
Security Assessment Case Studies for Implementing the NSA IAM, part 3


Defining Roles and Responsibilities
Over the course of an assessment, you will work with a multitude of people at the customer organization who have different roles and responsibilities regarding information security. It is essential that you understand who is in what role and who can do what to make sure the project progresses smoothly. Many of the people placed in the roles described in this section will be of your choosing. Others will not; however, we can at least discuss with the customer our expectation for these roles in an effort to maintain customer expectations and help them appoint the people we’ll need to be successful. As stated earlier in the book, the assessment is a team effort, and the quality of the final report is heavily dependent on customer involvement. Some of the roles we discuss here and their relationships with security are:
Decision maker
Customer POC
Upper-level management
Functional area representatives
Senior INFOSEC manager
And many more
www.syngress.com
60 Chapter 2 • The Pre-Assessment Visit

Regular practice: Imagine—some organizations include an assessment as part of a good overall security practice! In this case you usually run into a fairly open and knowledgeable staff.

Again, your understanding of the customer organization’s motives is an additional piece of information you can use to do a better job. When we assess security controls, we tend to inspect them rather closely, and rightfully so. In a manner of speaking, we are security controls as well. We should also look for any way to improve our processes and our work.
286_NSA_IAM_02.qxd 12/11/03 3:24 PM Page 60
Who Is the Decision Maker?
The decision maker is the key player when it comes to setting the scope of the assessment process and determining relevant boundaries. He or she is likely the person who authorized funding to bring in an independent team. The decision maker normally has his or her own objectives in relation to the assessment outcome.
The decision maker will ultimately authorize the direction and scope of our assessment process. Early in the IAM process, during potentially intense debates among departments about information criticality (which we address later, in Chapter 3), you will often see one individual who has to that point been rather quiet raise a hand and end the debate by making a decision based on that person’s interpretation of the conversations up to that point. You have just found your decision maker. The role is not always based on position or title. You may see a chief information security officer (CISO) or a CIO defer judgment to an ITSM. Every organization is different, but this individual can be very influential in assisting your success. Make sure you take note of this person because you may need his or her direction or clarification later in the process.
The decision maker is one of the integral components in securing management buy-in. When this individual makes it known that your project is going to be beneficial to the organization, you will get a much better response from individuals on the org chart below him or her. Without adequate buy-in at this level, don’t expect too much support from any level as the process continues!
Who Is the Main Customer POC?
The main POC for the customer is an extremely important person in this process. He or she is your liaison to the customer as well as your window into the customer’s organizational culture. Because you will rely so heavily on this person, this is an important relationship to establish early. The customer organization’s POC will work as a member of both the customer team and the assessment team. He or she will also be involved from the beginning of the project and beyond completion.
The role this person normally occupies should not be either too high on the “food chain” or too low. Usually middle management is a good place to start looking for a candidate. Upper managers will usually not have the time necessary to dedicate to this project to make it successful. Lower levels of administration will not have the authority to manage your needs in the organization. A manager in the IT or IT security departments is usually a good place to start looking, if you are allowed any input. The customer organization may already have someone in mind, which is fine, but you need to verify that they understand everything that will be expected of the customer POC.
The customer POC’s level of involvement in the assessment is significant. Any issues that arise from either the assessment team or the customer team will be funneled through this person. As a member of the customer team and the assessment team, he or she will be involved in almost all group meetings and interviews. The POC is responsible for seeing that all requests from the assessment team are handled in an appropriate manner and that all concerns of the customer team are dealt with. Assistance with coordination of the onsite visit is crucial as well in terms of time management across multiple interview schedules. This role is almost that of a quality control or project manager, considering the purposes behind the responsibility and the requirement to manage needs as they arise.
The POC’s duty as a member of the assessment team is also to ensure that your goals and objectives stay on course with the customer organization’s goals and objectives. Assessment projects can often become sidetracked due to possibly large teams and the large number of people involved. Importance and priority of data to its owners can be a very emotional topic. Maintaining level heads and a clear vision moving forward depends on the customer and assessment POCs.
NOTE
Interestingly, the main customer POC usually starts out with one of two predisposed attitudes: intense doubt or anticipation. By the time the IAM engagement gets into full swing, however, the main customer POC is often the biggest proponent of the process.
Who Is the Assessment Team Leader?
The main POC for the assessment team is the role with the most involvement. This is often the team leader or project leader. In reciprocal comparison to the customer POC, the assessment team leader is responsible for handling any customer issues or concerns. He or she is also the individual with the important duty of managing customer expectations. The assessment team leader will work very closely with both sides of the engagement and must have an appropriate personality. This may seem a little “picky” at first, but with the amount of involvement, the opportunities for argument, the goal of customer satisfaction, and the number of interviews geared toward extracting information, it really is a serious concern. Excellent problem management and people skills are musts in the personality of any team leader.
The assessment team leader is usually the individual with the most NSA IAM experience and will frequently be best suited to the role of lead interviewer as well, due to the high level of charisma required for the position. The leader’s role is as a facilitator in the opening meetings to discuss the engagement and the organization as well as to ensure that the process stays on track and is efficient enough to complete tasks in the short time allotted.
Suggestions for the Assessment Team
For the PASV, you will want to bring along a team leader (often the assessment team POC) and one or two team members. The team leader will run most meetings; the other members will take notes and offer information in supporting roles. This is one reason you garnered all that information during your preparation. Your team should be staffed with people who are experienced in the industry of the customer organization and familiar with similar technical environments. These people may or may not be a part of the team during all phases of the assessment, but their knowledge will be vital to facilitating the activities detailed in Chapters 3–6.
Ultimately, the customer POC should be considered a member of your team. If and when he or she has suggestions or questions, listen not based on technical or security-related experience alone but on the POC’s knowledge of the environment you are attempting to help protect. The person in this role will not always want to have a great involvement with the actual assessment side of the product outside assisting the team and facilitation of scheduling and introduction issues, but any assistance you can garner while “getting to know” the customer organization is always beneficial.
Possible Members of the Customer Team
The customer team will be very active in the PASV portion of the engagement. You are planning to accomplish several tasks and need to collect a wealth of information that only key parties can give, and now is the time to do so. Remember, many of these people are high-level representatives, and you are not likely to get much time beyond this to speak with them. There are five main roles you should look for to be involved with the PASV meetings:
Upper-level management: Involved to provide overall mission guidance and promote appropriate management buy-in. The decision maker is usually a member of this group as well. This group or individual will verify that you are headed in the right direction and can disseminate instructions of cooperation downward on your behalf.
Functional area representatives: These people will provide knowledge in regard to specific information types, functional roles of their departments, and sensitivity of department-owned information. Information ownership frequently resides at this level.
Senior system manager: This role will be able to provide you information in regard to the current footing of INFOSEC in day-to-day operations. Others may define policies and procedures, but ultimately this team member is the one who implements them (or at least is supposed to!).
Senior INFOSEC manager: This is the party responsible for authoring and relaying all the documentation you will be reviewing over the next few months. This person is usually the most security-literate member of the customer team and is often there to validate your approach to, and understanding of, upper management in the first few days. You will likely be heavily involved with this person throughout the process when requesting documentation or clarification of text.
Customer POC: The POC usually has a vested interest in the proceedings and is often a member of one of the aforementioned groups, since this person is at the right level within the customer organization to facilitate the success of the assessment. If not, he or she should be a part of these proceedings as well to ensure that everyone understands the process that is about to unfold.
Planning for the Assessment Activities
The amount of work that needs to be performed in such a short period of time is extensive and can lead to long, stressful days if proper preparation and planning are not performed. In this section, we cover the activities that you will perform during the PASV. Appendix A contains a PASV template that will assist you in organizing and scheduling the limited amount of time you have during your site visit. These are the main points we address:
Developing mission identification
Determining organizational criticality
Determining system criticality
Defining system boundaries
Defining goals and objectives
Creating the assessment plan
Setting the scope and coordinating the assessment
From the Trenches…
The Importance of a Team Atmosphere
Nothing can destroy a good security assessment faster than emotional flare-ups. They can happen on both sides of the project fence as security and information ownership topics are hotly debated. People can become passionate about the security of their own information assets, which is a good thing; yet tempers must always be kept in check. The team needs to maintain and provide a united front. We have witnessed engagements where members of the assessment team and the customer team spend hours per day arguing proper security controls and methods. This is not at all beneficial to the project or the customer and will ultimately result in a poor-quality product, if it ever gets to the final report phase at all.
Once these tasks have been achieved, you will be well on the way to performing an assessment. Remember, you can add to this list in whatever way it helps your organization or conforms with your business processes. This is simply a foundation of the minimum goals you should have for your pre-assessment site visit.
NOTE
As mentioned already in the chapter, we provide a template in Appendix A for your use as a checklist to maintain the integrity of the process. It can be fully customized to fit your organizational or business model needs. It is a place to start when you are in the beginning phases of the project while also allowing a centralized location for notes and contact information. At a minimum, it is an excellent tool for disseminating project information among team members as well as maintaining expectations. Portions of this checklist will be explained in greater detail in Chapters 3–6.
Also included is an IAM PASV Planning Survey template for your review. This is a wonderful tool for requesting information prior to arriving at the customer organization’s location. Distributed to the client early in the process, it will make the job of estimating time requirements and planning timelines much easier.
Developing Mission Identification
To properly perform an assessment and make recommendations for any organization, you need to have a strong understanding of that organization’s mission. It is also important to understand the business functions that drive the organization and the industry space in which the company operates. Numerous factors can define a customer organization’s mission. Examples of major organizational attributes that will figure in defining its mission are:
Profit versus nonprofit
Publicly traded versus privately held
Customer demographic
Customer satisfaction
Small business versus large corporation
Industry market share
Service offerings versus product offerings
Two players in the same industry and with similar attributes can still have different missions based on what got them to where they are today and where they see themselves going in the future. Defining this mission is something that you must do with the customer. The mission priorities are organizationally specific; because the mission statement helps define priorities regarding information types, it cannot be completed by outside parties with little experience in the customer culture. Every organization has a brief mission statement, but these statements never come close to telling you all the nuances of how the organization operates and what it considers a priority in completing its mission.
A large part of the process in the pre-assessment phase involves building an understanding of, or defining, what you believe is the security posture of the organization. Later, during the onsite visit and documentation review, you will get to validate your understanding of the current environment. Before you even begin to define the posture, you need to review the organization’s mission with the customer team. Your first meeting should begin with a discussion of mission objectives and industry function.
Understanding Industry Differences
Each industry is different from all others and therefore has different information security standards it must meet. Disparate industries value security in different aspects based on what information is important to their operations. All aspects of information security are important, but part of the resulting information gathered from the IAM offering is the prioritization of data and the controls protecting this data. Some examples of differing industries are:
Government (on multiple levels)
Military
Law enforcement
State versus federal
Academic
Health and medical
Financial institutions
Hospitality
Utility
These are just a few of the industries you will encounter. You can see how these examples would relate back to the standard concepts of CIA (confidentiality, integrity, and availability). A financial institution may place more importance on integrity due to its large number of transactions. Medical institutions may emphasize the need for confidentiality due to privacy requirements, and so on.
Relating the Mission to Pre-Assessment Site Visit Products
Defining the mission objectives will enable you to begin working on the four main products, or deliverables, that are created during the PASV. In fact, it is the underlying requirement for all of them. Mission objective definition is the basis for completing the deliverables. Each one of these is discussed in greater detail later in the book, but here are some brief introductions to them:
Organizational priorities (Chapter 3: Organization Information Criticality)—Using the information you have learned in regard to the organization and its industry and mission, you can define priorities for the organization.
System priorities (Chapter 4: System Information Criticality)—Just as you prioritize the organizational components, you funnel that information down to more detailed system-based priorities.
Customer environment (Chapter 5: System Security Environment)—Definition of the customer environment is based on multiple components such as boundaries, customer constraints, and customer concerns.
Assessment plan (Chapter 6: Assessment Plan)—The assessment plan is the agreement built during the PASV that defines the processes, the organization, and the scope of the project.
These products are customized based on priorities the customer organization defines. These can be considered guidelines for the remaining assessment process as well as the foundation for any future INFOSEC programs. Again, these products are built by both the assessment team and appropriate customer representatives. You are there to provide your knowledge of overall security implications and best practices. The customer has the detailed knowledge of their organization and what drives it. Working together is the only true way to get an assessment road map that is balanced between organizational needs and in-depth security experience.
Defining Goals and Objectives
Once you’ve completed all the investigative and customer orientation components of the pre-assessment site visit, it is now time to take that information and determine a high-level set of goals and objectives for the customer organization’s security program. These goals will assist in determining requirements for the organization’s security controls, whether they are technical, operational, or managerial. Organizational policies are often created to supplement any legislation or regulations that may fall more in line with the customer’s overall mission and goals. In addition, if some guidance is found to be too stringent or too lenient in contrast to the defined environment, this can and should be documented as a finding, with recommendations as to proper control requirements. Any additional local policies and procedures should also be used in setting detailed system security objectives.
Understanding the Effort: Setting the Scope
One of the final pieces that will begin to take shape is a full understanding of the level of effort that will be required to perform the assessment. The entire group, including both customer and assessment team members, must agree with the aspects of the remaining work. Now you can work with the customer to finalize delivery dates, project milestones, and the like.
One thing to remember when developing your final timeline is the level of involvement with recommended solutions. This includes the level of research and detail requested, but more important at this point, the implementation of those solutions. If you are at a customer’s location and you find multiple issues with currently implemented security controls that must be mitigated immediately, are you willing, and do you have the time, to jump in and assist with correcting this situation?
Information Request
Requesting information will not likely be the last thing you do during a PASV, but it is one of the last things you should verify, in that actions have been taken to assist you in gathering documentation for review. Again, the IAM relies heavily on the review of policies and procedures to perform an assurance check; therefore, you will rely heavily on access to that documentation to perform the review. Best practice would be to ask for documentation early and often. The PASV is the perfect time to gather as much documentation as possible.
Coordinate
After the PASV is completed, you can begin coordinating the remaining phases of the assessment. You may have multiple sites and teams, so this is not always a simple or easy task. A good deal of management tends to be involved with this process, resting on the team leader’s shoulders. Typical items that need action are travel components (airfare, lodging, ground transportation), site issues (scheduling customers, security clearances, briefings), and personnel requirements.
Establish Team Needs for Remaining Assessment
At this point, you should now know as much as possible without having actually reviewed any of the customer organization’s documents. Now begins the process of coordinating team members for the remainder of the project as needed. Some members will come and go as the project progresses, and others may stay on for the duration, depending on the needs of the environment.
Industry and Technical Considerations
You should now know with which industry or governmental regulations, guidelines, and legislation the customer is obliged to comply. Make sure you have available personnel with a strong background in whatever guidance may be required. Distributing any guidance to your team and keeping any and all regulations on hand throughout the process are important, of course, for understanding any current security implementations and recommendations to be made. As an aside, it also boosts the customer’s level of comfort with your services because they know that you can relate to and understand the current issues or constraints with which they might feel they have been saddled.
Don’t forget to take into account all the information you have gathered regarding the technical nature of the customer organization’s environment. It really would not go over well to have a group of Microsoft Certified Systems Engineers (MCSE) show up to begin interviewing a group of IBM AS/400 operators in regard to their day-to-day operations! The possibility of a common understanding between the teams would be very low. As early as possible, you need to make sure you have the right skill sets available to slip into the schedule without delaying the customer.

Case Study: The Bureau of Overt Redundancy
As you can understand, the case studies presented here are made up, since customer findings are considered proprietary and held in the strictest confidence. However, we do incorporate experiences gained from actual performances of the IAM assessment to illustrate the different points addressed in this chapter. So with that caveat, meet our newest customer: the Bureau of Overt Redundancy (BOR).
The Organization
We’ve been contacted by Justin Phun, an ITSM for BOR, which operates as a bureau within the Department of Excess Verbiage (DEV). Apparently, Justin has recently begun to see signs that his security measures are not quite up to snuff. In the last six months he has been hit with several viruses, backup failures, and loss of rather expensive networking equipment. Justin doesn’t believe the equipment has been stolen—he believes that the system has simply broken down someplace and it has been appropriated for invalid use. As we should all be aware, knowing how and where a number of systems are implemented is key to system inventory, contingency planning, and disaster recovery efforts, to name just a few important matters. Rogue systems can have varied and dangerous consequences. Justin feels that this situation warrants bringing in an independent review team to assess the organization’s policies and procedures, then offer recommendations where possible.
Justin has received appropriate management buy-in and authorization from the bureau CIO and is eager to get started as quickly as possible. With an extremely long and painful RFP process now in the past, you begin scheduling dates for your pre-assessment visit with Justin and filling him in on who needs to be present and why. As you do so, take notes of the names, titles, and contact information of each person you agree to involve. Since Justin is the one lobbying internally for the assessment, he has gone out of his way to acquire funding for it, and obviously he has the connections to help you work with upper management and the technical administrative staff—so doesn’t it make sense that he become your customer POC? He obviously has a vested interest and has shown the initiative that makes him a perfect candidate for this role.
While you are waiting for Justin to get back to you with optimal times to perform the pre-assessment site visit, you begin researching the BOR to put together an IAM Planning Survey. You find out that the BOR is the entity responsible for those annoying mandates in the land of Nactoobia, such as the requirement for three tags on every mattress, just in case somebody pulls off the first two prior to reading the warning label. The organization is obviously very dedicated to what they perceive to be a priority service in Nactoobia: true redundancy for the masses. You also find several directives from the Nactoobian government regulating specific aspects of information security. There are several questions you need answered, so in a brief e-mail you ask Justin to answer these questions as succinctly yet as descriptively as possible. This survey should provide your team with valuable insight and not cost the POC more than a few hours:
Q: What antivirus applications are in use?
A: Sloth AV 4.8
Q: What backup hardware and applications are in use?
A: Redundant Redundancy+ 2.3
Q: What server-level OSs are in use?
A: Custom Kernel Clusterer 3.8.22
Q: How is physical access to the data center controlled?
A: Armed guard, closed-circuit TV, proximity badge
Q: What kind, if any, of IDSs are in place to detect malicious traffic?
A: None
Q: Are you bound by Nactoobian Directive 34?
A: Yes
Q: What level security clearance is required, if any?
A: None
Q: Please list all federal regulations your organization must comply with.
A: All federal Nactoobian regulations
NOTE
Notice how we address some of Justin’s chief concerns in the very first questions. The best way to help the customer meet his objectives is to make them your objectives. This also conveys to him that you are paying attention and striving to meet his needs.
Once you get a response to your IAM Planning Survey and a formally accepted time frame, you can begin some of the mundane tasks of preparing for your visit. You, of course, schedule time with one of your lead contractors, Bill M. High, who has a background in Nactoobian federal government experience, as well as your lead operating system contractor, Lynn X. Roulls. Luckily, Lynn also has some experience with Redundant Redundancy 2.2. Seeing as how backups are a major customer complaint, it would have been wise to have Lynn study the product prior to the visit had she not already been familiar with it. As it is, we should ask our team members to familiarize themselves with the antivirus software in use. Luckily, security clearance levels are not required within the BOR.
In order to update Bill and Lynn, you send them a copy of the completed IAM Planning Survey as well as your notes and customer contact information in the IAM PASV Checklist. This allows your team to familiarize itself with aspects of the customer without requiring you to relay everything you and Justin had discussed directly. It also gives them detailed notes that they can use to research any products or regulations with which they may not yet feel comfortable.
The day comes at last, and we all travel to the land of Nactoobia to meet with
Justin and the team at the BOR. In the first meeting we begin discussing the orga-
nization’s mission and what it is that drives their motivation. Recognizably, it is a

Nactoobian federal government institution, so profit is of little concern. Multiple
directives, legislation, and regulation forcing the adoption of some wide-ranging
standards drive them as well.The agency also believes that acceptance of its goals is
predominantly dependent on the private sector companies footing the cost of their
requirements for community well being.The BOR is mandated to keep the cost,
or noticeable cost, to the customer as low as possible.The standards they are
attempting to implement are geared toward a return to products from the “good
old days.”Tired of a disposable society, Nactoobia has undertaken these efforts to
force production of higher-quality, longer-lasting products.
The official mission statement declares that the BOR will strive “to ensure all
products available to the Nactoobian people include maximum redundancy for
maximum safety and maximum reliability at minimum cost.”This mission state-
www.syngress.com
The Pre-Assessment Visit • Chapter 2 73
286_NSA_IAM_02.qxd 12/11/03 3:24 PM Page 73
ment touches on some of the points already discussed, but not all.There is also a
component, safety, declared that did not really seem to be of great concern
within the organization. A combined team agreement of mission goals would be
two major goals supported by multiple objectives:

Mandate private sector organization requirements for redundancy,
quality, and durability of products
1. Introduce legislation and requirements to control industries
2. Research products for improvement opportunities
3. Publish reports detailing benefits of adoption and hazards of non-
adoption

Maintain private sector organization costs or defray those costs without
widespread public knowledge or understanding
1. Assess risk versus cost of improvements

2. Introduce methods of industry standardization for cost reduction
3. Manipulate private sector “conclusions” into legislation
As you can infer, the BOR has a large staff of lobbyists, lawyers, and accountants. What now becomes clear as well is that the BOR doesn’t really define all the standards they publish or suggest, but it takes them under advisement from private industry rather than employing multiple teams to run independent tests. This can seriously alter original perceptions of the customer’s goals for security. Following these mission goals, it is clear that confidentiality should be considered rather high, due to the methods by which they arrive at conclusions and possible flare-ups within the voting community. We will not delve any deeper, but this portion illustrates the difference between a public mission and an undocumented private mission.
At this point we can now begin scheduling activities for the remainder of the assessment process. With the customer we can now begin coordinating team travel, site personnel interviews, delivery dates, and milestones.

The remaining activities performed during this assessment are discussed in greater detail in Chapters 3–6. At this point we’ll assume that we have completed them satisfactorily with the customer, and it is now time to move on to the later stages. The advantages of using items such as the IAM Planning Survey and the IAM PASV Checklist should be a little clearer to you, and you probably have some thoughts on how you might modify the templates to fit your business model and suit your clients.
Summary

It may seem that the pre-assessment site visit team leader must be a motivational speaker or a psychologist, with all the emphasis this chapter placed on managing customer expectation and facilitating customer discovery of their own priorities. In part, there is a bit of truth to that. It has been said that the outcome of many sporting events is decided in the first few actions. That is definitely true in regard to the IAM process. The quality of the final product of an assessment is composed of two main factors: the experience of the security professionals involved and the level of input from the customer. Managing these two goals and getting things moving smoothly are two primary points that the PASV incorporates into its process.
Preparation is a major factor in achieving those goals. The PASV, in relation to the rest of the IAM process, is a very brief stage. The amount of ramp-up time is basically nil. The level of preparation can make or break the assessment. As a basic strategy, you need to be aware of the environment you are walking into, the requirements within that environment, and the constraints put thereon. If you can discuss freely the base aspects of the client’s business, infrastructure, and regulations, the customer will open up to you more quickly. This will enable you to learn specifics faster and produce the deliverables faster as well.
Consideration of events, personnel, expectations, and requirements can help maintain your level of preparation through this stage and to the end of the assessment. Properly accounting for issues that have a customer cost associated with them, such as time, materials, and travel, will help keep customer expectations in line. You may have heard the expression “It is better to ask forgiveness than permission.” In an assessment situation, that is completely backward. Discuss any issues with your POC at a minimum to ensure that your client is informed and up to date on the process and its activities.
The PASV activities become the tools you’ll use to work on the rest of the project. Defined by the customer with assistance from the assessment team, they should have a solid footing in both security best practices and client-specific concerns. Define a security-related mission statement to build these products as well as to create a solid foundation of guidance for future security programs.
The case study is meant to be a lighthearted model for relaying a few of the key aspects of the pre-assessment site visit. It is obviously not a true representation of any organization, but it should give you a better understanding of the purpose and use of some of the tools.

With the topics discussed here, you should feel comfortable in your efforts to perform an IAM pre-assessment site visit. There is no way to prepare someone for all the things they may encounter during an assessment, but we have covered many of the major concepts that will enable you to work through any situations that arise.
Best Practices Checklist

Preparations
 Define the network, security, and organizational environments as early as you are able, to assist in staffing the industry and technical resources you need.
 Use the IAM Planning Survey and IAM PASV Checklist as data information repositories and a method of communicating objectives between team members.
 Make sure that all parties can and will be available during your visit to eliminate playing catch-up from the beginning of the project.

Considerations
 Remember to discuss the differences between an assessment and an audit to begin opening people up to the process.
 Speak to your audiences respectfully, not down to them or over their heads, when it comes to technical matters.
 Properly relate the overall impact an assessment can have on daily operations as well as how it will affect a security program.
 Understand the background of why this assessment is being performed at this time and how that may affect your working capabilities.

Activities
 Understanding the customer organization’s mission objectives is key to performing all activities in the pre-assessment site visit.
 Proper coordination is often given a low priority but is frequently the factor most responsible for letdowns in the process.
 Given the higher understanding of the required level of effort, make sure all parties involved are on the same page regarding the remaining work.
Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: Have you ever been involved with an organization from which you simply could not get cooperation? If so, how did you handle it?

A: This situation will obviously have to be handled differently based on your business practices, but yes, we have faced scenarios in which cooperation from a site or an organization was just not forthcoming. In one instance, constant communication with the organization’s leadership finally resulted in the removal of that site from the assessment. You have to weigh the overall value the customer is receiving from your persistence and make a combined decision as to whether certain aspects of the assessment should be modified.

Q: Can you have different goals and objectives within the same industry?

A: Absolutely. You will encounter differing goals at almost every organization you visit, even if they are in the same industry. They all did things a little differently to get where they are today, and they put different priorities on different subjects. Understanding the industry is simply a place to begin when you’re trying to narrow down a customer’s goals and expectations.

Q: How do you manage to maintain skill sets for all the possible situations you might face?

A: Well, it tends to vary based on your own organization. In a larger firm, we have been able to simply call for assistance from “bench” employees (those not currently contracted out). Being part of a smaller, more specialized firm, we don’t have the operational overhead to carry a bench, so we partner with those we have found to be experienced and capable through past involvement. This includes both organizational and single professional partnerships.
Q: With all of the information you don’t really ascertain until you are performing the pre-assessment site visit, how do you manage to provide proper estimates or project hour totals for the completion of an assessment?

A: This will vary based on your customer’s comfort level and the adaptability of your business model. One method that seems to work well, especially for large multisite organizations, is to offer a statement of work (SOW) for the pre-assessment visit and add a complete project SOW as another deliverable from this beginning stage. This is very beneficial to those organizations working with a fixed-price model, because you get a greater feel and understanding of what is involved after you have performed the visit.
Q: What if, during the course of an assessment, I discover that the customer organization is not in compliance with state or federal laws? What if the customer, or an employee within the organization, is deliberately breaking the law?

A: This situation can lead back to issues regarding the no-fault concept in the IAM. First and foremost, the number-one recommendation is to work out a policy with your legal department. If you do not have a computer- or data-specialized attorney, it would definitely show due diligence to have your policy reviewed by an expert. If you implement policies and procedures to combat this issue, we recommend sharing them with the client so there is full understanding of all procedures followed, should this situation occur. Other than seeking expert legal advice and always following all local, state, and federal laws yourself, we can’t really give you much more guidance on the issue. The rule of thumb we follow: If something causes you concern, contact your legal counsel.
Q: What if, after I provide the SOW, the customer organization requires unrealistic timelines?

A: This situation tends to come up quite often. Some organizations want to extend an assessment over the course of a year or so in order to defer costs. Some organizations want to have an assessment performed on an extremely large system or organization. In the first instance, other possibilities are out there, but performing an assessment over an extended period of time is not acceptable in the IAM process and is a waste of money for the client. You are looking to attain the security posture by taking a snapshot. Any findings or recommendations will likely have little value after an extended time period has passed. The second instance requires a business process to alleviate. Subcontracting is the norm in government contracting, even though many private sector organizations do not agree with the practice. This is ultimately your decision.
Q: What if the POC is lacking in communicating objectives to the customer organization? Should I step in and facilitate this communication? What if there is no clear POC?

A: Address the subject with the POC first and try to resolve any issues directly. If that is not possible or does not help, look toward the decision maker you identified earlier in the process. However, you should think of this in terms of “chain of command.” You must have a critical purpose for going over your POC’s head.
Chapter 3

Determining the Organization’s Information Criticality

Solutions in this Chapter:
• Identifying Critical Information Topics
• Identifying Impact Attributes
• Creating Impact Attribute Definitions
• Creating the Organizational Information Criticality Matrix
• Case Study: Organizational Criticality at TOOT
 Best Practices Checklist
 Summary
 Frequently Asked Questions
Introduction

In this chapter, we cover the basic activities that must be accomplished to complete the Organizational Information Criticality Matrix (OICM). The OICM is based on customer decisions about the information types within their own organization that are critical for the completion of their mission and meeting organizational goals. The activities we cover in this discussion include:

• Identifying the critical information at the customer organization
• Identifying the mission of the customer organization
• Creating impact definitions
• Creating the OICM
• Determining the high-water mark for the OICM
Defining an organization’s information criticality is one of the most important steps in the IAM assessment process. This process gives the customer a clear understanding of how their own organization operates and what information should be protected. These activities typically represent the first in-depth interaction between the assessment team and the customer. The customer should know they are in control of the assessment process and that they have the final word on the outcome of the assessment. The decisions they make will directly impact the quality of the final report your team delivers at the end of this project. The assessment team should not make these decisions because that often would require the team to make assumptions about how the customer organization conducts business and what their business goals are. In the world of commercial security assessments, poor assumptions on the part of the security consulting firm could result in a liability to the customer should a security incident occur.
Instead, the assessment team leader acts as a facilitator to make recommendations to the customer throughout the assessment process based on the leader’s own experience in the field of information security. As we learned in Chapter 1, the team leader should have a good deal of experience not only in overall information security practices but also, preferably, in the industry in which your current customer works. The majority of customers your team will work with during the assessment process will not have a significant amount of in-depth information security experience. Technical teams at customer sites are tuned to operational priorities that often do not include adequate security considerations. Even those customers with a highly technical and informed staff may lack the experience level required to help define the potential impact of a security compromise on an organization. For these reasons, the assessment team will facilitate the assessment process and effectively guide the customer toward making important decisions within this process.
From a purely business perspective, it’s crucial for the consulting team to perform well the pre-assessment processes defined in this chapter. A poorly performed pre-assessment could result in dramatic losses in profit for the company providing the assessment service and a final report that lacks the value the customer expects and requires. Examples of events that could result from a poorly performed pre-assessment include:

• Scope creep: Additional work creeps into your scope, bit by bit, until your profit begins to dwindle.
• Project delay or extension: The project could take longer than expected, reducing profits.
• Low-quality final report: The result does not meet customer expectations or does not adequately address the information security posture at the organization.

However, as we mentioned in Chapter 1, keeping the customer informed and involved in all aspects of the assessment process can help alleviate these issues before they become a real problem.
The definition of organizational information criticality is one of the primary milestones in the pre-assessment phase. The activities we cover in this chapter actually occur during the pre-assessment visit. (The pre-assessment visit is covered in more detail in Chapter 2.) In addition, the information created during this piece of the IAM assessment will be used to create the System Criticality Matrices, explained in Chapter 4.
The IAM course gives students guidelines for the length of time required to complete each phase of the IAM process. NSA specifically states that the pre-assessment visit should last one or two days. However, most teams that have performed these assessments in a commercial environment have found that the actual length of time required depends on the type of organization, its size, internal politics, and customer understanding of what they are attempting to achieve. Keep in mind as you consider these time frames that NSA works in a very different environment from most commercial entities. NSA performs these assessments for military and federal agencies that need the assistance. In many cases, the assessment process may be specifically mandated, so there is seldom a contracting phase to be concerned with, and the costs of the activities are not directly related to profit or revenue, since NSA is not in the business of making money.

In most cases, we have found that it should not take more than a single work week to complete the pre-assessment visit. You should keep in mind that this process is normally easier in theory or in the classroom than it will be in the real world. Carefully consider the time window you allocate for this work to help avoid the issues we previously mentioned. Figure 3.1 demonstrates where the pre-assessment visit fits into the rest of the IAM assessment process.
Let’s start by defining a term that you’ll use throughout the entire IAM process: information criticality. The critical information within any organization or agency is specifically the information whose loss of security would impact that organization. The information that’s considered critical varies from industry to industry and from customer to customer. In the end, the decision as to what information is critical is based on the customer mission. We cover these items in more detail later in this chapter.
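To make the two terms this chapter builds on concrete, the OICM and the high-water mark rolled up from it, here is a small Python model. It is an added example, not code from the book or from the IAM itself. It assumes three impact attributes (confidentiality, integrity, and availability) rated Low, Medium, or High, and the information types it rates are constructed for illustration; a real matrix uses whatever attributes and impact definitions the customer agrees on during the visit.

```python
"""Added example, not code from the book or from the IAM itself: a small
model of an Organizational Information Criticality Matrix (OICM) and the
high-water mark rolled up from it.

Assumptions (not taken from the page): the impact attributes are
confidentiality, integrity and availability; each cell is rated Low, Medium
or High; the information types below are constructed for illustration.
"""
from enum import IntEnum
from typing import Dict, List, Mapping


class Impact(IntEnum):
    """Ordered impact levels, so max() picks the most severe rating."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


ATTRIBUTES = ("confidentiality", "integrity", "availability")

# Constructed sample ratings, as a customer might agree them in the OICM session.
SAMPLE_RATINGS: Dict[str, Dict[str, str]] = {
    "customer records":   {"confidentiality": "high",   "integrity": "high",   "availability": "medium"},
    "payroll":            {"confidentiality": "high",   "integrity": "high",   "availability": "low"},
    "public web content": {"confidentiality": "low",    "integrity": "medium", "availability": "medium"},
    "internal memos":     {"confidentiality": "medium", "integrity": "low",    "availability": "low"},
}

OICM = Dict[str, Dict[str, Impact]]


def build_oicm(ratings: Mapping[str, Mapping[str, str]]) -> OICM:
    """Turn the customer's text ratings into the matrix.

    Every information type must be rated against every attribute with one of
    the defined impact levels. An unrated cell would silently lower the
    roll-up, so incomplete or undefined ratings are rejected, not defaulted.
    """
    matrix: OICM = {}
    for info_type, row in ratings.items():
        missing = sorted(set(ATTRIBUTES) - set(row))
        if missing:
            raise ValueError(f"{info_type!r}: unrated attributes {missing}")
        cells: Dict[str, Impact] = {}
        for attr in ATTRIBUTES:
            level = row[attr].strip().upper()
            if level not in Impact.__members__:
                raise ValueError(f"{info_type!r}/{attr}: undefined impact level {row[attr]!r}")
            cells[attr] = Impact[level]
        matrix[info_type] = cells
    return matrix


def high_water_mark(matrix: OICM) -> Dict[str, Impact]:
    """Organizational high-water mark: per attribute, the highest impact any
    single information type carries. That is the level the organization as a
    whole must be protected to, even if most information types rate lower."""
    if not matrix:
        raise ValueError("an empty OICM has no high-water mark")
    return {attr: max(row[attr] for row in matrix.values()) for attr in ATTRIBUTES}


def drivers(matrix: OICM) -> Dict[str, List[str]]:
    """Which information types set each attribute's high-water mark. These are
    the types the customer should expect the assessment to concentrate on."""
    hwm = high_water_mark(matrix)
    return {attr: sorted(t for t, row in matrix.items() if row[attr] == hwm[attr])
            for attr in ATTRIBUTES}


def render(matrix: OICM) -> str:
    """Plain-text view of the matrix with the high-water mark as its last row."""
    width = max(len(t) for t in matrix) + 2
    lines = ["".ljust(width) + "".join(a[:5].title().ljust(8) for a in ATTRIBUTES)]
    for info_type, row in matrix.items():
        lines.append(info_type.ljust(width) + "".join(row[a].name.title().ljust(8) for a in ATTRIBUTES))
    hwm = high_water_mark(matrix)
    lines.append("HIGH-WATER MARK".ljust(width) + "".join(hwm[a].name.title().ljust(8) for a in ATTRIBUTES))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_oicm(SAMPLE_RATINGS)))
```

With the constructed ratings above, the high-water mark is High for confidentiality and integrity (set by customer records and payroll) but only Medium for availability, which is the point of the roll-up: the organization's protection level for each attribute is decided by its most sensitive information type, not by the average, and `drivers()` shows the customer which types are responsible for that level.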
The exercise of defining critical information for a customer organization may prove much more difficult than you would initially guess. In some circumstances, the process might even be slightly painful and frustrating. This phase of the process is where your team will first become aware of any internal conflict that exists within the customer organization. As discussed in Chapter 1, conflict within the customer organization or within your own team can impact the assessment’s value for the customer. Every organization has its own internal politics and conflicts that become readily apparent as you step through the IAM, so be prepared to confront these issues up front and defuse potentially intense situations.

This can breed a large array of working environments from customer to customer. Individuals tend to take great pride in their work; this attitude includes each employee’s belief that the information and/or systems he or she works with are some of the most critical within the organization. The goal of the IAM
Figure 3.1 The Pre-Assessment Visit Timeline (figure not reproduced): Pre-Assessment, 2-4 weeks; On-Site, 1-2 weeks; Post Assessment, 2-8 weeks. The Pre-Assessment Visit itself, 1-5 days, falls within the Pre-Assessment phase.