Chapter 6 • Understanding the Technical Assessment Plan
Modifying the Nine NSA-Defined Areas
One way to customize the TAP is through changes in the composition of the TAP. By default, you may not remove sections and still be within the IAM guidelines. The components discussed are considered by NSA to be minimum requirements for any plan used in an assessment. If a conflict arises and a section cannot be completed, the reasons or events leading to the problem need to be clearly documented. The section remains, but the information it contains will describe the lack of completion rather than the topic itself.
Adding sections is entirely up to the customer. Several items may be added as requested or as part of an overall independent business practice. Just a few that can be used to add value to the document are these:
■ Executive summaries Summaries can go a long way toward providing descriptions and instructions on how to read and understand the plan. They can also be used to summarize the methodology or provide background on the purpose or goal of this particular assessment.
■ Version history information This can be very useful when dealing with very fluid engagements where change is the standard. In the example in the appendices, you’ll notice that a version control page was combined with approval authority to demonstrate acceptance and understanding of each change on one simple page.
Level of Detail
The level of detail is a very important aspect of the IAM TAP. It can depend on many things, such as the level of involvement the customer organization wants to have with the assessment process. A hands-on approach may dictate requirements for a very detailed plan as well as increase the chances for multiple revisions down the road.
What is included as detail should be based on interactions with the customer. This should be worked out early, during the pre-assessment site visit, and an introduction to a sample TAP during initial meetings would not be overboard. The amount of information recorded in each section is flexible, as long as all required aspects are included.
The format of this document is almost entirely up to you. Certain basic rules should apply, such as the inclusion of a cover sheet and the original order of topics, but most of this is fair game for adjustment based on what is more effective in a given scenario.
Some organizational assessments can be so large, with multiple assessment teams in action, that an overall TAP is created as the main repository, with several detailed plans attached as appendices. Some systems may be in such revolving states and of sufficient size to warrant breaking out diagrams and detailed technical descriptions or inventories into subdocuments for ease of management. The TAP is a tool. Whatever helps improve the efficiency or usability of the tool should be considered appropriate, as long as you account for all required components.
Case Study: The Bureau of Overt Redundancy
We’re back to the Department of Excess Verbiage (DEV) BOR offices. In Chapter 2 we went through the pre-assessment site visit with the BOR, detailing some of the concerns and issues regarding their environment as well as getting to understand the culture and requirements. This case study is geared toward a single document, the primary deliverable from that meeting: the TAP.
The BOR TAP
As the customer requested, we have included a document-tracking section in the TAP (see Figure 6.1). The BOR would like us to maintain a version history of the document, including change details and dates. For peace of mind, we’ve also added an approval section! Remember, this is a custom addition, not part of any NSA requirements for the TAP.
Contact Information
The next section, Contact Information, is a true requirement of the NSA IAM. As you can see in Figure 6.2, we have decided to include alternates for both the customer and the assessing teams. This gives the customer a second line of attack in the event an emergency arises, as well as giving the assessing team a second contact with either the authority to make decisions or access to decision makers, should any unforeseen events arise.
Figure 6.1 The BOR Document-Tracking Sheet
Columns: Version, Update Information, Pages Affected, Approval. One entry recorded: Pre-Assessment, 2003, approved by Justin Phun, ITSM, and Bill High, SCE Team Lead.

Figure 6.2 Contact Information Worksheets

DEV BOR Organization Contacts
DEV BOR Primary Point of Contact: Justin Phun
Address: 3608 1st Nactoobia Ln
Mobile Phone/Pager: 555.555.8365
E-mail: justin.phun@bor.dev.nactoobia

DEV BOR Alternate Point of Contact: Cole Ishin
Address: 3608 1st Nactoobia Ln
Mobile Phone/Pager: 555.555.8344
E-mail: cole.ishin@bor.dev.natcoobia

SCE Organization Contacts
SCE Primary Point of Contact: Bill M High
Title: Principal Security Consultant
Mobile Phone/Pager: 555.555.3762

SCE Alternate Point of Contact: Lynn X Roulls
Title: Senior Security Consultant
Mobile Phone/Pager: 555.555.3162
E-mail: lx.roulls@sec.cons.extra
Mission
Next we move on to the second point of the IAM TAP, the mission statement. We discussed the mission statement and tried to develop it into a more detailed product in Chapter 2. Here we display our final understanding of the mission goals as well as the formal statement the customer uses. The added detail in regard to the mission is another custom addition to this case study, so if in other scenarios it does not fit, it is certainly acceptable to leave it out. The DEV BOR mission statement is as follows:
To ensure that all products available to the Nactoobian people include maximum redundancy for maximum safety and maximum reliability at minimum cost.
Through group discussions with DEV BOR management, we identified specific detailed mission objectives and requirements. These have been broken into three detailed components that will assist in defining the direction and level of focus of current and future organizational INFOSEC programs:
■ Mandate private sector organization requirements for redundancy, quality, and durability within products
■ Introduce legislation and requirements to control industries
■ Research products for improvement opportunities
■ Publish reports detailing benefits of adoption and hazards of non-adoption
■ Maintain private sector organization costs or defray those costs without widespread public knowledge or understanding
■ Assess risk versus cost of improvements
■ Introduce methods of industry standardization for cost reduction
■ Manipulate private sector “conclusions” into legislation
■ Manage public “voting” community safety concerns in domestic consumable products
■ Validate private sector research and conclusions in terms of safeguards for consumers
■ Ensure that private sector movements and initiatives are properly marketed to consumers
After mission comes the organizational information criticality. Again, in Chapter 2 we discussed the types of information that the customer, the BOR, might use, and we rolled them into unique categories. In this section we publish those results, from specific to rollup, as well as their importance to the customer. We also include the definitions used in creating these matrices, which we defined in detail in Chapter 3. As demonstrated earlier, you’ll see that the OICM includes each and every information type determined.
To combat the confusion that often surrounds the organizational versus system criticality discussions, notice the brief description included at the beginning of the section.
Organization Information Criticality
This section discusses the perceived impact of the loss of confidentiality, integrity, or availability in regard to the information types stored, processed, and transmitted within the DEV BOR organization. This includes a listing of information types and definitions for CIA, as shown in Figure 6.3. Custom definitions of High, Medium, and Low are included as well.
BOR Information Types
■ Low An impact of Low consequence is one that may cause the loss of financial assets of less than $25,000 and basic impedance of day-to-day operations.

Figure 6.3 The DEV BOR Organizational Criticality Matrix
Columns: Confidentiality, Integrity, Availability. Rows include Completed Projects, Corporate Partners, and Legal, each rated Low/Medium/High per column, closing with a High Watermark row. The individual cell values were not reliably recoverable from the extraction.
System Information Criticality
This section discusses the perceived impact of the loss of CIA in regard to the information types stored, processed, and transmitted within specific denoted systems of the DEV BOR organization. This section works directly off much of the information in the previous section, so there is no need to be overly redundant (although maybe this customer would appreciate that?). Notice in Figure 6.4 that the section description again comes into play to avoid confusion with the organizational information criticality. Note too that these systems will be described in detail in the System Configuration section. We have broken the information into two matrices: one for the Active Bureau Campaigns System (ABCS) and a second for the Bureau Information Support System (BISS), which we’ll discuss in greater detail in a moment.
Figure 6.4 The DEV BOR System ABCS and BISS Criticality Matrices
Two matrices, one per system, each with columns Confidentiality, Integrity, Availability and a closing High Watermark row. ABCS rows: Current Projects, Corporate Partners. BISS rows: Human Resources, Finance, Completed Projects, Legal. Cells are rated Low/Medium/High; the individual values were not reliably recoverable from the extraction.
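The one mechanical step in these matrices is the High Watermark row: for each of Confidentiality, Integrity and Availability, the system (or the organization) takes the highest rating of any information type it handles. The following Python is an added example, not part of the book or of the BOR case study, that builds an OICM and the two SICMs in the shape of Figures 6.3 and 6.4 and derives their watermark rows. Every rating in it is constructed for illustration, since the figure cells did not survive extraction, and the mapping of information types to ABCS and BISS is assumed.

```python
from enum import IntEnum


class Impact(IntEnum):
    """Ordinal impact levels so max() picks the more severe rating."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


HEADERS = ("Confidentiality", "Integrity", "Availability")

# Organizational Information Criticality Matrix (OICM): every information type
# identified for the customer, rated for loss of C, I and A.  The ratings are
# CONSTRUCTED for this example; the book's figure cells were not recoverable.
OICM = {
    "Current Projects":   (Impact.MEDIUM, Impact.MEDIUM, Impact.HIGH),
    "Completed Projects": (Impact.LOW,    Impact.LOW,    Impact.MEDIUM),
    "Corporate Partners": (Impact.MEDIUM, Impact.LOW,    Impact.HIGH),
    "Human Resources":    (Impact.HIGH,   Impact.HIGH,   Impact.MEDIUM),
    "Finance":            (Impact.HIGH,   Impact.MEDIUM, Impact.MEDIUM),
    "Legal":              (Impact.MEDIUM, Impact.MEDIUM, Impact.MEDIUM),
}

# Which information types each system stores, processes or transmits.
# Assumed for the example; the book describes the systems but not this mapping.
SYSTEMS = {
    "ABCS": ["Current Projects", "Corporate Partners"],
    "BISS": ["Human Resources", "Finance", "Completed Projects", "Legal"],
}


def high_watermark(rows):
    """Column-wise maximum across the given (C, I, A) rating tuples.

    This is the IAM high-watermark rule: a system (or the organization) is
    rated as highly as the most sensitive information type it handles.
    """
    rows = list(rows)
    if not rows:
        raise ValueError("a criticality matrix needs at least one information type")
    return tuple(max(column) for column in zip(*rows))


def build_sicm(oicm, info_types):
    """System Information Criticality Matrix for one system.

    The SICM reuses the OICM ratings for the types the system handles and
    adds the system's High Watermark row.  A type missing from the OICM is an
    error: the SICM must work off information types already defined, not
    introduce new ones.
    """
    missing = [t for t in info_types if t not in oicm]
    if missing:
        raise KeyError(f"information types not in OICM: {missing}")
    matrix = {t: oicm[t] for t in info_types}
    matrix["High Watermark"] = high_watermark(oicm[t] for t in info_types)
    return matrix


def render(title, matrix):
    """Plain-text rendering in the shape of the book's matrices."""
    width = max(len(name) for name in matrix)
    lines = [title, " " * width + "  " + "  ".join(h.ljust(15) for h in HEADERS)]
    for name, ratings in matrix.items():
        cells = "  ".join(r.name.title().ljust(15) for r in ratings)
        lines.append(f"{name:<{width}}  {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    oicm_full = dict(OICM)
    oicm_full["High Watermark"] = high_watermark(OICM.values())
    print(render("Organizational Information Criticality Matrix", oicm_full))
    for system, types in SYSTEMS.items():
        print()
        print(render(f"System Information Criticality Matrix: {system}",
                     build_sicm(OICM, types)))
```

With the constructed ratings, the ABCS watermark comes out Medium/Medium/High and the BISS watermark High/High/Medium, while the organizational watermark is High across the board: the point the section makes in prose, that the system matrices are a subset of the organizational one and never introduce ratings the OICM does not already carry.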
Concerns and Constraints
This section discusses specific concerns of the DEV BOR organization and possible methods to directly address those concerns. Constraints that need to be taken into consideration are discussed as well, including workarounds. We need to make sure that we include all the concerns our customer may have; this way we keep on track with requested priorities and reassure the customer that we’re tracking the things that are important to them.
Concerns
Three main concerns have been discussed in relation to DEV BOR INFOSEC practices. Antivirus, configuration management, and backup procedures have all been found lacking in results compared with the requirements of the DEV BOR security team. Extra effort will be spent to determine current procedures and their implementation levels in regard to these concerns. They will be compared with standard industry best practices, and recommendations will be made to improve lacking processes that may be leading to ineffective measures. Recommendations will also be validated to fit within any required industry regulations or legislation.
Constraints
The only true constraint is the ABCS. DEV BOR is currently involved in a major campaign, and crucial deadlines loom on a weekly basis. There must be virtually nothing that hinders the 24 x 7 required operation of this system. Any system demonstrations and interviews need to be performed when system operators and administration staff are available. SCE understands this requirement and has arranged to perform some work outside standard business operating hours during the onsite visit to better fit within DEV BOR time frames.
System Configuration
The System Configuration section discusses the system configurations that will be addressed by this INFOSEC assessment. Here we display our understanding of the customer’s systems. Boundaries, hardware and software inventories, site information, architectures, and the like are all relevant pieces of information to include here.
The Active Bureau Campaigns System
The ABCS provides daily operations of currently active redundancy campaign programs. The system consists of two P12H servers operating Custom Kernel Clusterer 3.8.22. This system contains the most sensitive information within the BOR in terms of confidentiality. The system is protected by two N2 standard firewalls working redundantly to protect the environment from any incidents that may occur on the BOR network. The system functions using internally developed and maintained code and is backed up regularly using Redundant Redundancy+ 2.3. Users connect through the firewalls via HTTP using a terminal client that operates in any Web browser.
The Bureau Infrastructure Support System
The BISS provides general IT support for daily administration activities and organizational support functionality. The system consists of a local area network (LAN) managed by eight Cisco Catalyst switches ranging between the 2900, 4000, and 6000 series. Also in the system are eight Windows 2000 Servers utilizing Active Directory services, Exchange 2000 for e-mail services, and Sloth AV 4.8 for server and mail antivirus protection. In addition, residing on the network are approximately 1500 workstations varying in operating system among Windows 98, Windows NT, and Windows 2000, all of which are likely to be at differing patch levels. Sloth AV 4.8 clients are required on all workstations.
The Interview List
The Interview List section contains the list of individuals at BOR whom we have selected to interview (see Figure 6.5). You’ll notice that not all the job positions have yet been defined. Due to the large number of employees, we determined that we can decide on average users during the onsite visit, based on management schedules. In this instance, the Address/Location section may not be terribly important, since all the individuals reside in the same office. In larger, distributed organizations, this information becomes much more important, and it can often be helpful to divide interviewees into groups based on location for scheduling and tracking purposes.
Figure 6.5 The Interview List

Name         Position                       Address/Location       Phone/Pager   E-mail
Justin Phun  IT security manager            3608 1st Nactoobia Ln  555.555.1234  Justin.Phun@bor.dev.nactoobia
             CIO                            3608 1st Nactoobia Ln  TBD
TBD          Systems administrator          3608 1st Nactoobia Ln  TBD
TBD          Systems administrator          3608 1st Nactoobia Ln  TBD
TBD          Lead systems administrator     3608 1st Nactoobia Ln  TBD
Cole Ishin   Network manager                3608 1st Nactoobia Ln  555.555.1622  cole.ishin@bor.dev.natcoobia
TBD          System security administrator  3608 1st Nactoobia Ln  TBD
TBD          Lead help desk technician      3608 1st Nactoobia Ln  TBD
TBD          System operators               3608 1st Nactoobia Ln  TBD
TBD          Functional users               3608 1st Nactoobia Ln  TBD
Documentation
After the interviewees comes the Documentation section. In Figure 6.6 we have listed each and every document we have received. Again, the details you decide to track are up to you, but for the purposes of this case study, we decided to track numbers, dates, formats, and the name of the individual who gave the document to us. Also notice the comment at the bottom, where we clearly define an agreed-on standard for maintaining disposal security controls.
Figure 6.6 The BOR Document-Tracking Sheet

Item  Document Title                              Internal Tracking  Format          Received From            Date
D-1   Shipping Confidential Records via UPS       BOR-P&P-012        Paper           Justin Phun              3 June 2003
D-2   Disaster Recovery Plan                      BOR-P&P-035        Paper, Digital  Justin Phun, Cole Ishin  4 June 2003
D-3   Termination of Employment                   BOR-P&P-007        Paper           Justin Phun              4 June 2003
D-4   Disciplinary Process                        BOR-P&P-006        Paper           Justin Phun              3 June 2003
D-5   Safety                                      BOR-P&P-002        Paper           Justin Phun              3 June 2003
D-6   Threats and Violence                        BOR-P&P-024        Paper           Justin Phun              3 June 2003
D-7   Substance Abuse                             BOR-P&P-053        Paper           Justin Phun              3 June 2003
D-8   Storage and Retention of Records            BOR-P&P-011        Paper           Justin Phun              3 June 2003
D-9   New Hire Orientation and Processing         BOR-P&P-002        Paper           Justin Phun              3 June 2003
D-10  Internal Audit                              BOR-P&P-028        Digital         Cole Ishin               4 June 2003
D-11  Tape Backup and Media Destruction Schedule  BOR-P&P-012        Digital         Cole Ishin               4 June 2003
D-12  Systems Development Methodology             BOR-P&P-015        Digital         Cole Ishin               4 June 2003
D-13  Help Desk                                   BOR-P&P-031        Digital         Cole Ishin               4 June 2003

Agreement of disposal: All documents reviewed in paper format shall be appropriately destroyed using a shredder within 90 days of the delivery of the final report. All digital versions of software residing on SCE equipment shall be thoroughly deleted, while any removable media (diskette, CD-ROM, etc.) will be destroyed using conventional methods within 90 days of the delivery of the final report. CD-ROM dimplers and diskette shredders are considered acceptable methods of destruction.
Events Timeline
The Events Timeline section discusses the timeline for events that the assessment process will follow, as discussed during the pre-assessment site visit. This section includes dates and times for any deliverables or milestones for tracking, as well as site visits and reporting. Because unforeseen customer constraints can arise, some items may shift slightly. The timeline shown in Figure 6.7 is a rather generic one, but it does cover all the required events. We’ve even gone so far as to add “placeholders” to remind us of important meetings that will need to be scheduled as we near the close of the project.
Figure 6.7 The BOR Events Timeline

Organizational discussions
  Mission/goals (INFOSEC objectives)
  Information type determination and definitions
  OICM
  SICM
  Approval for TAP
Planning for onsite visits
  Team requirements decisions
  Schedule for onsite visits
Organizational assessment 2 June 2003–27 June 2003
  Review of documentation
  Review of requirements/standards/regulations
  Interviews
  System demonstrations
  Review of documentation
Report generation 14 July 2003–1 August 2003
  Review of documentation
  Analysis of gathered data
  Research of findings and recommendations
(Conference to be scheduled later)
(Conference to be scheduled later)
(Conference to be scheduled later)
So there we have a finished IAM TAP for our customer. From the document, you can see that we have followed all the rules and guidelines set out by NSA, but we have really been able to customize specifically to fit the BOR situation. As stated in several other chapters, this process emphasizes one of the main concepts of the IAM: flexibility. Now, once we get the TAP signed, we’re off and running to the onsite visits!
Summary
In the IAM, a great deal of focus is directed toward the technical assessment plan, or TAP. It is the most important tool assessment teams use to verify that value is being placed in the work and the deliverables. It is a conglomeration of charts, diagrams, and pieces of information that have been gathered during the pre-assessment site visit and compiled to act as a guide for completing the INFOSEC posture assessment.
Understanding the background of the TAP and the goals behind it will aid in putting together a plan that efficiently manages the activities of the IAM assessment. The realization that the TAP is a working document should allow you to create a document that can be used and updated smoothly as the project rolls on. With the assessment beginning under the added assurance of an approved and signed IAM TAP, both parties should have a better understanding of the level of effort and final products required to successfully complete the assignment.
The nine core concept areas covered by the IAM TAP should encompass most of the required information to keep a good handle on the job. With the POC information, you know where to direct questions, and the remaining sections should supply everyone with information ranging from mission objectives to system configurations and diagrams. Detailed definitions and explanations further describe the story of this engagement. Boundaries have been set, and the likelihood of scope drift has been minimized with a signed agreement demonstrating the included systems.
With the amount of flexibility granted by the IAM, we can modify the TAP in many ways to fit the needs of our business practices as well as the customer’s requirements. Understanding that the core nine topics may not be removed, we can then add any pieces we deem necessary.
In the case study, we again are involved in a fictitious IAM assessment, putting together the TAP for an industry organization. The example TAP created with case study information should give you a better direct look at what your IAM TAP should contain. It is by no means a fully functional plan, but it is a definite grounding point that covers all the key aspects the TAP requires.
After this discussion centered on the IAM TAP, your understanding of NSA’s expectations in terms of planning and assessment guidelines should be solid. If you like, feel free to use the example plan provided to create your own IAM TAP template. It is a great exercise and can assist both you and your organization in preparing to perform an IAM assessment.
Best Practices Checklist
Understanding the Purpose of the Technical Assessment Plan
■ Be sure that the plan is sufficiently introduced to the customer during the pre-assessment site visit and that ease of use for the customer is taken into consideration.
■ Verify and agree on document security controls from the beginning.
■ The TAP is an important tool to improve the performance of an IAM-based assessment, so use it.
Understanding the Format of the TAP
■ Begin with a solid template to ensure that all components are accounted for.
■ Make sure all customer concerns are documented in the TAP.
■ If system diagrams do not exist, create simple summary diagrams for inclusion in the system configuration.
■ For recording purposes, include dates within such sections as Interviews and Documentation.
Customizing and Modifying the TAP to Suit the Job at Hand
■ Determine the level of detail required by the environment and the customer organization’s needs.
■ Address all components of the TAP, even if it is just to explain the reason for a lack of information.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: Who should be involved in signing the TAP?
A: A representative from both sides should sign approval to the TAP, at minimum. Often a decision maker, information owners, and the primary customer POC are involved as well. In any event, just be sure that the highest required level is on board to confirm management buy-in.

Q: If multiple people are involved with approval, how do you address addendums or revisions to the TAP, especially if multiple sites are involved as well?
A: If multiple people have approved the original from the customer point of view, you might consider naming an official “approver” for modifications. Usually this is the customer POC who, with the approval of management, has been granted the ability to approve project-related changes. It also would not hurt to document this understanding under the section that discusses points of contact.

Q: Normally, how many pages should comprise the plan?
A: Well, that really depends on the scenario and your customer involvement, but on average, for a small to medium-sized company, the plan should be around 15–20 pages. Keep in mind that this number will vary depending on things such as the number of systems, number of sites, custom additions, and the like.

Q: Does NSA provide any templates for the IAM TAP?
A: At this time NSA does not provide any templates. The agency’s goal is to provide the framework for an INFOSEC assessment, and it relies on your industry experience and understanding of best practices. Some templates based on a combination of business practices and the NSA requirements are included with this book, but feel free to come up with your own or to alter these to suit your purposes.
Chapter 7
Customer Activities
Solutions in this Chapter:
■ Preparing for the Onsite Phase
■ Setting the Onsite Tone
■ NSA IAM Baseline INFOSEC Classes and Categories
■ The Fine Art of the Interview
■ Case Study: Interviews with a University Staff
■ Best Practices Checklist
Summary
Frequently Asked Questions
This chapter introduces the reader to the onsite assessment phase of the IAM and associated activities. By the end of this chapter, the reader should have an understanding of the preparation necessary to conduct the onsite activities, the importance and necessity of setting the tone of the assessment, the basics of the NSA Baseline Classes and Categories, and the process of conducting the security interviews. This process is intended to help the customer be comfortable and not run away from the assessment team.
NSA has emphasized the importance of the assessment team developing a strong relationship with the customer when conducting the IAM process. Through experience, we have seen how important connecting with the customer can be in creating a positive assessment environment and getting the most useful information out of the customer. This relationship building starts with the first introduction made during the contracting process and continues through the pre-assessment, onsite, and post-assessment phases.
Preparing for the Onsite Phase
On completion of the pre-assessment site visit, the assessment team will hopefully have the opportunity to return to home base and prepare for the onsite portion of the assessment. The focus of the pre-assessment site visit and the focus of the onsite phase are different. The pre-assessment phase is focused on identifying business mission, critical information, and critical systems, whereas the onsite phase is focused on gathering information about the organization’s security posture. The pre-assessment phase helps the assessment team understand the customer’s business objectives and the underlying infrastructure that supports those objectives. This type of information is critical to establishing the scope of the effort and defining impacts on the business operations. The onsite phase takes this information into account to determine whether the customer is meeting their objectives related to security or whether additional actions need to be taken to improve the organization’s overall security. To address the differences between the two phases, the assessment team will have to shift gears. They may also need to add or change team members to conduct the onsite portion of the assessment. The assessment team will not know exactly what has to be accomplished until they conduct the pre-assessment site visit. Technically, NSA defines this preparation time as the end part of the pre-assessment process. Figure 7.1 shows the preparation time as part of the IAM pre-assessment process.
Preparation gives the team time to review information collected during the pre-assessment site visit. This time should be used to decide how to address the customer focus areas or concerns and to collect the necessary questions and tools to conduct the assessment. Preparation time also gives the team leader time to address assessment focus areas and work out any issues remaining from the pre-assessment site visit. This preparation time is beneficial to both the assessment team and the customer. Proper preparation is the best way to reduce the number of problems that will be experienced during the assessment process.
WARNING
Ideally, the assessment team has the luxury of conducting preparations between the pre-assessment site visit and the onsite phase. However, often the pre-assessment site visit and the onsite phase are conducted simultaneously. Although NSA recognizes that this can happen, it is important to understand that when it does, some of the benefits of preparation are lost and the process must be closely monitored. In assessments NSA performs on its own federal customers, the agency can use a flexible timeline, but the reality in the commercial world is that we don’t always have as much flexibility. Assessment teams need to address their own timeline needs based on consultant experience and customer needs.
Assessment Team Preparation
Figure 7.1 The IAM Timeline for Preparation
Pre-Assessment: 2-4 weeks, including a Pre-Assessment Visit of 1-5 days. On-Site: 1-2 weeks. Post Assessment: 2-8 weeks. The preparation time falls within the pre-assessment phase.

A successful assessment obviously depends on a prepared assessment team. The time allocated for assessment team preparation must be used wisely to address the required administrative and technical planning that should take place during this time. Administrative planning includes actions necessary to arrange travel, clearance passing, and other non-technical types of functions. Technical planning addresses the technical needs of the client by assuring the right kind of experience with customer operating systems and applications, as well as assuring that backups are completed in case of a disaster resulting from crashed systems. The team leader should be responsible for making sure assignments are made to the assessment team and for following up appropriately to make sure the preparation tasks are being accomplished. Preparation can be broken out into administrative and technical activities. The following represents a “to do” list for the assessment team preparation:
■ Send security clearances
■ Schedule travel
■ Schedule hotel
■ Schedule transportation
■ Identify assessment team members
■ Coordinate schedules with the customer
■ Assign onsite responsibilities to the assessment team
■ Identify assessment team backups in case of emergency
■ Schedule the dog for the kennel
■ Pack your bags
Administrative Planning
The administrative activities associated with planning and preparation are primarily focused on the organization’s business needs and assuring that you cover all the details required to conduct the onsite assessment phase. The planning process also addresses the “care and feeding” of the assessment team to ensure a happy team:
■ Coordination with the customer As we said in previous chapters, communication with the customer is critical throughout the entire assessment. During the preparation activities, the team leader and some team members will have to communicate closely with the customer representative. The primary purpose of this activity is to ensure that schedules for interviews and meetings are arranged to meet the needs of both the assessment team and the customer and that the team has a location to work while on site. This communication should occur a minimum of once per week with the customer, and in the week before the onsite begins, communication will probably occur daily, even if just for a “sanity check” and to ensure that everything is ready to go. This coordination effort is also used to request and gather additional documentation needed for completing the assessment. Documentation will need to be coordinated throughout the entire assessment.
■ Travel arrangements Don’t forget about the simple things, like airline and hotel reservations. Consider the location of accommodations and times of travel for the team while making travel schedules. The hotel will be their home for the next two-plus weeks, so ensure that the basic amenities are there. Important considerations may include proximity to restaurants, entertainment, a gym and pool in the hotel, and high-speed Internet access.
■ Care and feeding of the team Don’t underestimate the value of the little considerations for the assessment team. These include not only a comfortable hotel room but also healthy snacks and appropriate beverages for the team members. For example, many technical people survive on products like Mountain Dew and coffee. Make sure that these are available. Brain-boosting snacks may also be appropriate for those times when team members need a little pick-me-up. Think and plan ahead, and you will have a much happier (and therefore more efficient) assessment team.
Technical Planning
The technical planning process focuses on those activities directly related to determining the customer vulnerabilities. It covers any preparation activity not already handled in the administrative planning process:
■ Assigning responsibilities The team leader generally has the responsibility for assigning tasks that will need to be accomplished, during both the preparation activities and the onsite assessment itself. These tasks include the team selection process mentioned previously. The pre-assessment site visit will identify several focus areas for the team. Based on the team expertise, certain individuals will be assigned to interview customer