Security Assessment: Case Studies for Implementing the NSA IAM, part 7 (doc)


Group Interviews

There is some debate about the value of group interviews. Many people argue that a group interview will silence the less outgoing but important members of the technical team. The group interview does provide a good opportunity to hear the opinions of the more outgoing personnel. Through observation, watching body language, and listening to the people involved in the group interview, the assessment team can see those people who have a difference of opinion from the dominant personality. The assessment team will want to be sure to interview those people individually.

Interview Scheduling

The interview schedule can make or break an onsite assessment. Some suggested considerations for scheduling include:

■ Allow at least 1.5 hours for each technical- or operational-level interview. These interviews are where the assessment team will spend the most time during the interview process.
■ Allow at least 1 hour for each senior management-level interview (C-staff, president, and so on). Senior management-level interviews will generally be the shortest due to the time constraints of people at this level, but they are also the most unpredictable and therefore need allocated time.
■ Allow 30 to 45 minutes for each user-level interview, but remain flexible so that the interviewees do not feel slighted.
■ Allow at least 15 to 20 minutes between interviews for relocation time and for jotting down final notes before transitioning to the next interview.
■ Try to group interviews by physical location where possible to avoid running across campus or across town to conduct interviews.
■ Leave room in the schedule for additional interviews.

Interview Environment

Make sure that the location in which the interviews are conducted is comfortable and informal. Conduct each interview in the interviewee’s area when possible but still in a private location, where the interviewer is on the interviewee’s turf. Remove any obstacles to the interviewee’s comfort, and try to avoid putting a table between the interviewee and the interviewer. This will help remove both physical and psychological barriers between the interviewee and interviewer, allowing the interviewee to feel comfortable and hopefully allowing for the free flow of information.

Attributes of a Successful Interviewer

Interviews are supposed to gain accurate information about the customer’s formal and informal processes. To effectively accomplish this goal, the interviewer must be able to break down barriers and gain trust, ask the right questions, and gain the information needed.

Breaking the Barriers

The person conducting the interview should not be a novice at interviewing. The interviewer cannot appear like an inquisitor from the Dark Ages. They must be personable, compassionate, and able to freely communicate. Effective interviewing has several characteristics that directly impact the effectiveness of the interview. The NSA IAM training course identifies several of these characteristics, as listed in Table 7.4.

It might also be useful to walk around the office area and get a glance at the work areas of the people to be interviewed. You might find indicators of individual and even group interests that could help break down communications barriers and serve as an indicator of interests that can be used to “break the ice.” You can tell a great deal about people by what is on their desks or on their walls.

From the Trenches… Expect the Unexpected

Remain flexible, and be prepared for just about anything. The assessment team will be required to comply with all fire drills, tornado alert procedures, earthquake drills, and other customer emergency procedures while onsite. Be respectful of the customer and their procedures to ensure both the safety of the assessment team and returned respect from the customer. The customer will also need to be able to adjust the schedule in the event that someone must cancel or reschedule.

From the Trenches… Breaking the Ice

I used to work as a government contractor in a program management position and had to spend a great deal of time interfacing with the division chief of the government group we were working with. On his office walls were pictures of his kids and himself with a bunch of fish they’d obviously caught—not just one picture, but at least 20. There was an immediate ice breaker: being able to talk about fishing or family. Another possible approach is to look for indicators of favorite football, baseball, or other sports teams. Look for common interests to help open the interviewee up during the discussions.

Table 7.4 Interview Characteristics

Empathy
    Demonstrating an understanding of what the interviewee is stating through restating answers, clarifying meaning, and doing it with feeling. Stay involved.

Warmth
    Being friendly, compassionate, and personable in the interview. Showing you truly care about the subject being talked about.

Positive regard and respect
    Being open with the person about your experiences to help get them to open up to the interviewer. Showing faith in the person and accepting the information they are providing.

Ask open-ended questions
    Ask questions that require more than just a Yes or No answer to get the interviewee to provide additional information. We need the interviewee to say what is on their mind; open-ended questions facilitate that process.

Keep discussions on track
    Allow the interviewee to express opinions, but also try to keep the interview focused on security-related issues.

Use tailored questions
    Utilize questions that are tailored to the type of business area that the interviewee is part of. This helps to ensure understanding of terminology.

Good listener
    The interviewer needs to have good listening skills, including the ability to show interest in what the interviewee is saying. He or she should also be able to read body language.

Be consistent in response to answers
    Provide a consistent response to answers. Try to avoid showing over-interest or excitement about specific answers.

Record something for all answers
    Take notes for all answers to avoid the appearance of overexcitement for specific answers. Interviewees get nervous if the interview team has taken no notes up to that point and then begins scribbling notes frantically when they begin speaking about a particular topic.

Allow the interviewee a final open opportunity to express thoughts
    Give the interviewee a final chance to speak his or her mind before closing the interview. This is the interviewee’s chance to mention anything that might have been missed in the question pool or discussions and your opportunity to learn of any internal issues that might be unknown to this point.

Be on time
    Arrive for the interview on time. The interviewee’s time is valuable, so please respect it.

End on time
    Finish the interview within the allotted time. If you run out of time with this individual, schedule a time to try continuing the interview process. In some situations, particular individuals have a great deal of valuable information to share, and the assessment team will need to be flexible during these times. Don’t be late for the next appointment.
WARNING

Be careful not to be intrusive during the interview process. If the interviewer influences the interview through his or her own personal views, it can taint the results. In this case the interviewee may tell the interviewer what the interviewer wants to hear, or the exact opposite of what the interviewer wants to hear. What you really want out of this process is the truth.

Gaining Needed Information

The interview process is intended to help the assessment team gain information about the customer’s actual security practices so that they can complete an analysis of the customer’s security posture. This is accomplished through asking questions and taking good notes that can then be reviewed during the analysis process.

Taking Notes

Notes are an important part of the interview process. The assessment team needs to keep some reference from the interviews for review during the analysis process. Generally it is beneficial to have a second person in the interview taking extensive and constant notes so that the primary interviewer can concentrate on eye contact, discussion, and clarification with the person being interviewed.

Recording the Interview

Interview recording is another debated subject. Recording an interview can provide the assessment team with an easily referenced source and doesn’t require that extensive notes be taken. The negative side of recording the interview is that it may make the interviewee uncomfortable and may eliminate the nonattribution aspects of the interview, since the recorded interview could be subpoenaed in a court case. NSA generally does not recommend taping interviews due to how uncomfortable it may make the interviewee and the fact that a recorded interview can be directly attributable to an individual, which violates the nonattribution “promise” of the IAM assessment.
Interview Questions to Ask

A predetermined set of questions is helpful, but such a list should only be used as a guide, not an absolute set of questions or the only questions that are asked. Answers to some questions will lead to additional questions that are not on the question list. Knowing when to ask these nonpredetermined questions will be based on the interviewer’s experience and expertise.

NSA recommends no set of standard questions for conducting the interviews. However, a few resources are useful in formulating the set of questions that will help the assessment team gain the needed information and identify the organization’s vulnerabilities. The first resource for questions comes from the security expertise of the assessment team. This can be a compilation of experience from the multiple team members. The second resource is the NIST 800-26 Security Self Assessment Guide. It provides a series of management, technical, and operational questions that help pull out the security information of the organization. This resource can be located through www.nist.gov. The third resource is the NSA IAM itself. The 18 areas that are identified by NSA in the management, technical, and operational areas provide an excellent guide on which to base a question set. These and other resources, combined with the IAM framework, make it fairly easy to create question sets that are industry-specific and provide an excellent starting point for the interviews.

From the Trenches… The Bad Interview

From time to time, the assessment team will experience a bad interview. Either the personalities will clash or there was no success in getting the interviewee to open up. Don’t let this failure discourage the assessment team. Just accept it and move on.
Case Study: Interviews With University Staff

The interview schedule was finally set, at least for the first week of the onsite phase of the Red Rover University assessment. Through discussions during the pre-assessment site visit, we determined that the college was most concerned about liability for systems used to initiate attacks on other systems and Family Educational Rights and Privacy Act (FERPA) regulations. FERPA addresses the privacy protection responsibilities for educational institutions.

The university has four colleges along with the associated support staff. Each college has its own technology staff responsible for systems administration and security for that particular college. The administrative functions of the college are supported by the university’s Information Technology (IT) department. Table 7.5 identifies the Week 1 schedule of interviews.

Table 7.5 Sample Assessment Schedule, Week 1 (Week 1 on site; columns Monday through Friday, with the entries of each time slot listed in column order)

0730: Arrive on site; Arrive on site; Arrive on site; Arrive on site; Arrive on site
0800: Opening meeting; Tour of new technology center; Meeting with customer representative; Interview with server support; Meeting with customer representative
0900: Tour of campus; Interview with food services director; Interview with manager of technical services; Continued; Interview with facilities management
1000: Interview with chancellor’s office; Continued; Meeting with customer representative; Continued
1100: Continued; Interview with dean of liberal arts; Lunch with dean of engineering; Interview with campus security director; Interview with business college systems administrators
1200: Lunch with liberal arts sys administrators (group); Lunch; Continued; Interview with budget director
1300: Interview with computer technology staff (group); Reserved for unscheduled interview; Lunch; Prep for chancellor meeting
1400: Continued; Reserved for unscheduled interview; Interview with desktop support staff; Interview with computer science; Lunch
1500: Interview with patent office director; Continued; End of week meeting with chancellor’s office (update)
1600: Continued; Assessment team meeting; Reserved for analysis; Assessment team and customer rep meeting for next week’s preparation
1700: Customer representative update; Continued
1800: Assessment team dinner and status meeting; Interview with night school computer technician; Interview with janitorial staff
1900: Continued; Assessment team meeting and dinner; Assessment team meeting and dinner; Assessment team meeting and dinner

NOTE

The assessment team utilized NSA’s 18 Baseline INFOSEC Classes and Categories as the high-level guide for conducting the interviews, realizing that some sections of the 18 categories will not apply to all customer personnel being interviewed.

The first set of interviews on Monday at 1200 and 1300 hours, with the liberal arts systems administrators and the computer technology staff, were both group interviews. During these interviews a common name was brought up that was not part of either staff. Fred Kingsly had been a systems administrator originally with the Liberal Arts College and after a year had moved over to the Computer Technology College and was responsible for all lab networks. Fred graduated with his Master’s degree last year and was now working as a faculty member in the undergraduate Computer Technology program while working on his Ph.D. Fred was identified by the university staff we interviewed as being the “brain” behind most of the security tools and policies in place at the university. Fred was not yet on the interview list, so we made a note to get Fred on the schedule if at all possible.

During these interviews, we also noticed that there were a few dominant personalities, and in the case of the Liberal Arts College systems administrator staff, a very quiet administrator disagreed with them (noticed through body language) but didn’t say anything. We added this person to the list of people to be interviewed. During these interviews, we also picked up several additions to our documentation list, including a Draft Security Policy from three years previous, two e-mail directives on the password policy for the college (the only known place it was published), and a security incident report on the ILOVEU virus.

Currently there are three after-hours interviews we know must be conducted: the night school computer support technician, janitorial staff, and the night shift campus security manager. It will be important to gather their perspectives on the college’s security posture. We also warned the customer representative handling the schedule to try to avoid forcing the assessment team to run back and forth across campus several times a day. It is approximately 1 mile from one end of campus to the other. The assessment team found that meeting with the customer representative on a daily basis helped resolve conflicts and issues before they got too difficult.

[...]
... communication with the customer. Don’t forget about the comfort needs of the assessment team. Work with the customer to create a manageable schedule for the onsite interviews.

Setting the Onsite Tone

Utilize the opening meeting to establish a positive tone for the assessment. Reiterate the agreed-on assessment plan during the opening meeting so that everyone understands the scope of the effort. Review the assessment ...

... staff’s fears that they were being considered for downsizing. The interview leader described the purpose of the assessment and reiterated what the university said the results would be used for and the plans for delivering the results. Red Rover University had identified the purpose of the assessment as looking at how the university stands in meeting the FERPA requirements and how the university rates ...

... categories capture the majority of security-related concerns for assessment purposes but are flexible enough to allow the addition or alteration of the list as required. In many cases, the 18 categories can be used to formulate the set of assessment questions to be asked during the interviews with the customer. The interview is the process of collecting information about the customer’s security posture ...

The update to the chancellor was a smart idea and helped our cause greatly. The chancellor received feedback from the departments that the assessment was going better than they expected and that they found value in the information that was being collected. They also said they felt that the assessment team was ...

... time for activities are coordinated. Once the preparation is complete, it is important to think about the flow of the onsite phase of the IAM. The important first step is the opening meeting, which is the first opportunity to make a positive impression during the onsite phase. The opening meeting should reiterate the agreed-on assessment plan, identify the current schedule, show the benefits of the assessment ...

... expectations for the remainder of the assessment. A positive first impression is essential to assessment success. During the assessment process, understand the importance of keeping both the customer and the assessment team informed of progress and remaining actions. The NSA 18 Baseline INFOSEC Classes and Categories provides an excellent framework to focus the onsite information collection activities. These 18 ...

... the assessor have put into assisting the customer with developing the OICM and then mapping that to the SICM. These matrices are part of the requirements for the customer. They define the importance to the customer of their information and the importance of the system that processes, stores, or transmits that information. Justifications should reflect that work and allow the customer to quickly identify which ...

... than the Yugo. The Ford is the “middle of the road map” choice to a better security posture. The Cadillac is the most expensive. The cost is significant; the maintenance fees are higher; and the fuel economy is significantly less. Consider the Cadillac the ultimate goal in recommendations. We all want one, but right now we cannot afford the cost or resources to own one.

The Yugo Implementation

Consider the ...

... related to security matters within the customer’s organization. The assessment team members’ positive interviewing skills are important in gaining the information from the client. Unsuccessful interviews will result in poor security posture information being obtained. Make sure that the lead interviewer has the skills to pull information out of the interviewees. In spite of the skills of the assessment ...

... creating the road map. They convey the ultimate goal of improving the customer’s security posture. For every finding, you should present options for the customer to implement. As we have discussed, the customer may not have the resources to implement the best solution for every finding, so we want to give them options.

Posted: 13/08/2014, 15:21
