Introducing the Assessment Process
The assessment process can be carried out in one of three ways: level I, level II, or level III types. A level I assessment is focused on information. Level I assessments require you to request and review all the security policies and procedures the organization has. This job has been simplified because the documentation has been broken into 18 distinct classes, which are shown in Table 7.1. Each of the classes of policies will be discussed in this chapter. After these documents are reviewed, you can progress to employee interviews. The interviews are with the people who carry out the day-to-day tasks outlined in the various policies that were reviewed. They will be able to provide you with valuable information about how things are actually done versus how procedure describes that they should be done. They can also offer insight into ways to improve security. It’s important to note that interviews are not interrogations. Employees should be able to speak freely with you and not worry that their comments will be attributed to them or used against them.
| Management | Technical | Operational |
|---|---|---|
| INFOSEC documentation | Identification and authentication | Media controls |
| INFOSEC roles and responsibilities | Account management | Labeling |
| Contingency planning | Session controls | Physical environment |
| Configuration management | Auditing | Personal security |
| Malicious code protection | Education training and awareness | |
| Maintenance | ||
| System assurance | ||
| Networking connectivity | ||
| Communications security |
The next item to be tackled in a level I assessment is system demonstrations. System demonstrations give you the opportunity to match up what is stated in policy versus what is actually done. System demonstrations are just as the name implies—demonstrations. You will let employees who normally perform a task go through the process while you observe.
With the completion of system demonstrations, you will have completed a level I assessment. Will you need to go further? Well, it depends. Level II and III assessments focus on technology. Items such as vulnerability scanning, password cracking, and exploiting vulnerabilities are all part of level II and III assessments. Performing a level III assessment or ethical hack just to show that someone can break in is important only to demonstrate that it endangers the organization or its key business processes. By itself, a level III assessment provides only an adversarial view, is usually external in nature, and does not examine policies, procedures, or the underlying security structure and may provide only a short-term fix. Figure 7.1 outlines the assessment process and details the flow of level I, II, and III assessment activities.
Figure 7.1. Assessment process.
Let’s start by taking a look in more detail at what needs to be accomplished during a level I assessment.
Note
An assessment is not an audit. Whereas audits are focused on ensuring compliance with established policies and operational procedures, assessments are more concerned with the big picture. Some of the questions an assessment seeks to answer are the following: Are procedures in place? Do you adequately protect the organization’s core business? Do employees have suggestions on how to improve security or make changes to current procedures? Assessments, unlike audits, are based on a policy of nonattribution. If the janitor reports that he has seen confidential information in the trash, there’s no need to attribute that statement directly to him; simply state that media control policies are not being followed.