates the difference between a public mission and an undocumented private mission.
At this point we can now begin scheduling activities for the remainder of the assessment process. With the customer we can now begin coordinating team travel, site personnel interviews, delivery dates, and milestones.

The remaining activities performed during this assessment are discussed in greater detail in Chapters 3–6. At this point we’ll assume that we have completed them satisfactorily with the customer, and it is now time to move on to the later stages. The advantages of using items such as the IAM Planning Survey and the IAM PASV Checklist should be a little clearer to you, and you probably have some thoughts on how you might modify the templates to fit your business model and suit your clients.
It may seem that the pre-assessment site visit team leader must be a motivational speaker or a psychologist, with all the emphasis this chapter placed on managing customer expectation and facilitating customer discovery of their own priorities. In part, there is a bit of truth to that. It has been said that the outcome of many sporting events is decided in the first few actions. That is definitely true in regard to the IAM process. The quality of the final product of an assessment is composed of two main factors: the experience of the security professionals involved and the level of input from the customer. Managing these two goals and getting things moving smoothly are two primary points that the PASV incorporates into its process.

Preparation is a major factor in achieving those goals. The PASV, in relation to the rest of the IAM process, is a very brief stage. The amount of ramp-up time is basically nil. The level of preparation can make or break the assessment. As a basic strategy, you need to be aware of the environment you are walking into, the requirements within that environment, and the constraints put thereon. If you can discuss freely the base aspects of the client’s business, infrastructure, and regulations, the customer will open up to you more quickly. This will enable you to learn specifics faster and produce the deliverables faster as well.
Consideration of events, personnel, expectations, and requirements can help maintain your level of preparation through this stage and to the end of the assessment. Properly accounting for issues that have a customer cost associated with them, such as time, materials, and travel, will help keep customer expectations in line. You may have heard the expression “It is better to ask forgiveness than permission.” In an assessment situation, that is completely backward. Discuss any issues with your POC at a minimum to ensure that your client is informed and up to date on the process and its activities.

The PASV activities become the tools you’ll use to work on the rest of the project. Defined by the customer with assistance from the assessment team, they should have a solid footing in both security best practices as well as custom client concerns. Define a security-related mission statement to build these products as well as create a solid foundation of guidance for future security programs.

The case study is meant to be a lighthearted model for relaying a few of the key aspects of the pre-assessment site visit. It is obviously not a true representation of any organization, but it should give you a better understanding of the purpose and use of some of the tools.
With the topics discussed here, you should feel comfortable in your efforts to perform an IAM pre-assessment site visit. There is no way to prepare someone for all the things they may encounter during an assessment, but we have covered many of the major concepts that will enable you to work through any situations that arise.
Best Practices Checklist

Preparations

■ Define the network, security, and organizational environments as early as you are able to assist in staffing the industry and technical resources you need.
■ Use the IAM Planning Survey and IAM PASV Checklist as data information repositories and a method of communicating objectives between team members.
■ Make sure that all parties can and will be available during your visit to eliminate playing catch-up from the beginning of the project.
■ Understand the background of why this assessment is being performed at this time and how that may affect your working capabilities.

Activities

■ Understanding the customer organization’s mission objectives is key to performing all activities in the pre-assessment site visit.
■ Proper coordination is often given a low priority but remains a highly responsible factor for letdowns in the process.
■ Given the higher understanding of the required level of effort, make sure all parties involved are on the same page regarding the remaining work.
Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: Have you ever been involved with an organization from which you simply could not get cooperation? If so, how did you handle it?

A: This situation will obviously have to be handled differently based on your business practices, but yes, we have faced scenarios in which cooperation from a site or an organization was just not forthcoming. In one instance, constant communication with the organization’s leadership finally resulted in the removal of that site from the assessment. You have to weigh the overall value the customer is receiving from your persistence and make a combined decision as to whether certain aspects of the assessment should be modified.

Q: Can you have different goals and objectives within the same industry?

A: Absolutely. You will encounter differing goals at almost every organization you visit, even if they are in the same industry. They all did things a little differently to get where they are today, and they put different priorities on different subjects. Understanding the industry is simply a place to begin when you’re trying to narrow down a customer’s goals and expectations.

Q: How do you manage to maintain skill sets for all the possible situations you might face?

A: Well, it tends to vary based on your own organization. In a larger firm, we have been able to simply call for assistance from “bench” employees (those not currently contracted out). Being part of a smaller, more specialized firm, we don’t have the operational overhead to carry a bench, so we partner with those we have found to be experienced and capable through past involvement. This includes both organizational and single professional partnerships.

Q: With all of the information you don’t really ascertain until you are performing the pre-assessment site visit, how do you manage to provide proper estimates or project hour totals for the completion of an assessment?

A: This will vary based on your customer’s comfort level and the adaptability of your business model. One method that seems to work well, especially for large multisite organizations, is to offer a statement of work (SOW) for the pre-assessment visit and add a complete project SOW as another deliverable from this beginning stage. This is very beneficial to those organizations working with a fixed-price model, because you get a greater feel and understanding of what is involved after you have performed the visit.

Q: What if, during the course of an assessment, I discover that the customer organization is not in compliance with state or federal laws? What if the customer, or an employee within the organization, is deliberately breaking the law?

A: This situation can lead back to issues regarding the no-fault concept in the IAM. First and foremost, the number-one recommendation is to work out a policy with your legal department. If you do not have a computer or data specialized attorney, it would definitely show due diligence to have your policy reviewed by an expert. If you implement policies and procedures to combat this issue, we recommend sharing them with the client so there is full understanding of all procedures followed, should this situation occur. Other than seeking expert legal advice and always following all local, state, and federal laws yourself, we can’t really give you much more guidance on the issue. The rule of thumb we follow: If something causes you concern, contact your legal counsel.

Q: What if, after I provide the SOW, the customer organization requires unrealistic timelines?

A: This situation tends to come up quite often. Some organizations want to extend an assessment over the course of a year or so in order to defer costs. Some organizations want to have an assessment performed on an extremely large system or organization. In the first instance, other possibilities are out there, but performing an assessment over an extended period of time is not acceptable in the IAM process and is a waste of money for the client. You are looking to attain the security posture by taking a snapshot. Any findings or recommendations will likely have little value after an extended time period has passed. The second instance requires a business process to alleviate. Subcontracting is the norm in government contracting, even though many private sector organizations do not agree with the practice. This is ultimately your decision.

Q: What if the POC is lacking in communicating objectives to the customer organization? Should I step in and facilitate this communication? What if there is no clear POC?

A: Address the subject with the POC first and try to resolve any issues directly. If that is not possible or does not help, look toward the decision maker you identified earlier in the process. However, you should think of this in terms of “chain of command.” You must have a critical purpose for going over your POC’s head.
Chapter 3

Determining the Organization’s Information Criticality

Solutions in this Chapter:

■ Identifying Critical Information Topics
■ Identifying Impact Attributes
■ Creating Impact Attribute Definitions
■ Creating the Organizational Information Criticality Matrix
■ Case Study: Organizational Criticality at TOOT
■ Best Practices Checklist
■ Summary
■ Frequently Asked Questions
In this chapter, we cover the basic activities that must be accomplished to complete the Organizational Information Criticality Matrix (OICM). The OICM is based on customer decisions about the information types within their own organization that are critical for the completion of their mission and meeting organizational goals. The activities we cover in this discussion include:

■ Identifying the critical information at the customer organization
■ Identifying the mission of the customer organization
■ Creating impact definitions
■ Creating the OICM
■ Determining the high-water mark for the OICM

Defining an organization’s information criticality is one of the most important steps in the IAM assessment process. This process gives the customer a clear understanding of how their own organization operates and what information should be protected. These activities typically represent the first in-depth interaction between the assessment team and the customer. The customer should know they are in control of the assessment process and that they have the final word on the outcome of the assessment. The decisions they make will directly impact the quality of the final report your team delivers at the end of this project. The assessment team should not make these decisions because that often would require the team to make assumptions about how the customer organization conducts business and what their business goals are. In the world of commercial security assessments, poor assumptions on the part of the security consulting firm could result in a liability to the customer should a security incident occur.

Instead, the assessment team leader acts as a facilitator to make recommendations to the customer throughout the assessment process based on the leader’s own experience in the field of information security. As we learned in Chapter 1, the team leader should have a good deal of experience in overall information security practices but also preferably in the industry in which your current customer works. The majority of customers your team will work with during the assessment process will not have a significant amount of in-depth information security experience. Technical teams at customer sites are tuned to operational priorities that often do not include adequate security considerations. Even those customers with a highly technical and informed staff may lack the experience