Modifying the Nine NSA-Defined Areas One way to customize the TAP is through changes in the composition of the TAP. By default, you may not remove sections and still be within the IAM guidelines.The components discussed are considered by NSA to be minimum requirements for any plan to be used in an assessment. If a conflict arises and a section cannot be completed, the reasons or events leading to these issues need to be clearly documented.The section will remain, but the information detailed will be in regard to the lack of completion, not the actual topic itself. Adding sections is entirely up to the customer. Several items may be added as requested or as part of an overall independent business practice. Just a few that can be used to add value to the document are these: ■ Executive summaries Summaries can go a long way toward pro- viding descriptions and instructions on how to read and understand the plan.They can also be used to summarize the methodology or provide background into the purpose or goal of this particular assessment. ■ Version history information This can be very useful when dealing with very fluid engagements where change is the standard. In the example in the appendices, you’ll notice that a version control page was combined with approval authority to demonstrate acceptance and understanding of each change on one simple page. Level of Detail The level of detail is a very important aspect of the IAM TAP. It can depend on many things, such as the level of involvement the customer organization wants to have with the assessment process. A hands-on approach may dictate requirements for a very detailed plan as well as increase the chances for multiple revisions down the road. What is included as detail should be based on interactions with the customer. This should be worked out early on in the pre-assessment site visit, and an intro- duction to a sample TAP during initial meetings would not be overboard.The amount of information recorded in each section is flexible, as long as all required aspects are included. www.syngress.com Understanding the Technical Assessment Plan • Chapter 6 201 286_NSA_06.qxd 12/15/03 11:32 AM Page 201 Format The format of this document is almost entirely up to you. Certain basic rules should apply, such as the inclusion of a cover sheet and the original order of topics, but most of this is fair game for adjustment based on what is more effec- tive in a given scenario. Some organizational assessments can be so large, with multiple assessment teams in action, that an overall TAP is created as the main repository, with several detailed plans attached as appendices. Some systems may be in such revolving states and of sufficient size to warrant breaking out diagrams and detailed tech- nical descriptions or inventories into subdocuments for ease of management. The TAP is a tool. Whatever helps improve the efficiency or usability of the tool should be considered appropriate, as long as you account for all required components. Case Study: The Bureau of Overt Redundancy We’re back to the Department of Excess Verbiage (DEV) BOR offices. In Chapter 2 we went through the pre-assessment site visit with the BOR, detailing some of the concerns and issues regarding their environment as well getting to understand the culture and requirements.This case study is geared toward a single document, the primary deliverable from that meeting: the TAP. The BOR TAP As the customer requested, we have included a document-tracking section in the TAP (see Figure 6.1).The BOR would like us to maintain a version history of the document, including change details and dates. For peace of mind, we’ve also added an approval section! Remember, this is a custom addition, not part of any NSA requirements for the TAP. www.syngress.com 202 Chapter 6 • Understanding the Technical Assessment Plan 286_NSA_06.qxd 12/15/03 11:32 AM Page 202 Contact Information The next section, Contact Information, is a true requirement of the NSA IAM. As you can see in Figure 6.2, we have decided to include alternates for both the customer and the assessing teams.This gives the customer a second line of attack in the event an emergency arises, as well as giving the assessing team a second contact with either the authority to make decisions or access to decision makers, should any unforeseen events arise. Figure 6.2 Contact Information Worksheets DEV BOR Organization Contacts DEV BOR Primary Point of Contact: Justin Phun Title IT Security Manager Address 3608 1 st Nactoobia Ln Desk Phone 555.555.1234 Mobile Phone/Pager 555.555.8365 E-mail justin.phun@bor.dev.nactoobia www.syngress.com Understanding the Technical Assessment Plan • Chapter 6 203 Figure 6.1 The BOR Document-Tracking Sheet Version Date Signature Approval Version Update Infomation Pages Affected V1.00 6June 2003 Justin Phun, ITSM Bill High , SCE Team Lead Pre-Assessment Site Visit Creation All Continued 286_NSA_06.qxd 12/15/03 11:32 AM Page 203 Figure 6.2 Contact Information Worksheets DEV BOR Organization Contacts DEV BOR Alternate Point of Contact: Cole Ishin Title Network Manager Address 3608 1 st Nactoobia Ln Desk Phone 555.555.1622 Mobile Phone/Pager 555.555.8344 E-mail cole.ishin@bor.dev.natcoobia SCE Organization Contact SCE Primary Point of Contact: Bill M. High Title Principal Security Consultant Address 87234 NW Safe Pl. Desk Phone 555.555.6832 Mobile Phone/Pager 555.555.3762 E-mail bm.high@sec.cons.extra SCE Alternate Point of Contact: Lynn X. Roulls Title Senior Security Consultant Address 87234 NW Safe Pl. Desk Phone 555.555.6826 Mobile Phone/Pager 555.555.3162 E-mail lx.roulls@sec.cons.extra Mission Next we move on to the second point of the IAM TAP, the mission statement. We discussed the mission statement and tried to develop it into a more detailed product in Chapter 2. Here we display our final understanding of the mission goals as well as the formal statement the customer uses.The added detail in regard to the mission is another custom addition to this case study, so if in other scenarios it does not fit, it is certainly acceptable to leave it out.The DEV BOR mission statement is as follows: To ensure that all products available to the Nactoobian people include maximum redundancy for maximum safety and maximum reliability at minimum cost. www.syngress.com 204 Chapter 6 • Understanding the Technical Assessment Plan 286_NSA_06.qxd 12/15/03 11:32 AM Page 204 Through group discussions with DEV BOR management, we identified spe- cific detailed mission objectives and requirements.These have been broken into three detailed components that will assist in defining the direction and level of focus of current and future organizational INFOSEC programs: ■ Mandate private sector organization requirements for redundancy, quality, and durability within products ■ Introduce legislation and requirements to control industries ■ Research products for improvement opportunities ■ Publish reports detailing benefits of adoption and hazards of non- adoption ■ Maintain private sector organization costs or defray those costs without widespread public knowledge or understanding ■ Assess risk versus cost of improvements ■ Introduce methods of industry standardization for cost reduction ■ Manipulate private sector “conclusions” into legislation ■ Manage public “voting” community safety concerns in domestic con- sumable products ■ Validate private sector research and conclusions in terms of safe- guards for consumers ■ Ensure that private sector movements and initiatives are properly marketed to consumers After mission comes the organizational information criticality. Again, in Chapter 2 we discussed the types of information that the customer, the BOR, might use, and we rolled them into unique categories. In this section we publish those results, from specific to rollup, as well as their importance to the customer. We also include the definitions used in creating these matrices, which we defined in detail in Chapter 3. As demonstrated earlier, you’ll see that the OICM includes each and every information type determined. To combat the confusion that often surrounds the organizational versus system criticality discussions, notice the brief description included at the begin- ning of the section. www.syngress.com Understanding the Technical Assessment Plan • Chapter 6 205 286_NSA_06.qxd 12/15/03 11:32 AM Page 205 Organization Information Criticality This section discusses the perceived impact of the loss of confidentiality, integrity, or availability in regard to the information types stored, processed, and trans- mitted within the DEV BOR organization.This includes a listing of information types and definitions for CIA, as shown in Figure 6.3. Custom definitions of High, Medium, and Low are included as well. BOR Information Types ■ Human resources ■ Personnel files ■ Applications and résumés ■ Finance ■ Payroll ■ Accounts payable and receivable ■ Current projects ■ Lobbyists (partners, plans, marketing, etc.) ■ Goals ■ “Research” ■ Completed projects ■ Lobbyists (partners, plans, marketing, etc.) ■ Goals ■ “Research” ■ Corporate partners ■ Partner information ■ Partner submissions ■ Partner “Research” ■ Legal ■ Litigation as a tool ■ Litigation as a defense www.syngress.com 206 Chapter 6 • Understanding the Technical Assessment Plan 286_NSA_06.qxd 12/15/03 11:32 AM Page 206 Definitions ■ Confidentiality The property that the existence of an object and/or its contents is not made available or disclosed to unauthorized subjects. ■ Integrity The property that data has not been altered or destroyed in an unauthorized manner. ■ Availability The property of an object being accessible and usable on demand by an authorized subject. ■ High An impact of High consequence is one that may cause the loss of financial assets in excess of $100,000, loss of trust among partners, or loss of autonomy resulting from forced involvement of DEV or higher authority. ■ Medium An impact of Medium consequence is one that may cause the loss of financial assets in excess of $25,000 but less than $100,000, loss of trust among the public voting community, or lessened autonomy resulting from forced involvement of DEV or a higher authority. ■ Low An impact of Low consequence is one that may cause the loss of financial assets less than $25,000 and basic impedance of day-to-day operations. www.syngress.com Understanding the Technical Assessment Plan • Chapter 6 207 Figure 6.3 The DEV BOR Organizational Criticality Matrix Low LowMedium Medium MediumHigh High HighMedium High MediumHigh Human Resources Finance Current Projects High Watermark Confidentiality Integrity Availability Low LowMedium Completed Projects Medium LowHigh Corporate Partners Medium MediumMedium Legal 286_NSA_06.qxd 12/15/03 11:32 AM Page 207 System Information Criticality This section discusses the perceived impact of the loss of CIA in regard to the information types stored, processed, and transmitted within specific denoted sys- tems of the DEV BOR organization.This sections works directly off much of the information in the previous section, so there is no need to be overly redun- dant (although maybe this customer would appreciate that?). Notice in Figure 6.4 that the section description again comes into play to avoid confusion with the organizational information criticality. Note too that these systems will be described in detail in the System Configuration section. We have broken the information into two matrices: one for the Active Bureau Campaigns System (ABCS) and a second for the Bureau Information Support System (BISS), which we’ll discuss in greater detail in a moment. www.syngress.com 208 Chapter 6 • Understanding the Technical Assessment Plan Figure 6.4 The DEV BOR System ABCS and BISS Criticality Matrices Medium MediumHigh Medium MediumHigh Current Projects High Watermark Confidentiality Integrity Availability Medium LowHigh Corporate Partners Low LowMedium High HighMedium High MediumMedium Human Resources Finance High Watermark Low LowMedium Completed Projects Medium MediumMedium Legal Confidentiality Integrity Availability 286_NSA_06.qxd 12/15/03 11:32 AM Page 208 Concerns and Constraints This section discusses specific concerns of the DEV BOR organization and pos- sible methods to directly address those concerns. Constraints that need to be taken into consideration are discussed as well, including workarounds. We need to make sure that we include all the concerns our customer may have; this way we keep on track with requested priorities and reassure the customer that we’re tracking the things that are important to them. Concerns Three main concerns have been discussed in relation to DEV BOR INFOSEC practices. Antivirus, configuration management, and backup procedures have all been found lacking in results compared with the requirements of the DEV BOR security team. Extra due process will be spent to determine current procedures and their implementation levels in regard to these concerns.They will be com- pared with standard industry best practices, and recommendations will be made to improve lacking processes that may be leading to ineffective measures. Recommendations will also be validated to fit within any required industry reg- ulations or legislation. Constraints The only true constraint is the ABCS. DEV BOR is currently involved in a major campaign, and crucial deadlines loom on a weekly basis.There must be virtually nothing that hinders the 24 x 7 required operation of this system.Any system demonstrations and interviews need to be performed when system opera- tors and administrations staff are available. SEC understands this requirement and has arranged to perform some work outside standard business operating hours during the onsite visit to better fit within DEV BOR time frames. System Configuration The System Configuration section discusses the system configurations that will be addressed by this INFOSEC assessment. Included are hardware and software inventories, site information, architectures, and the like. Here we display our understanding of the customer’s system. Boundaries, hardware and software inventories, site information, architectures, and more are all relevant pieces of information to include here. www.syngress.com Understanding the Technical Assessment Plan • Chapter 6 209 286_NSA_06.qxd 12/15/03 11:32 AM Page 209 The Active Bureau Campaigns System The ABCS provides daily operations of currently active redundancy campaign programs.The system consists of two P12H servers operating Custom Kernel Clusterer 3.8.22.This system contains the most sensitive information within the BOR in terms of confidentiality.The system is protected by two N2 standard firewalls working redundantly to protect the environment from any incidences that may occur on the BOR network.The system functions using internally developed and maintained code and is backed up regularly using Redundant Redundancy+ 2.3. Users connect through the firewalls via HTTP using a ter- minal client that operates in any Web browser. The Bureau Infrastructure Support System The BISS provides general IT support for daily administration activities and organizational support functionality.The system consists of a local area network (LAN) managed by eight Cisco Catalyst switches ranging between the 2900, 4000, and 6000 series. Also in the system are eight Windows 2000 Servers uti- lizing active directory services, Exchange 2000 for e-mail services, and Sloth AV 4.8 for server and mail antivirus protection. In addition, residing on the network are approximately 1500 workstations varying in operating system among Windows 98, Windows NT, and Windows 2000; all of which are likely to be at differing patch levels. Sloth AV 4.8 clients are required on all workstations. The Interview List The Interview List section contains the list of individuals at BOR who we have selected to interview (see Figure 6.5).You’ll notice that not all the job positions have yet been defined. Due to the large number of employees, we determined that we can decide on average users during the onsite visit, based on manage- ment schedules. In this instance, the Address/Location section may not be ter- ribly important, since all the individuals reside in the same office. In larger, distributed organizations, this information becomes much more important, and it can often be helpful to divide interviewees into groups based on location for scheduling and tracking purposes. www.syngress.com 210 Chapter 6 • Understanding the Technical Assessment Plan 286_NSA_06.qxd 12/15/03 11:32 AM Page 210 [...]... on the security management process Information Exchange Passing information between the assessment team and the customer is an important part of the process.This goes back to keeping the customer informed and involved throughout the entire assessment. The assessment team should be prepared for and the customer should demand that there be periodic reports during the assessment process to keep them informed... management The senior management level has responsibility for setting security policy, establishing security objectives, and providing the enforcement mechanisms for the overall security program Senior management also has the responsibility to provide support to the other levels of the organization in the implementation of the security standards and should lead the security effort by setting the example for. .. organization in preparing to perform an IAM assessment www.syngress.com 215 2 86 _NSA_ 06. qxd 2 16 12/15/03 11:32 AM Page 2 16 Chapter 6 • Understanding the Technical Assessment Plan Best Practices Checklist Understanding the Purpose of the Technical Assessment Plan Be sure that the plan is sufficiently introduced to the customer during the pre -assessment site visit and that ease of use for the customer is taken into... the pre -assessment phase or even the opening meeting .The assessment team must plan and be prepared to educate the customer throughout the entire process .The two forms of customer education are: I Informal customer education I Formal customer education Informal Customer Education The majority of the education process for the customer will be informal .The customer will request discussions about the assessment. .. Opening Meeting The opening meeting should be as informative as possible, providing the participants with a full picture of the assessment process and the benefits expected from the assessment Utilize this meeting as a chance to reengage the customer in the dialogue necessary to make the assessment successful Meeting Format NSA requires no special format for the opening meeting as part of the IAM, but it... Plan Item 2 86 _NSA_ 06. qxd 212 www.syngress.com Figure 6. 6 The BOR Document-Tracking Sheet 2 86 _NSA_ 06. qxd 12/15/03 11:32 AM Page 213 Understanding the Technical Assessment Plan • Chapter 6 Events Timeline The Events Timeline section discusses he timeline for events that the assessment process will follow as discussed during the pre -assessment site visit.This section includes dates and times for any deliverables... have the opportunity to return to home base and prepare for the onsite portion of the assessment. The focus of the pre -assessment site visit and the focus of the onsite phase are different .The pre -assessment phase is focused on identifying business mission, critical information, and critical systems, whereas the onsite phase is focused on gathering information about the organization’s security posture .The. .. of the onsite phase will be conducted .The members of the assessment team should understand their roles and responsibilities going into the onsite phase How do you create the assessment road map? The assessment plan lays out the activities to be accomplished in the assessment The easiest way is to relate the assessment plan activities to the timeline and give an idea of how the process will proceed.Then... objectives as defined by the customer during the pre -assessment phase Keeping these objectives in the forefront will also help keep the assessment focused Keeping the Customer Involved The assessment process is not an assessment team-only process.You must include the customer in every facet of the process .The customer will want to feel that they are being kept informed of findings along the way Establishing... 219 2 86 _NSA_ IAM_ 07.qxd 220 12/12/03 3:32 PM Page 220 Chapter 7 • Customer Activities Introduction This chapter introduces the reader to the onsite assessment phase of the IAM and associated activities By the end of this chapter, the reader should have an understanding of the preparation necessary to conduct the onsite activities, the importance and necessity of setting the tone of the assessment, the . Technical Assessment Plan 2 86 _NSA_ 06. qxd 12/15/03 11:32 AM Page 202 Contact Information The next section, Contact Information, is a true requirement of the NSA IAM. As you can see in Figure 6. 2, we. standard for maintaining disposal security controls. www.syngress.com Understanding the Technical Assessment Plan • Chapter 6 211 2 86 _NSA_ 06. qxd 12/15/03 11:32 AM Page 211 Figure 6. 6 The BOR Document-Tracking. is just to explain the reason for a lack of information. www.syngress.com 2 16 Chapter 6 • Understanding the Technical Assessment Plan 2 86 _NSA_ 06. qxd 12/15/03 11:32 AM Page 2 16 Q: Who should be