Educause Security Discussion mailing list archives
Early Lessons Learned on External Security Assessments
From: Jim Moore <jhmfa () RIT EDU>
Date: Sat, 26 Jul 2003 23:32:56 -0400
The reason I am in my office at 10:30 on a Saturday night is because I'm finishing some documentation for an external information security assessment that is in progress. This is my first in an academic setting, and this is my first since the mid-90s, when we were still trying to figure out what an assessment should look like. This is also the first time that our institution has been through a formal, comprehensive (high-level), external information security posture assessment.

The model I selected was the INFOSEC Assessment Methodology (IAM), as it seemed to be adaptable across various types of organizations. It also has its roots in capability maturity models in the security area. This is not to say that OCTAVE, ISO 17799, or IPAK would not have been just as good.

My assumptions:

A) I should cover the entire campus at a high level.
B) I should choose someone with formal/academic credentials as well as reputation.
C) I needed very good communicators, and people who could be flexible.
D) Firms that do both assessments and remediation have to work harder to avoid bias.
E) I needed to fit within my budget.
F) I had customer requirements for a fast turnaround.

So what did I learn?

1) Picking a time is never easy. I chose the summer, thinking that every other quarter had more in it. But I partially hit our financial end of year, and our summer board meeting. And of course, many faculty were unavailable.

2) The contract process can be slowed down by insurance concerns. Some insurance companies are willing to pay for an information security assessment. However, these assessments tend to be short and focused. We found that our assessment will satisfy the insurance company's requirements, but they will not contribute to the payment for the assessment. The "behind the scenes" look is really that insurance companies do not pay for the assessment at all, but arrange for companies offering remediation services to do the assessment. These companies are willing to do the assessment for free with the hopes of arranging for follow-on business.

3) If the vendor offers to do a pre-assessment overview briefing on-site, for VPs and Deans, take them up on it. We waived it because of contract finalization slippage. Not a good idea. It may mean that you need to have the contract in place 2+ months before the on-site interviews:

- One month to the overview briefing, for scheduling reasons
- One month for documentation gathering and interview/scanning scheduling
- Schedule in a small break before the interviews, to get caught up, if you are a department of 1.

4) Our assessment consisted of three phases: document collection, on-site interviews & scanning, and external scanning and analysis. It is important to give people adequate time for document collection. It is also important to educate users that in academic environments, memos and e-mail can be the equivalent of "standard operating procedures manuals" in government or industry. Eventually, we want to recommend a way so that less formal documents are easily accessible.

What I found important for the first-time assessment was a personal visit to division directors, deans, and their direct reports. Unfortunately, I did this only after I noticed that the documentation was not coming in, or in one case there was a response that it would be too much work to assemble the documentation. After the personal visits, there was much more support. However, much more support did not translate directly into good scheduling. I gave people about five weeks' notice for scheduling the on-campus interviews and scanning. When the on-campus interviews and scanning time came, I had the schedule about 20 percent filled. It was only after the word started to spread that this was not an inquisition that the interviews started to come in. Then it was difficult to accommodate everyone as planned. We managed to accommodate about 80 percent. Interestingly, during the interviews and scanning, the technical people wanted more.

5) I had known that the on-site phase would be difficult. I didn't realize how demanding it would be. The vendor included me on one of the primary interview teams as the client contact. A second interview team required no client contact (which was good, because I am the only person, at the Institute level, involved in information security. All others with information security responsibilities are in the individual divisions and colleges). It was a terrific training opportunity. However, I was also the notetaker, and I had no flexibility to attend to my normal duties during the entire time. All of that was pushed into the evening. Also, I had not checked on the health of my notebook computer's battery, and initially I did not carry an extension cord. There should be an interview kit defined:

- notebook computer with a good battery
- extension cord
- small switch or hub
- wireless card
- paper copies of the question bank
- a notepad, or a copy of the "interview list" from the question bank, and have people supply their information.

I found that I didn't know some of the people nearly as well as I thought. And my note taking couldn't keep up. With the unexpected occasionally occurring, I had a fair number (15) of notes from 2-hour interviews to transcribe from paper to electronic form. I have Dragon NaturallySpeaking, and thought the transcription would be a piece of cake. However, the question bank was 40 pages long and largely tables of questions. The interaction between Dragon and Word took a while to debug. Dragon kept trying to keep its place in a huge, complex document, and was slow as molasses. My 450 MHz PIII at home would simply lock up. My 2.4 GHz, 1 GB RAM P4 in the office would crawl along. Finally, I broke up the question bank into 8 segments of about 5 pages each, and achieved reasonable speed.

Do a practice "interview" with yourself over the phone before a real one. I found that I did not understand how the question bank would be used, and so I was scheduling interviews with inappropriate time. Also, some people will tell you how long they want for an interview, no matter how you describe the process. Others will also delegate to technical people, or bring whom they want. Sometimes, summer and vacations make it hard to get the right cross-sections. But if it wasn't summer, there would be other things that would make a concentrated one- or two-week on-site interview difficult. Take the scheduling admin or student out to lunch after the on-site interview time is over.

6) Expect some executive jitters. They will get a report out at the end that will put them in a new due diligence picture. Cast a positive light on the willingness to have an external assessment. Be understanding, as they will have findings that are not quick fixes, and some may have dependencies built in. Stress planning as being the stage after assessment. It isn't a fire drill.

7) After decompressing from the intense interview schedule, take some time off. Things will get busy after the final report is in.

Hope this helps. I imagine some of you have this type of activity as part of your GLB strategy.

God bless,
Jim

P.S. Having a good sense of humor helps too.

--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax: (585)475-7950
PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0