Security Assessment: Case Studies for Implementing the NSA IAM, part 3


■ Regular practice Imagine—some organizations include an assessment as part of a good overall security practice! In this case you usually run into a fairly open and knowledgeable staff.

Again, your understanding of the customer organization’s motives is an additional piece of information you can use to do a better job. When we assess security controls, we tend to inspect them rather closely, and rightfully so. In a manner of speaking, we are security controls as well. We should also look for any way to improve our processes and our work.

Defining Roles and Responsibilities

Over the course of an assessment, you will work with a multitude of people at the customer organization who have different roles and responsibilities regarding information security. It is essential that you understand who is in what role and who can do what to make sure the project progresses smoothly. Many of the people placed in the roles described in this section will be of your choosing. Others will not; however, we can at least discuss with the customer our expectation for these roles in an effort to maintain customer expectations and help them appoint the people we’ll need to be successful. As stated earlier in the book, the assessment is a team effort, and the quality of the final report is heavily dependent on customer involvement. Some of the roles we discuss here and their relationships with security are:

■ Decision maker
■ Customer POC
■ Upper-level management
■ Functional area representatives
■ Senior INFOSEC manager
■ And many more

Who Is the Decision Maker?

The decision maker is the key player when it comes to setting the scope of the assessment process and determining relevant boundaries. He or she is likely the person who authorized funding to bring in an independent team. The decision maker normally has his or her own objectives in relation to the assessment outcome.

The decision maker will ultimately authorize the direction and scope of our assessment process. Early in the IAM process, during potentially intense debates among departments about information criticality (which we address later, in Chapter 3), you will often see one individual who has to that point been rather quiet raise their hand and end the debate by making a decision based on that person’s interpretation of the conversations up to that point. You have just found your decision maker. The role is not always based on position or title. You may see a chief information security officer (CISO) or a CIO defer judgment to an ITSM. Every organization is different, but this individual can be very influential in assisting your success. Make sure you take note of this person because you may need his or her direction or clarification later in the process.

The decision maker is one of the integral components in securing management buy-in. When this individual makes it known that your project is going to be beneficial to the organization, you will get a much better response from individuals on the org chart below him or her. Without adequate buy-in at this level, don’t expect too much support from any level as the process continues!

Who Is the Main Customer POC?

The main POC for the customer is an extremely important person in this process. He or she is your liaison to the customer as well as your window into the customer’s organizational culture. Because you will rely so heavily on this person, this is an important relationship to establish early. The customer organization’s POC will work as a member of both the customer team and the assessment team. He or she will also be involved from the beginning of the project and beyond completion. The role this person normally occupies should not be either too high on the “food chain” or too low. Usually middle management is a good place to start looking for a candidate.
Upper managers will usually not have the time necessary to dedicate to this project to make it successful. Lower levels of administration will not have the authority to manage your needs in the organization. A manager in the IT or IT security departments is usually a good place to start looking, if you are allowed any input. The customer organization may already have someone in mind, which is fine, but you need to verify that they understand everything that will be expected of the customer POC.

The customer POC’s level of involvement in the assessment is significant. Any issues that arise from either the assessment team or the customer team will be funneled through this person. As a member of the customer team and the assessment team, he or she will be involved in almost all group meetings and interviews. The POC is responsible for seeing that all requests from the assessment team are handled in an appropriate manner and that all concerns of the customer team are dealt with. Assistance with coordination of the onsite visit is crucial as well in terms of time management across multiple interview schedules. This role is almost that of a quality control or project manager, considering the purposes behind the responsibility and the requirement to manage needs as they arise.

The POC’s duty as a member of the assessment team is also to ensure that your goals and objectives stay on course with the customer organization’s goals and objectives. Assessment projects can often become sidetracked due to possibly large teams and the large number of people involved. Importance and priority of data to its owners can be a very emotional topic. Maintaining level heads and a clear vision moving forward depends on the customer and assessment POCs.

NOTE
Interestingly, the main customer POC usually starts out with one of two predisposed attitudes: intense doubt or anticipation. By the time the IAM engagement gets into full swing, however, the main customer POC is often the biggest proponent of the process.

Who Is the Assessment Team Leader?

The main POC for the assessment team is the role with the most involvement. This is often the team leader or project leader. In reciprocal comparison to the customer POC, the assessment team leader is responsible for handling any customer issues or concerns. He or she is also the individual with the important duty of managing customer expectations. The assessment team leader will work very closely with both sides of the engagement and must have an appropriate personality. This may seem a little “picky” at first, but with the amount of involvement, the opportunities for argument, the goal of customer satisfaction, and the number of interviews geared toward extracting information, it really is a serious concern. Excellent problem management and people skills are musts in the personality of any team leader.

The assessment team leader is usually the individual with the most NSA IAM experience and will frequently be best suited to the role of lead interviewer as well, due to the high level of charisma required for the position. The leader’s role is as a facilitator in the opening meetings to discuss the engagement and the organization as well as to ensure that the process stays on track and is efficient enough to complete tasks in the short time allotted.
Suggestions for the Assessment Team

For the PASV, you will want to bring along a team leader (often the assessment team POC) and one or two team members. The team leader will run most meetings; the other members will take notes and offer information in supporting roles. This is one reason you garnered all that information during your preparation. Your team should be staffed with people who are experienced in the industry of the customer organization and familiar with similar technical environments. These people may or may not be a part of the team during all phases of the assessment, but their knowledge will be vital to facilitating the activities detailed in Chapters 3–6.

Ultimately, the customer POC should be considered a member of your team. If and when he or she has suggestions or questions, listen not based on technical or security-related experience alone but on the POC’s knowledge of the environment you are attempting to help protect. The person in this role will not always want to have a great involvement with the actual assessment side of the product outside of assisting the team and facilitating scheduling and introduction issues, but any assistance you can garner while “getting to know” the customer organization is always beneficial.

Possible Members of the Customer Team

The customer team will be very active in the PASV portion of the engagement. You are planning to accomplish several tasks and need to collect a wealth of information that only key parties can give, and now is the time to do so. Remember, many of these people are high-level representatives, and you are not likely to get much time beyond this to speak with them. There are five main roles you should look for to be involved with the PASV meetings:

■ Upper-level management Involved to provide overall mission guidance and promote appropriate management buy-in. The decision maker is usually a member of this group as well. This group or individual will verify that you are headed in the right direction and can disseminate instructions of cooperation downward on your behalf.
■ Functional area representatives These people will provide knowledge in regard to specific information types, functional roles of their departments, and sensitivity of department-owned information. Information ownership frequently resides at this level.
■ Senior system manager This role will be able to provide you information in regard to the current footing of INFOSEC in day-to-day operations. Others may define policies and procedures, but ultimately this team member is the one who implements them (or at least is supposed to!).
■ Senior INFOSEC manager This is the party responsible for authoring and relaying all the documentation you will be reviewing over the next few months. This person is usually the most security-literate member of the customer team and is often there to validate your approach to, and understanding of, upper management in the first few days. You will likely be heavily involved with this person throughout the process when requesting documentation or clarification of text.
■ Customer POC The POC usually has a vested interest in the proceedings and is often a member of one of the aforementioned groups, since this person is at the right level within the customer organization to facilitate the success of the assessment.
If not, he or she should be a part of these proceedings as well to ensure that everyone understands the process that is about to unfold.

Planning for the Assessment Activities

The amount of work that needs to be performed in such a short period of time is extensive and can lead to long, stressful days if proper preparation and planning are not performed. In this section, we cover the activities that you will perform during the PASV. Appendix A contains a PASV template that will assist you in organizing and scheduling the limited amount of time you have during your site visit. These are the main points we address:

■ Developing mission identification
■ Determining organizational criticality
■ Determining system criticality
■ Defining system boundaries
■ Defining goals and objectives
■ Creating the assessment plan
■ Setting the scope and coordinating the assessment

Once these tasks have been achieved, you will be well on the way to performing an assessment. Remember, you can add to this list in whatever way it helps your organization or conforms with your business processes. This is simply a foundation of the minimum goals you should have for your pre-assessment site visit.

From the Trenches…
The Importance of a Team Atmosphere
Nothing can destroy a good security assessment faster than emotional flare-ups. They can happen on both sides of the project fence as security and information ownership topics are hotly debated. People can become passionate about the security of their own information assets, which is a good thing; yet tempers must always be kept in check. The team needs to maintain and provide a united front. We have witnessed engagements where members of the assessment team and the customer team spend hours per day arguing proper security controls and methods. This is not at all beneficial to the project or the customer and will ultimately result in a poor-quality product, if it ever gets to the final report phase at all.

NOTE
As mentioned already in the chapter, we provide a template in Appendix A for your use as a checklist to maintain the integrity of the process. It can be fully customized to fit your organizational or business model needs. It is a place to start when you are in the beginning phases of the project while also allowing a centralized location for notes and contact information. At a minimum, it is an excellent tool for disseminating project information among team members as well as maintaining expectations. Portions of this checklist will be explained in greater detail in Chapters 3–6. Also included is an IAM PASV Planning Survey template for your review. This is a wonderful tool for requesting information prior to arriving at the customer organization’s location. Distributed to the client early in the process, it will make the job of estimating time requirements and planning timelines much easier.

Developing Mission Identification

To properly perform an assessment and make recommendations for any organization, you need to have a strong understanding of that organization’s mission. It is also important to understand the business functions that drive the organization and the industry space in which the company operates. Numerous factors can define a customer organization’s mission.
Examples of major organizational attributes that will figure in defining its mission are:

■ Profit versus nonprofit
■ Publicly traded versus privately held
■ Customer demographic
■ Customer satisfaction
■ Small business versus large corporation
■ Industry market share
■ Service offerings versus product offerings

Two players in the same industry and with similar attributes can still have different missions based on what got them to where they are today and where they see themselves going in the future. Defining this mission is something that you must do with the customer. The mission priorities are organizationally specific; because the mission statement helps define priorities regarding information types, it cannot be completed by outside parties with little experience in the customer culture. Every organization has a brief mission statement, but these statements never come close to telling you all the nuances of how the organization operates and what it considers a priority in completing its mission.

A large part of the process in the pre-assessment phase involves building an understanding of, or defining, what you believe is the security posture of the organization. Later, during the onsite visit and documentation review, you will get to validate your understanding of the current environment. Before you even begin to define the posture, you need to review the organization’s mission with the customer team. Your first meeting should begin with a discussion of mission objectives and industry function.

Understanding Industry Differences

Each industry is different from all others and therefore has different information security standards it must meet. Disparate industries value security in different aspects based on what information is important to their operations. All aspects of information security are important, but part of the resulting information gathered from the IAM offering is the prioritization of data and the controls protecting this data. Some examples of differing industries are:

■ Government (on multiple levels)
■ Military
■ Law enforcement
■ State versus federal
■ Academic
■ Health and medical
■ Financial institutions
■ Hospitality
■ Utility

These are just a few of the industries you will encounter. You can see how these examples would relate back to the standard concepts of CIA. A financial institution may place more importance on integrity due to its large number of transactions. Medical institutions may emphasize the need for confidentiality due to privacy requirements, and so on.

Relating the Mission to Pre-Assessment Site Visit Products

Defining the mission objectives will enable you to begin working on the four main products, or deliverables, that are created during the PASV. In fact, it is the underlying requirement for all of them. Mission objective definition is the basis for completing the deliverables. Each one of these is discussed in greater detail later in the book, but here are some brief introductions to them:

■ Organizational priorities Chapter 3: Organization Information Criticality—Using the information you have learned in regard to the organization and its industry and mission, you can define priorities for the organization.
■ System priorities Chapter 4: System Information Criticality—Just as you prioritize the organizational components, you funnel that information down to more detailed system-based priorities.
■ Customer Environment Chapter 5: System Security Environment—Definition of the customer environment is based on multiple components such as boundaries, customer constraints, and customer concerns.
■ Assessment Plan Chapter 6: Assessment Plan—The assessment plan is the agreement built during the PASV that defines the processes, the organization, and the scope of the project.

These products are customized based on priorities the customer organization defines. They can be considered guidelines for the remaining assessment process as well as the foundation for any future INFOSEC programs. Again, these products are built by both the assessment team and appropriate customer representatives. You are there to provide your knowledge of overall security implications and best practices. The customer has the detailed knowledge of their organization and what drives it. Working together is the only true way to get an assessment road map that is balanced between organizational needs and in-depth security experience.

Defining Goals and Objectives

Once you’ve completed all the investigative and customer orientation components of the pre-assessment site visit, it is time to take that information and determine a high-level set of goals and objectives for the customer organization’s security program. These goals will assist in determining requirements for the organization’s security controls, whether they are technical, operational, or managerial. Organizational policies are often created to supplement any legislation or regulations that may fall more in line with the customer’s overall mission and goals. In addition, if some guidance is found to be too stringent or too lenient in contrast to the defined environment, this can and should be documented as a finding, with recommendations as to proper control requirements.
Any additional local policies and procedures should also be used in setting detailed system security objectives.

Understanding the Effort: Setting the Scope

One of the final pieces that will begin to take shape is a full understanding of the level of effort that will be required to perform the assessment. The entire group, including both customer and assessment team members, must agree with the aspects of the remaining work. Now you can work with the customer to finalize delivery dates, project milestones, and the like. One thing to remember when developing your final timeline is the level of involvement with recommended solutions. This includes the level of research and detail requested, but more important at this point, the implementation of those solutions. If you are at a customer’s location and you find multiple issues with currently implemented security controls that must be mitigated immediately, are you willing, and do you have the time, to jump in and assist with correcting this situation?

Information Request

Requesting information will not likely be the last thing you do during a PASV, but it is one of the last things you should verify, in that actions have been taken to assist you in gathering documentation for review. Again, the IAM relies [...]

Chapter 3 • Determining the Organization’s Information Criticality (excerpt fragments)

[...] adequate security considerations. Even those customers with a highly technical and informed staff may lack the experience level required to help define the potential impact of a security compromise on an organization. For these reasons, the assessment team will facilitate the assessment [...]

[...] great pride in their work; this attitude includes each employee’s belief that the information and/or systems he or she works with are some of the most critical within the organization. The goal of the IAM assessment is to define the information types that truly have the greatest [...]

[...] the assessment process by looking at the organization from the 50,000-foot level. That’s why we try to start with the information the organization uses. We’ll cover the actual information systems in Chapter 4.

NOTE
It is common for customers to lean toward defining information within their company based on the system in which the information resides. The assessment [...]

[...] Finance Information

Associating Information Types with the Mission

You’ll remember from Chapter 2 that the assessment team has already helped the customer identify their mission. The mission defines the reason the organization exists. Now we need to specifically relate to the [...]

[...] control of the assessment process and that they have the final word on the outcome of the assessment. The decisions they make will directly impact the quality of the final report your team delivers at the end of this project. The assessment team should not make these decisions because that often would require the team to make assumptions about how the customer organization conducts business and what their business [...]

[...] addition, the information created during this piece of the IAM assessment will be used to create the System Criticality Matrices, explained in Chapter 4. The IAM course gives students guidelines for the length of time required to complete each phase of the IAM process. NSA specifically states that the pre-assessment visit should last one or two days. However, most teams that have performed these assessments [...]

[...] complete the pre-assessment visit. You should keep in mind that this process is normally easier in theory or in the classroom than it will be in the real world. Carefully consider the time window you allocate for this work to help avoid the issues we previously mentioned. Figure 3.1 demonstrates where the pre-assessment visit fits into the rest of the IAM assessment process.

Figure 3.1 The Pre-Assessment [...]

[...] mentioned in Chapter 1, keeping the customer informed and involved in all aspects of the assessment process can help alleviate these issues before they become a real problem. The definition of organizational information criticality is one of the primary milestones in the pre-assessment phase. The activities we cover in this chapter actually occur during the pre-assessment visit. (The pre-assessment visit is covered [...]

[...] goals are. In the world of commercial security assessments, poor assumptions on the part of the security consulting firm could result in a liability to the customer should a security incident occur. Instead, the assessment team leader acts as a facilitator to make recommendations to the customer throughout the assessment process based on the leader’s own experience in the field of information security. As [...]

[...] different information types. All of these information types are similar and connected, which means that the team can roll them up into a single broader category of Customer Information. Using this type of process, the team works with the customer to develop the proper division of information types [...]

Posted: 13/08/2014, 15:21
