Department of Interior, major broadband Internet service providers (ISPs), banking institutions, power companies, higher educational institutes, medical organizations, and even small, family-run businesses. From experience we have found that although security as a whole is improving, knowledge growth is still needed in the public sector as well as the private sector. When we originally departed from doing strictly federal government work, we thought that it would be easier to sell this service in the commercial world. We were wrong. It is just as difficult to convince a higher educational institute that they have critical information that must be protected from exposure as it was to convince federal agencies that they were not protecting everything as well as they thought. Both sides, public and private, rarely know how or what they need to address. So, the first step is the education of both what an INFOSEC assess- ment is and how this methodology applies to the customer’s field. What This Book Is About What is an INFOSEC assessment? It is a baseline measurement of the controls implemented to protect information that is transmitted, processed, or stored by a specific system. Simplified, this is a measurement of the security posture of a system or organization.This approach has been endorsed by the Critical Infrastructure Assurance Office (CIAO) for compliance with PDD-63 (www.fas.org/irp/offdocs/pdd/index.html) agency/department vulnerability analysis (www.ciao.gov). Under President George W. Bush, the functions of the CIAO have been integrated into the Department of Homeland Security (DHS) under the Information Analysis and Infrastructure Protection (IAIP) Directorate, by order of the National Security Presidential Directive One (NSPD-1). More informa- tion on the current functions of the IAIP can be found at www.dhs.gov/dhspublic/theme_home6.jsp. INFOSEC posture is the way INFOSEC is implemented. An INFOSEC assessment is not any of the following: ■ Inspection You are invited by the organization. ■ Evaluation It involves no hands-on testing. Instead, we utilize demon- strations by the customer to validate certain control implementations. www.syngress.com xxx Introduction 286_NSA_IAM_Intro.qxd 12/16/03 2:49 PM Page xxx ■ Certification/accreditation An assessment can be part of a certifi- cation, but it does not provide a proper level of assurance in and of itself because it does not contain hands-on testing. ■ Risk assessment Although INFOSEC assessments have aspects of risk assessment, they focus on vulnerabilities and impact. Most people think of risk assessment as including quantitative measurements and/or cost analysis. The INFOSEC assessment is broken into three phases: 1. Pre-assessment 2. On-site activities 3. Post-assessment Each of these phases has specific objectives and outputs that will always be present. Overview of the IAM In Chapter 1 we address some issues that are not taught in the class: how to determine that an assessment is needed and the contractual issues.You need to understand these issues to set the foundation for your assessment. Once you have the foundation completed, you can address the pre-assessment activities, which include refining customer needs; gaining an understanding of the criti- cality of the customer’s information; identifying the system, including system boundaries; coordinating logistics with the customer; and writing an assessment plan. All these steps are covered in Chapters 2 through 6. By the end of Chapter 6 you will understand how to implement this phase.We provide a template for the assessment plan, the key work product that is accomplished in the pre-assessment phase. In Chapters 7 through 9, we address the on-site activities. Beyond the kickoff meeting are normal activities that need to be explained. Some of these include the interview process; at the end of Chapter 7 we provide sample inter- view questions that we use in our process.Through Chapters 8 and 9, we address the identification of findings. Findings are not always bad, as you will see, but it is crucial that your customer know what you find. It is key that there are no surprises for your customer during this process.The customer should be aware of all findings that you identify, and we show you how to address the sig- www.syngress.com Introduction xxxi 286_NSA_IAM_Intro.qxd 12/16/03 2:49 PM Page xxxi nificant findings during the out-briefing.To assist you in developing your own style of out-briefing, we provide a template that you can tailor to fit your situa- tion and style. Once you finish the on-site phase with your customer, it is time to go home and put the final report together.This is the post-assessment phase, just as important as the two previous phases. In this phase, you develop the final report, coordinate delivery of the report, and do the internal housekeeping activities to close out the assessment. In Chapter 10 we address the report activ- ities; in Chapter 11we cover the closeout activities. Throughout this book you will see special elements we’ve added to assist you in understanding the subject material.These special elements include text sidebars of value-added information that complements or expands on the topic under discussion.These sidebars are brief but contain valuable information to clarify everything from “Understanding Why” or “From the Trenches” to “Terminology Alert,” even including checklists that can assist you in developing your own business processes. What Isn’t Covered in the Methodology? If you have attended the class, you already know that several issues are not cov- ered by the IAM. Contracts, staffing, and vendor expectations are good exam- ples.What needs to be in the contract? Everybody has their own business model and legal requirements based on location and legal counsel. How many people do you need to do the job? If we were to tell you that you only need four people, we would be lying.This book is designed to assist you in improving your business process or internal controls.To do that, we address them through examples in the book. So the question is, why was this information not covered in the class? To answer that, you have to understand and remember that this material was devel- oped in and based on the way NSA provides this service. NSA doesn’t have to deal with many of the business issues that the private sector does. NSA does not do contracts, since the service is free to federal agencies that request and need the help. Also remember that this methodology is just that—a methodology.We show you how to move from theory to practice. In addition, people who have been doing assessments for a while will agree that one shoe does not fit all. www.syngress.com xxxii Introduction 286_NSA_IAM_Intro.qxd 12/16/03 2:49 PM Page xxxii Every customer is different. Every organization is unique.Yes, there are many similarities among them, but those minor differences and recognition of them (or failure to recognize them) can make for a quality assessment or a poor assessment.The core mission, such as a bank or credit union, is the same, but the management is different.The staff probably has different backgrounds, so they will have different views on how to handle the work and priorities. Even your own team’s experience and background will affect what they see as important, even the priorities of importance. The Audience for This Book This book is aimed at several kinds of people: practitioners, customers, man- agers, and salespeople. All of them are important to the process, depending on which side of the fence you are on. Practitioners There are two kinds of practitioner: those who have attended the IAM class and those who have not.We want this book to be useful to both.The goal is to provide a standardized approach that all can use to help their customers. For the practitioner, this book helps provide the nuts and bolts to improve the processes that you already have in place. If you are new to doing assess- ments, this is good reading for you.You will learn what to expect, and that will make you a better team member. Customers There are three types of customer: those responsible for contracting the work, those responsible for assisting with the work, and those responsible for imple- mentation of the results. If you are on the contracting side, it is imperative that you understand what is to be accomplished during an IAM assessment.You don’t want to pay too much, and at the same time you don’t want to undercut the time and resources needed to provide a valuable product for your organiza- tion.This book will help you identify what you should be paying for and what work products should be delivered. For customers who are going to assist as team members, you need to know what to expect.What should be your role, and how much involvement should you have? This information will help you be a better team member and help www.syngress.com Introduction xxxiii 286_NSA_IAM_Intro.qxd 12/16/03 2:49 PM Page xxxiii your organization achieve a valuable product. Lastly, there is the individual who ends up with the report and is responsible for the implementations to improve the security posture.This book will help that customer understand how and why the assessment was done, which will enable you to see the value of what you get. Understanding can help you meet your organization’s security objectives. Managers Managers also need to read this book. Over the years we have seen companies that have tried unsuccessfully to turn this methodology into a business process. Business managers want a profitable process without a large investment. Without knowing how the process works in reality, managers can make mis- takes.They need to know what the team should be doing and who has what responsibilities during the assessment process.This knowledge will help man- agers price the service better and define the skill sets needed and staffing for a particular assessment. Sales The salespeople are crucial from a commercial standpoint due to the fact that they are the ones selling the service and need to understand how to accurately price the work. Not every assessment will be the same price. Organizations of different sizes, complexities, scopes, skill set requirements, and more will have different pricing.There are many factors to address, and for the salesperson, the pre-assessment phase of this book is probably the most important. Chapters 1 through 6 will help you understand what it is you are selling and the value of that service.You will learn some terminology and how the assessment flows so that you can speak with confidence to your customers. Final Thoughts We wrote this book with you in mind.This book is not the answer to every question or situation, but it’s a good guide to assist you in improving your pro- cesses.The class laid the foundation; now we turn that methodology into reality for you.Welcome to the IAM process, and we hope that you find this book useful. www.syngress.com xxxiv Introduction 286_NSA_IAM_Intro.qxd 12/16/03 2:49 PM Page xxxiv Laying the Foundation for Your Assessment Solutions in this Chapter: ■ Determining Contract Requirements ■ Understanding Contract Pitfalls ■ Staffing Your Project ■ Adequately Understanding Customer Expectations ■ Understanding What You Should Expect ■ Case Study: Scoping Effort for Organization for Optimal Power Supply (OOPS) Chapter 1 1  Summary  Solutions Fast Track  Frequently Asked Questions 286_NSA_IAM_01.qxd 12/15/03 3:15 PM Page 1 Introduction The National Security Agency (NSA) Information Security (INFOSEC) Assessment Methodology (IAM) is a detailed and systematic method for exam- ining security vulnerabilities from an organizational perspective as opposed to a only a technical perspective. Often overlooked are the processes, procedures, doc- umentation, and informal activities that directly impact an organization’s overall security posture but that might not necessarily be technical in nature.The IAM was developed by experienced NSA and commercial INFOSEC assessors and has been in practice within the U.S. government since 1997. It was made available commercially in 2001. NSA developed the IAM to give organizations that provide INFOSEC assessments a repeatable framework for conducting organizational types of assess- ments as well as provide assessment consumers appropriate information on what to look for in an assessment provider.The IAM is also intended to raise awareness of the need for organizational types of assessment versus the purely technical type of assessment. In addition to assisting the government and private sectors, an important result of supplying baseline standards for INFOSEC assessments is fos- tering a commitment to improve an organization’s security posture. As with any project, the first step is to identify a need; in this case, it’s the need for an assessment.This identification can happen in two ways. An organiza- tion’s leaders may realize they need an assessment, or a potential provider can convince them that they need an assessment.The justification for an assessment can include legislative requirements, response to a security incident, part of good security engineering practice, requirements for contracts or insurance, or simply because it’s the right thing to do.This book does not focus on selling the IAM to customers, since that is a specific business practice. Instead, it focuses on the pro- cess of conducting the IAM within a customer environment. In this chapter, we examine the beginning of the process, focusing on establishing the scope and contractual requirements for an assessment. www.syngress.com 2 Chapter 1 • Laying the Foundation for Your Assessment 286_NSA_IAM_01.qxd 12/15/03 3:15 PM Page 2 Determining Contract Requirements The process doesn’t truly start at writing the contract.The process probably starts one or two months earlier, when the customer decides that they need to do something related to information security, and they need to do it soon.The provider company or another company probably spent some time trying to con- vince the customer of the type of assessment they need. Somewhere during this process, either a basic set of requirements is set or a request for proposal (RFP) is written. At this point, it can officially be said that the need for an assessment has been identified.The time has come to develop the scope and contract for the assess- ment. Every IAM-related assessment starts with documentation that describes the requirements and expectations between those that are conducting the assessment and those that are receiving the assessment. In the commercial environment, the contracting process lays the foundation for the effort. In the government envi- ronment, it can be a contract or a memorandum of agreement (MOA) or mem- orandum of understanding (MOU) between two organizations that can drive the assessment effort. Ultimately, the majority of information is the same in either www.syngress.com Laying the Foundation for Your Assessment • Chapter 1 3 Contracting and the NSA IAM NSA intentionally does not specifically address business processes in the IAM methodology. The IAM was originally designed as a government methodology (NSA providing services to other government agencies) and therefore had no need for contract considerations. Once it was dis- covered that the methodology had applicability in the commercial world, NSA decided to stay out of the contracting side and let each entity handle contracting-related obligations. NSA is not generally involved with developing contract requirements, formats, or contents. The information contained in this chapter comes primarily from the authors’ experience in preparing contracts and scoping the efforts for IAM assessments. Each individual IAM provider must address con- tracting requirements without NSA assistance. Understanding Why… 286_NSA_IAM_01.qxd 12/15/03 3:15 PM Page 3 case. In the following sections, we examine the considerations that should be included in a contracted or other associated documentation. What Does the Customer Expect? Meeting expectations is critical in completing a successful assessment. Understanding customer expectations from the beginning of the process will be of tremendous assistance in defining the project’s scope, making estimates to complete the work, and finalizing the effort. Which expectations are you as the assessor concerned about? The expectations you need to address include: ■ Customer definition of an assessment ■ Customers’ “other” needs for the assessment ■ Qualifications of the assessment team ■ Customer timeline requirements ■ Customer contracting process ■ Customer cost limitations Customer Definition of an Assessment A critical first step for an assessment project is to come to a common under- standing on what composes an assessment. Often you have to spend a great deal of time with potential customers just defining what they are looking to accom- plish with the “assessment” process.The term assessment has been used loosely for years to describe everything from an audit to “attack and penetration” testing. NSA has broken up what has been traditionally called assessments into a three- phase, top-down approach (see Table 1.1): 1. Assessment The assessment is an organizational-level process that focuses on the nontechnical security functions within an organization. In the assessment, we examine the security policies, procedures, architec- tures, and organizational structure that are in place to support the orga- nization. Although there is no hands-on testing (such as scans) in an assessment, it is a very hands-on process, with the customer working to gain an understanding of critical information, critical systems, and how the organization wants to focus the future of security. www.syngress.com 4 Chapter 1 • Laying the Foundation for Your Assessment 286_NSA_IAM_01.qxd 12/15/03 3:15 PM Page 4 2. Evaluation The evaluation is a hands-on technical process that looks specifically at the organization from a system/network level to identify security vulnerabilities that exist in those systems and can be mitigated through technical, managerial, or operational means. Evaluations are often confused with assessments.The IAM specifically focuses on the assessment, but elements of evaluations can be included in the IAM pro- cess. NSA calls this a Level 1+ assessment.This includes doing technical analysis of the firewalls, intrusion detection systems, guards, and routers. It may also include some basic vulnerability scans of the customer’s net- works. In addition, the IAM process provides excellent information that leads into future evaluations. 3. Red teaming Red teaming, often called attack and penetration testing, is a process whereby someone imitates an adversary looking for security vulnerabilities to make it easy to break into a system or network.This is often called the low-hanging fruit because these vulnerabilities are the eas- iest means into the customer network. Table 1.1 NSA TRIAD Comparison Assessment (Level I) Evaluation (Level II) Red Team (Level III) Cooperative high-level Hands-on process Adversarial overview Information/mission- Cooperative testing External criticality analysis (includes policy, procedures, and information flow) No hands-on testing Diagnostic tools Penetration tests Not overly technical Penetration tools Simulation of appropriate adversary Technical in nature Specific technical expertise required NSA’s Triad is a top-down approach that starts with a high-level overview of the target organization’s security posture.The approach then focuses specifically on critical systems that carry the organization’s critical information.The final step is testing what has been implemented as part of the assessment and evaluation processes by taking a look from the “hacker’s eye” view. www.syngress.com Laying the Foundation for Your Assessment • Chapter 1 5 286_NSA_IAM_01.qxd 12/15/03 3:15 PM Page 5 [...]... used to conduct the assessment. This is a good place to emphasize the IAM as a standard methodology to conduct INFOSEC assessments, www.syngress.com 7 286_NSA_IAM_01.qxd 8 12/15/03 3:15 PM Page 8 Chapter 1 • Laying the Foundation for Your Assessment developed and approved by the National Security Agency.This includes the phases, processes, and steps that will be used during the assessment I Scope This... Your Assessment I Knowledge of any regulations or legislation that the customer will have to comply with at the end of the assessment. This information is used to determine some of the organization’s security objectives and directly affects the recommendations that are made to the customer I Knowledge of any assessments that were conducted in the past is useful to show the level of detail in previous assessments... policies and procedures to protect the critical information and systems, then addressing the technical security of the network Figure 1.1 shows Level 1, Level 2, and Level 3 in the topdown approach model TERMINOLOGY ALERT Assessment NSA defines an INFOSEC assessment as “A review of the Information System Security (INFOSEC) posture of a specified, operational system for the purpose of identifying potential... Foundation for Your Assessment • Chapter 1 will be dealing with classified information and the potential necessity for additional security controls while conducting assessment activities I Service fees with any relevant quotation notes This is your pricing table for the effort Be as detailed as possible to show the plan of action along with associated costs (The actual cost of your assessment service... all contracts for assessments in some form Assessment companies may want to consider these elements in proposals and statements of work as well; many times, these documents roll directly into a contract or agreement: I Purpose This section describes, in simple terms, the purpose of the assessment, how it relates to the customer, and the benefits the organization will receive from the assessment process... customer and/or an unhappy assessment team—not to mention the financial impact a company will feel if the project is poorly scoped and runs over the expected level of effort What “value add” does the scope bring to the project? I Defines approved areas to be covered for the assessment I Sets limitations on the assessment efforts I Defines appropriate dates and times for all specific assessment efforts I Lists... will be different than planned by the assessment team Assuring an accurate description of the deliverables in the signed agreement is important to the process I Period of performance The necessary schedule for the assessment can be extremely important Gaining an understanding of customer availability and the consultant’s availability is key to planning a successful assessment Depending on the schedule... begin to plan when the assessment makes sense I Location of the work Work location figures directly into the cost of the assessment In this section, be sure to list where the onsite work is to be conducted, where offsite work is to be conducted, if multiple locations will need to be visited, and where the analysis and reporting will be conducted Be sure to take into account whether the assessment team www.syngress.com... Page 6 Chapter 1 • Laying the Foundation for Your Assessment In days of old (and even today), security was addressed (when it was addressed at all) by first locking down a critical system, then locking down the network around the system, then documenting what had been done Almost as an afterthought, it was decided that some policy was needed to enforce the security in the future.This process is completely... elimination or mitigation of the vulnerability.” Figure 1.1 The NSA Triad www.syngress.com 286_NSA_IAM_01.qxd 12/15/03 3:15 PM Page 7 Laying the Foundation for Your Assessment • Chapter 1 Sources for Assessment Work The request for an assessment can come from many different sources Common methods include an RFP, referral from a partner, referral from a previous customer, trade-show contact, a Web site . Risk assessment Although INFOSEC assessments have aspects of risk assessment, they focus on vulnerabilities and impact. Most people think of risk assessment. National Security Agency (NSA) Information Security (INFOSEC) Assessment Methodology (IAM) is a detailed and systematic method for exam- ining security