
Security Assessment: Case Studies for Implementing the NSA IAM, Part 10


DOCUMENT INFORMATION

Basic information

Title: Security Assessment Case Studies For Implementing The NSA IAM Part 10
School: Syngress Publishing
Field: Information Assurance Management
Type: Essay
Year published: 2003
City: Not Specified
Format:
Pages: 42
Size: 858.56 KB


What Was Good?

Positive results should be put on your Good list. These are processes that you might never have tried before during an assessment but that worked out well. These include such things as the change in interview style we mentioned earlier. Another example might be a new interviewer on the team who performed well and can be added to the list of team leaders for your company. Our goal is to identify the good attributes of our assessment process.

NOTE

Good lessons are just as important to understand as the negative lessons. I’ve seen many organizations that approach the analysis of lessons learned as a pessimistic activity that generally only points out negative activities. This couldn’t be further from a healthy approach. The truth of the matter is that the process needs at least as much positive reinforcement as negative.

Consider some of the activities that might have seemed “spur of the moment” when they were performed but eventually added value to the assessment process. This is important because it reassures team members that individual thought about the way our assessment process unfolds is a good attribute. Team members with positive attitudes will do much more to improve the process than those with negative attitudes.

What Requires Improvement?

Negative results should be put on your Poor list. Negative items might include processes that perform poorly in certain situations or the lack of a needed process altogether. These aren’t necessarily things you’ve known about for months, which is why we call them lessons learned. Your team will pick up these tidbits of information through experience and from assessing a variety of customers and industries. In actuality, you should view these lessons as positive since they give the team an opportunity to improve immature processes.

www.syngress.com

Tying Up Loose Ends • Chapter 11 389


Utilizing Lessons Learned

Now you’ve created these lists of the lessons you’ve learned during the assessment process and you’re trying to figure out what to do with them. How do we integrate lessons learned into the IAM? The lessons we learn during assessments, if analyzed properly and taken advantage of, can lead to continuous process improvement. After all, continuous improvement of our processes will create a better product and hopefully generate more business for our company.

Integrating Lessons Learned into the Business Process

NSA does not provide information in the structure of the IATRP regarding how organizations should integrate lessons learned. This activity is normally a business process and should be considered unique to each organization. But there are a few things that appear to remain the same, regardless of the organization, when we try to integrate lessons learned. These things are:

■ Identifying lessons that provide value

■ Integrating the solution into normal procedures

■ Providing tracking of the process for future assessments

The first step is deciding which lessons learned during the assessment actually provide value. As you analyze your lists, try to envision how each item can provide value. What does the lesson give us that we don’t have covered in other processes? Is the lesson a result of not fully implementing or conducting processes that already exist, or is it a totally new process that needs to be considered? If our lesson is something that can be addressed in a process we already perform, it probably makes sense to adjust the existing process to address our lesson. If the process is something we haven’t previously utilized, we should consider integrating it into our normal assessment procedures.

The integration of a new process can be difficult for an inexperienced assessment team. New team members don’t always adjust as well as we’d like and can forget new procedures. We know from experience that consultants in any field are liable to work on autopilot, allowing themselves to be carried through the process by their own habits.

To counter this possibility, the organization conducting the assessments should consider creating methods for tracking the assessment process, including each individual process that occurs. The easiest method for doing something like this is to create a master checklist of activities that must be performed. As the IAM assessment progresses, each team member will find themselves responsible for different pieces of the assessment process. If we include processes designed to address previous lessons learned, we ensure that each process is seen and addressed by the team members. A sample checklist is shown in Figure 11.3.

NOTE

Figure 11.3 is not a complete checklist but instead provides a sample of what can be done to track assessment activities. The actual document used should be customized to your organization’s own.

Figure 11.3 Sample Assessment Checklist

Customer Mission and Data:

1. The assessment team and the customer have come to an understanding of:
   ■ The scope of the assessment
   ■ The way the assessment process works
   ■ The level of detail required in recommendations
   Document name/location:

2. The assessment team understands the customer mission, goals, and objectives.
   Document name/location:

3. The assessment team and the customer have defined the types of information the customer processes.
   Document name/location:

4. The assessment team and the customer have come to an understanding as to the perceived value of the customer data and information to the customer.
   Document name/location:

Customer Criticality Matrices:

5. The assessment team and the customer have determined what information is critical to the customer mission and the systems containing that data.
   Document name/location:

6. The assessment team has worked with the customer to define the impact values associated with the OICM.

Continued

Consider the confusion new consultants may encounter when they first start using your organization’s methodology. One method for countering this learning curve is to add an easy-to-follow checklist that provides a foundation for assessment activities. This allows newer team members to gain a better understanding of the events that are supposed to occur within the assessment. In the end, the customer will have a higher-quality product and your team members will be more confident in their work. Hopefully this will also contribute to a more productive and cohesive team environment.

Certainly there are other methods for ensuring that the processes are repeatable. Creating standard processes and documenting these processes, in some form or another, will aid in creating an environment for repetition. Whether you use a checklist similar to the example in Figure 11.3 or you create something totally new, standardizing your activities will ensure that each assessment is conducted similarly, all team members are comfortable with the way the assessment is conducted, and the customer receives the same level of service regardless of what individuals are on the team.


The value of repeatable processes cannot be overstated. Organizations such as the ISO have created criteria and certification programs for organizations that want to improve and demonstrate their ability to continue functioning. Repeatable processes and the documents that define these processes are key. Having the ability to maintain a higher level of performance over an extended period of time indicates maturity within the business and assures customers that they will receive the same level of product and service.

Case Study: The University of Science

The University of Science is a typical higher education institution focused on providing return value to the various industries the university supports through education, research, and development. Our organization was contracted several months ago to provide an IAM-based assessment of this educational institution. The assessment process went well and uncovered a large number of issues of which the customer was not previously aware.

Understanding the Requirements

According to our contract and statement of work with the customer, we did not have an obligation to provide document retention services. The customer had not expressed an interest in the service until the assessment was in full swing. The problem was that our company does not offer this service as a core competency. In order to help the customer in this area, we recommended a partner company to the customer. Our partner has been providing these services for the past five years as part of its business continuity offering. The partner was appropriately equipped and able to offer this service to our client. But the piece of this recommendation that we could help the customer with concerns deciding what documentation should be kept and what documentation should be destroyed.

What Should We Keep?

Initially, we concentrated on those documents that should be retained as part of the security trend for the customer organization. We recommended that the final report be retained as part of a good security program because it provides legacy information on where the customer organization began addressing security and its progress thus far. The technical information and recommendations belong to the customer. Retaining this information depends heavily on the customer goals regarding the information. In this situation, the customer decided that once current findings have been resolved, the technical information will be retained as legacy documentation. All documents will be kept for three years to provide historical data for future assessment efforts.

What Should We Destroy?

The decision about what documents would be destroyed was relatively easy. The customer already had copies of all the standards and regulations used during the assessment process. Those documents could be destroyed since no new versions of those documents were released. The documents we created during the assessment in relation to our interviews were to be destroyed. The NSA IAM teaches that any notes taken during the assessment process should remain anonymous in order to keep the assessment process in a state of nonattribution. The customer was made aware of these issues during the development of the statement of work. According to our contract with the customer, the interview notes would be destroyed. The only exception is the information in the final report, which was combined from all the individual sources.

Designating a Followup POC

Since the delivery of the final report at the beginning of last week, we haven’t heard back from the customer. We’ve about reached the point when we need to consider following up with the customer. The team leader previously designated the POC for each area of the assessment and now gives the go-ahead to each team member to begin the followup process.

The team POCs were selected based on their knowledge of the subject areas we dealt with during this assessment. Mike was selected to provide followup on the disaster recovery area because he has years of experience in this area and should be able to provide knowledgeable help to the customer. Sarah was chosen to follow up regarding the UNIX-heavy environment at the customer location. The team leader will follow up with the customer POC concerning any issues or questions related to the final report, its format, or any other assessment-related questions.


What Have We Learned?

Our last step is to analyze the lessons we learned during the assessment process. As in most assessments, some of our lessons learned are positive, others are of a more negative nature. The team leader lists the lessons learned in order to evaluate their eventual value to our assessment process. All the team members have the freedom to submit issues as lessons learned. Each lesson is then analyzed one by one to determine its value and relevance to our assessment process.

Our lessons learned include a new report format that seems a better fit for the assessment work being performed and a method of holding interviews in a group setting. The team sits down together to judge the value of these two lessons. The new suggested report format is actually just an expansion of what is already being done. The value provided is the customer’s clearer understanding of report findings. The team agrees to integrate this lesson into future assessments by including the new information in the template for our final reports.

The second lesson deals with holding group interviews for the user community at large organizations. This allows us to get a better overall feel for the actual understanding of the customer security environment while making it clear to users that if there are concerns, they can contact the team offline to discuss the issues in private. The team discusses this second lesson and determines that this activity already occurs and does not require integration into the current assessment process.


Document retention is not directly covered in the NSA IAM beyond simply stating that the information is customer proprietary and does not belong to the organization conducting the assessment. If you’re performing these assessments, consider all documentation sensitive. Documents should never be held by the assessing organization beyond a 90-day period. This time period enables you to answer any customer concerns or questions.

Special conditions may exist where the customer has asked you to provide document retention services. There is a significant level of liability associated with maintaining sensitive documentation regarding customer security postures. Special storage requirements may exist, such as physical security concerns, storage space, and file system security. Other concerns include the backup and restoration of this information for business continuity purposes or understanding the ramifications of a compromise of customer data on your organization. The long-term retention of sensitive customer information is discouraged unless this is a core competency of your organization and is not covered by NSA in the IAM.

To ensure the highest quality of followup with the customer, the team member performing the activity needs to show appropriate concern for the customer’s situation. Remember to be tactful in all your dealings with the customer. Don’t make statements that can be misconstrued or misinterpreted. Try to remain friendly during the process. Assessments can be frustrating, but keep in mind that the customer is paying the bill and will likely talk to friends and colleagues concerning the assessment. Your ability to provide responsive and caring followup could provide opportunities for more work.

Although not addressed in detail by NSA during the IAM training, the process of evaluating lessons learned is important for ensuring the continuing growth and evolution of your assessment services. Lessons can be negative or positive and should be integrated into your processes only if they provide adequate value. In some cases, lessons can be integrated into processes that already partially meet our requirements.


Best Practices Checklist

Examining Document Retention

■ Understand the contract requirements for document retention.

■ Understand the liability for accepting responsibility for document retention.

■ Organize your documentation by areas: public domain, customer, and generated.

■ Consider the security requirements of retaining sensitive documentation.

■ Look into alternatives and partnerships if document retention is not a core competency of your business.

Performing Customer Followup

■ Followup is a great method for eliminating customer confusion and ensuring customer satisfaction.

■ Express genuine concern for the issues the customer is facing.

■ Ask the right questions to obtain useful answers. Consider creating a baseline list of questions to begin the followup process.

■ Designate responsible team members for each portion of the followup process, and communicate the information to the team to ensure they’re prepared.

■ Track the followup process to ensure that no customer questions or concerns fall through the cracks.

Evaluating Lessons Learned

■ Analyzing the lessons we learn during the assessment process helps create maturity within the process.

■ Lessons we learn during each assessment can be either positive or negative.

■ Negative lessons indicate areas that need improvement or enhancement.

■ Positive lessons promote team involvement and assessment process evolution.

■ Integrate the lessons that provide value into the overall assessment process so that they will continue to be used in future endeavors.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: Does your company provide document retention services, and if not, why not?

A: Document retention is simply not one of our core competencies, and until we decide to focus on that business area, we’re ill equipped to deal with the logistics or legalities of storing sensitive customer information. When customers inquire about this service, we refer them to partner entities that focus on this area and can provide better value. From a business perspective, this strategy allows us to remain strong in those areas we’re best at without getting sidetracked just to earn a dollar.

Q: Does followup need to be performed on every size of customer organization, or should we really only concentrate on larger customers?

A: As a business, we do follow up with every customer organization, regardless of size. In the end this is really a business decision, but we don’t feel that smaller customers are any less important than our larger customers. It takes a little extra time and it can be uncomfortable sometimes, but it’s worth it when the customer is satisfied with the results.

Q: The example you give for an assessment checklist seems pretty generic. Do you know of any better examples?

A: We provide a generic example just to convey the idea of what a checklist should cover. What you create in your business depends heavily on how your organization conducts these assessments. It’s never smart to simply cut and paste someone else’s checklist into your own processes, since your requirements are most likely different from those of your competitor.

Q: Have you run into situations where the customer has expressed distinct concerns but your team finds it difficult to get in touch with the customer to help resolve the concerns? If so, how did you deal with the situation?

A: Yes, there will always be customers that have too much going on in their everyday business world. The resolution of assessment concerns often loses priority because the customer has to face more pressing issues on a daily basis. We like to continue trying to resolve the issues for as long as possible. We use calls to the customer’s desk phone and cell phone and e-mail messages in the majority of cases to attempt to make contact. In some limited cases we’ll use postal mail to contact the customer, but this tends to be tedious and extremely slow for a timely assessment process. In the end it’s really up to the customer to respond to your offers of help.

Q: Can an assessing organization legitimately make decisions about what documents should be kept or destroyed?

A: No. You cannot make any decisions for the customer during an IAM-based assessment. The customer knows best about their own business, but your team should provide guidance and expertise on procedures that should be considered. When it comes to document retention or destruction, you can make recommendations to the customer, but the final decision should be the customer’s to make.

Q: Can a single team member be the POC for multiple areas of the assessment process?

A: Yes. The members of the assessment team should be able to cover multiple areas of knowledge within the assessment process. For example, there is a good chance that the team member with Windows or UNIX experience will likely have network knowledge as well. Assigning that team member the responsibility of following up with the customer in those two areas is not uncommon.


Appendix A: Forms, Worksheets, and Templates

NOTE

In addition to copying the documents available on the next few pages, you can download versions of the documents from the Syngress Solutions Web site for the title Security Assessment: Case Studies for Implementing the NSA IAM.

IAM Pre-Assessment Site Visit Checklist

Organization Name:                Date:

Assessment Team Leader:           Assessment Team Members:

Organization Primary Point of Contact (POC):
Title / Address / Desk Phone / Mobile Phone/Pager / E-mail

Organization Representative:
Title / Address / Desk Phone / Mobile Phone/Pager / E-mail

Organization Representative:
Title / Address / Desk Phone / Mobile Phone/Pager / E-mail

Organization Representative:
Title / Address / Desk Phone / Mobile Phone/Pager / E-mail

1. IAM Planning Survey: Customized and delivered to client? Received and reviewed?

2. Travel Arrangements: Air? Hotel? Car?

3. Team Composition, Technical: Technical personnel available and scheduled?

4. Team Composition, Industry: Industry-knowledgeable personnel available and scheduled?

5. Customer Scheduling: All appropriate customer personnel available and scheduled for visit?

2. Organizational Information Criticality: Performed and documented with organization

3. System Information Criticality: Performed and documented with organization

4. System Security: Documented and verified with

IAM Planning Survey

Organization Name:                Date:

The purpose of this survey is to collect information relating to a target organization and system in order to prepare for an IAM assessment. Please complete this document to the best of your ability, answering questions as briefly, yet as completely, as possible. If you have questions regarding this process, please contact your appointed representative at the phone number or e-mail address listed below.

Assessment Team Point of Contact (POC):
Title / Address / Desk Phone / Mobile Phone/Pager / E-mail

Organization Primary Point of Contact (POC):
Title / Address / Desk Phone / Mobile Phone/Pager / E-mail

2. Do you believe there will be a need for travel to remote sites? If so, how many of them?

3. Do you currently outsource any functions of IT? If so, what functions?

4. Do you have an IT Security department? If so, what positions are included?

5. How many employees are located at each site?

6. Please list any organizational information you feel pertinent to the assessment that might not have been requested.

Information Technology (IT) Environment

For this section, please describe aspects of your infrastructure architecture.

1. What networking protocols are in use? (TCP/IP, SNA, IPX/SPX, etc.)

2. What network elements (NE) are in use? (Cisco, 3COM, Foundry, etc.)

3. What types of mainframe or terminal-based systems are in use?

4. What server-level operating systems (OSs) are in place? (Windows, Novell, Solaris, etc.)

5. How many server-level systems are located at each site?

6. What desktop-level OSs are in place? (Windows, Mac, Linux, etc.)

7. How many desktop-level systems are located at each site?

8. What services are made available externally? (FTP, HTTP, SMTP, etc.)

9. What applications support external services? (Exchange, Netscape, Apache)

10. What services are made available internally? (FTP, HTTP, SMTP, etc.)

11. What applications support internal services? (Exchange, Netscape, Apache)

12. What remote access is permitted, and through what medium? (ISDN, RAS, VPN, etc.)

13. What internal domain structuring is in use? (NT Domain, AD, NDS, etc.)

14. What wireless technology is in use? (802.11, Bluetooth, etc.)

15. Are any third-party connections in place? (Customer, partner, etc.)

16. Is Voice over IP (VoIP) in use?

17. Is converged network architecture implemented?

18. Please list any infrastructure information you feel is pertinent to the assessment that might not have been requested.

Technical Security Environment

For this section, please describe aspects of your infrastructure architecture.

1. Are boundary firewalls in place? (Raptor, PIX, Checkpoint, etc.)

2. Are firewalls used internally for compartmentalization?

3. What intrusion detection systems (IDSs) are in use? (Real Secure, Snort, etc.)

4. What types of IDS agents are used? (Network, host, or hybrid)

5. What types of encryption, strength, and methods are in use? (WEP, HTTPS, PKI, 3-DES, etc.)

6. What types of centralized security have been implemented? (SecureLogin, BindView, etc.)

7. What types of added identification authentication measures are in use? (Token, digital signature, etc.)

8. Please list any infrastructure information you feel is pertinent to the assessment that might not have been requested.

Industry Guidance Environment

For this section, please respond in accordance with any and all legislation, regulation, or guidance the organization is compelled to comply with.

1. Health Insurance Portability and Accountability Act (HIPAA)   Yes / No

2. Gramm-Leach-Bliley (GLB)   Yes / No

3. Financial Management and Accountability Act (FMA Act)   Yes / No

4. Sarbanes-Oxley   Yes / No

5. Family Educational Rights and Privacy Act (FERPA)   Yes / No

6. Federal Information Security Management Act (FISMA)   Yes / No

7. National Institute of Standards and Technologies (NIST)   Yes / No

8. Please list any and all local, state, and federal regulations the organization is obligated to comply with (PDD-63, OMB A-130, FIPS, Clinger-Cohen Act).

9. Please list all guidelines followed but not previously mentioned.

Types of Documents That Require Tracking

This section presents samples of documents an assessment team needs to perform an assessment. This section is designed to provide a guide for some of the titles that we have seen. Specific naming of documents is organizationally dependent, so this list may not include all the names you may encounter. All documents should be logged on a simple document-tracking sheet.
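A simple document-tracking sheet that applies the retention guidance from this chapter: documents are organized by area (public domain, customer, generated), the assessing organization's custody is flagged once it passes the 90-day limit, and attributable interview notes are marked for destruction to preserve nonattribution. This is an added example, not the book's own material; the class and function names, the sample documents and their dates are constructed, and the disposition it produces is a recommendation only, since the chapter's FAQ makes clear the final decision is the customer's.

```python
"""Document-tracking sheet with the chapter's retention rules applied (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List


class Area(Enum):
    """The three areas the best-practices checklist says to organize documents by."""
    PUBLIC_DOMAIN = "public domain"   # standards/regulations the customer already holds
    CUSTOMER = "customer"             # customer-owned material collected for the assessment
    GENERATED = "generated"           # material the team produced (notes, final report)


class Disposition(Enum):
    """What the team recommends; the customer makes the final decision."""
    DESTROY = "destroy"
    RETURN = "return to customer"
    RETAIN = "retain (customer keeps as legacy record)"


# From the chapter: never hold customer documentation beyond a 90-day period.
ASSESSOR_HOLD_LIMIT = timedelta(days=90)


@dataclass(frozen=True)
class TrackedDocument:
    name: str
    area: Area
    received: date               # date the assessing organization took custody
    attributable: bool = False   # identifies individuals (e.g. raw interview notes)
    closed: bool = False         # already returned or destroyed, per the sheet


def recommended_disposition(doc: TrackedDocument) -> Disposition:
    """Map a document to the chapter's retain/destroy guidance."""
    # Anything attributable is destroyed to keep the assessment in nonattribution.
    if doc.attributable:
        return Disposition.DESTROY
    # Standards and regulations: the customer already has copies, so ours go.
    if doc.area is Area.PUBLIC_DOMAIN:
        return Disposition.DESTROY
    # Customer-owned technical material is customer proprietary; it goes back.
    if doc.area is Area.CUSTOMER:
        return Disposition.RETURN
    # Generated, non-attributable output (the final report) stays with the customer.
    return Disposition.RETAIN


def hold_deadline(doc: TrackedDocument) -> date:
    """Last day the assessing organization may still hold the document."""
    return doc.received + ASSESSOR_HOLD_LIMIT


def overdue_holdings(sheet: List[TrackedDocument], today: date) -> List[str]:
    """Names of documents still in our custody past the 90-day limit, in sheet order."""
    return [d.name for d in sheet if not d.closed and today > hold_deadline(d)]


def render_sheet(sheet: List[TrackedDocument], today: date) -> List[str]:
    """One line per document: the simple tracking sheet the appendix calls for."""
    rows = []
    for d in sheet:
        if d.closed:
            status = "closed"
        elif today > hold_deadline(d):
            status = "OVERDUE"
        else:
            status = "held"
        rows.append(f"{d.name:<36} {d.area.value:<14} "
                    f"{recommended_disposition(d).value:<42} due {hold_deadline(d)} {status}")
    return rows


# Constructed sample sheet for a fictional engagement; names and dates are made up.
SAMPLE_SHEET = [
    TrackedDocument("Final report (team working copy)", Area.GENERATED, date(2003, 3, 3)),
    TrackedDocument("Interview notes, user community", Area.GENERATED, date(2003, 2, 20),
                    attributable=True, closed=True),
    TrackedDocument("Copy of customer security standard", Area.PUBLIC_DOMAIN, date(2003, 2, 20)),
    TrackedDocument("Customer network diagram", Area.CUSTOMER, date(2003, 4, 1)),
]
SAMPLE_TODAY = date(2003, 6, 15)

if __name__ == "__main__":
    for line in render_sheet(SAMPLE_SHEET, SAMPLE_TODAY):
        print(line)
```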

Policy Documents

■ Acceptable-Use/Internet Usage Policy

■ Business Strategy

■ Corporate Mission

■ Employee Code of Conduct

■ Information Security Policy

■ Information Systems Security Policy

■ Internet Usage Policy

■ IT Strategy

■ Mission Statement

■ Organization Chart

■ Organizational Description

■ Organizational Security Policy/Procedures

■ Personnel Security Policy

■ Physical Security Policy

■ Concept of Operations (CONOPs)

■ HR Procedures (Hiring, Transfer, Retirement, Termination)

■ List and Description of HW, SW, FW, OS, DB, GOTS, COTS, DOI/NBC Unique Applications

■ Maintenance Standards/Change Control

■ Mission Needs Statement (MNS)

■ Network Connection Rules (External)/External Connection MOU/MOA

■ Operational Requirements Document (ORD)

■ Security Concept of Operations (SECCONOPS)

■ Security Department/Committee Mandates

■ Security Programming/Testing Standards

■ Technical Standards/Guidelines

System Security Plan Documents

■ Contingency Plan/Continuity of Operations Plan (COOP)

■ Configuration Management Plan

■ Network Diagrams/Architecture with Narrative
  Network Diagram (High and Low Level) Required

■ Personnel Security Plan

■ Physical Security Plan

■ Prior Assessment (Threat/Risk/Security)

Posted: 13/08/2014, 15:21