... questions
that will help the assessment team gain the needed information and identify the
organization’s vulnerabilities. The first resource for questions comes from the
security expertise of the assessment ... feedback from the departments that the assessment was
going better than they expected and that they found value in the information
that was being collected. Th...
... drive the
assessment effort. Ultimately, the majority of information is the same in either
www.syngress.com
Laying the Foundation for Your Assessment • Chapter 1 3
Contracting and the NSA IAM
NSA ... of
performing assessments the way NSA does.
To recap, the IAM trains the individuals in the IAM standard, while the IA-CMM
appraises the organization’s ab...
... have to map the finding to the OICM, or can you just map it
to the SICM?
A: As you have already learned, the impact definitions are the same for both the
OICM and the SICM. Therefore, the findings ... client. They are now all on the same page when it comes to their critical
systems and critical information. They are all aware of the issues or vulnerabilities
they have within t...
... directly from
the integration of the organization’s mission with the IAM process and security
46 Chapter 2 • The Pre-Assessment Visit
Figure 2.1 The IAM Timeline: The Pre-Assessment ... phases of the IAM assessment.
This allows the assessment plan to be used as the scoping input for the
onsite assessment contract.
Understanding Scoping...
... have the appropriate pieces in place to create the OICM. This is
one of the primary deliverables of the IAM assessment; it defines much of the key
information that lays the foundation for the remainder ... the time the
IAM engagement gets into full swing, however, the main customer POC
is often the biggest proponent of the process.
Who Is the Assessment Team L...
...
In the majority of assessments, the values for each block within the SCMs
will be carried directly over from the OICM. Because of the top-down nature of
the NSA IAM, the OICM already ... the
columns across the top of the matrix with the names of the impact attributes
we’ll be using for the assessment. The rows are labeled along the left...
... up the TAP, since it can be considered the core outcome of
the pre-assessment site visit. The TAP is the primary deliverable created during
the pre-assessment phase. The TAP combines all the information ... practices.
Understanding the Purpose
of the Technical Assessment Plan
The TAP document is designed to tie together all aspects of an IAM between the
customer...
... adjustments to the assessment approach to be able
to accomplish the effort
■
Reiterates the benefits of the assessment process
Customer Activities • Chapter 7 2 27
... have the opportunity to return to home base and prepare for the onsite
portion of the assessment. The focus of the pre-assessment site visit and th...
... conduct
the assessment. In our case, we describe the NSA IAM as the methodology used
to conduct the assessment and the basis for the assessment process. Since this is
the main document, the assessment ... analysis.
Security Horizon utilized the National Security Agency (NSA) Information
Security Assessment Methodology (IAM) to conduct the organizati...