Educause Security Discussion mailing list archives

Early Lessons Learned on External Security Assessments


From: Jim Moore <jhmfa () RIT EDU>
Date: Sat, 26 Jul 2003 23:32:56 -0400

The reason I am in my office at 10:30 on a Saturday night is because I'm
finishing some documentation for an external information security
assessment that is in progress.

This is my first in an academic setting.  And this is my first since the
mid-90s, when we were still trying to figure out what an assessment
should look like.  This is also the first time that our institution has
been through a formal, comprehensive (high-level), external information
security posture assessment.

The model I selected was the infosec assessment methodology (IAM), as it
seemed to be adaptable across various types of organizations.  It also
has its roots in capability maturity models in the security area.  This
is not to say that OCTAVE, ISO 17799, IPAK would not have been just as
good.

My assumptions:

A) I should cover the entire campus at a high level.
B) I should choose someone with formal/academic credentials as well as
reputation.
C) I needed very good communicators, and people who could be flexible.
D) Firms that do both assessments and remediation have to work harder to
avoid bias.
E) I needed to fit within my budget.
F) I had customer requirements for a fast turnaround.

So what did I learn?

1) Picking a time is never easy.  I chose the summer, thinking that
every other quarter had more in it.  But I partially hit our financial
end of year, and our summer board meeting.  And of course, many faculty
were unavailable.

2) The contract process can be slowed down by insurance concerns.  Some
insurance companies are willing to pay for information security
assessments.  However, these assessments tend to be short and focused.  We
found that our assessment will satisfy the insurance company's
requirements, but they will not contribute to the payment for the
assessment.  The "behind the scenes" look is really that insurance
companies do not pay for the assessment at all, but arrange for
companies offering remediation services to do the assessment.  These
companies are willing to do the assessment for free with the hopes of
arranging for follow-on business.

3) If the vendor offers to do a pre-assessment overview briefing
on-site, for VPs and Deans, take them up on it.  We waived it because of
contract finalization slippage.  Not a good idea.  It may mean that you
need to have the contract in place 2+ months before the on-site
interviews.
 - One month to the overview briefing, for scheduling reasons
 - One month for documentation gathering and interview/scanning scheduling
 - Schedule in a small break before the interviews, to get caught up,
   if you are a department of 1.


4) Our assessment consisted of three phases: Document collection,
On-site interviews & scanning, External scanning and analysis.

It is important to give people adequate time for document collection.
It is also important to educate users that in academic environments,
memos and e-mail can be the equivalent of "standard operating procedures
manuals" in government or industry.  Eventually, we want to recommend a
way so that less formal documents are easily accessible.

What I found important for the first-time assessment was a personal
visit to division directors, deans, and their direct reports.
Unfortunately, I did this after I noticed that the documentation was not
coming in, or in one case there was a response that it would be too much
work to assemble the documentation.

After the personal visits, there was much more support.  However, much
more support did not translate directly into good scheduling.  I gave
people about five weeks' notice for scheduling the on-campus interviews
and scanning.  When the on-campus interviews and scanning time came, I
had the schedule about 20 percent filled.  It was only after the word
started to spread that this was not an inquisition that the interviews
started to come in.  Then it was difficult to accommodate everyone as
planned.  We managed to accommodate about 80 percent.

Interestingly, during the interviews and scanning, the technical people
wanted more.

5) I had known that the onsite phase would be difficult.  I didn't
realize how demanding it would be.

The vendor included me on one of the primary interview teams as the
client contact.  A second interview team required no client contact
(which was good, because I am the only person, at Institute level,
involved in information security.  All others with information security
responsibilities are in the individual divisions and colleges.)  It was
a terrific training opportunity.  However, I was also the notetaker.
And I had no flexibility to attend to my normal duties during the entire
time.  All that was pushed into the evening.

Also, I had not checked on the health of my notebook computer's battery,
and initially I did not carry an extension cord.  There should be an
interview kit defined:
  - notebook computer with a good battery
  - extension cord
  - small switch or hub
  - wireless card
  - paper copies of the question bank
  - a notepad, or a copy of the "interview list" from the question
    bank, and have people supply their information.  I found that I didn't
    know some of the people nearly as well as I thought.  And my note taking
    couldn't keep up.

With the unexpected occasionally occurring, I had a fair number (15) of
notes from 2-hour interviews to transcribe from paper to electronic form.

I have Dragon NaturallySpeaking, and thought the transcription would be
a piece of cake.  However, the question bank was 40 pages long and
largely tables of questions.  The interaction between Dragon and Word
took a while to debug.  Dragon kept trying to keep its place in a huge,
complex document, and was slow as molasses.  My 450 MHz PIII at home
would simply lock up.  My 2.4 GHz, 1 GB RAM P4 in the office would crawl
along.  Finally, I broke up the question bank into 8 segments, of about
5 pages each, and achieved reasonable speed.

Do a practice "interview" with yourself over the phone before a real
one.  I found that I did not understand how the question bank would be
used, and so I was scheduling interviews with inappropriate time
allotted.  Also, some people will tell you how long they want for an
interview, no matter how you describe the process.  Others will also
delegate to technical people, or bring who they want.  Sometimes, summer
and vacations make it hard to get the right cross-sections.  But if it
wasn't summer, there would be other things that would make a
concentrated one- or two-week on-site interview difficult.

Take the scheduling admin or student out to lunch after the on-site
interview time is over.

6) Expect some executive jitters.  They will get a report out at the end
that will put them in a new due diligence picture.  Cast positive light
on the willingness to have an external assessment.  Be understanding,
as they will have findings that are not quick fixes, and some may have
dependencies built in.  Stress planning as being the stage after
assessment.  It isn't a fire drill.

7) After decompressing from the intense interview schedule, take some
time off.  Things will get busy after the final report is in.


Hope this helps.  I imagine some of you have this type of activity as
part of your GLB strategy.

God bless,

Jim

P.S. Having a good sense of humor helps too.

--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0
