Security Assessment: Case Studies for Implementing the NSA IAM, part 6 (PDF)

Modifying the Nine NSA-Defined Areas
One way to customize the TAP is through changes in the composition of the TAP. By default, you may not remove sections and still be within the IAM guidelines. The components discussed are considered by NSA to be minimum requirements for any plan to be used in an assessment. If a conflict arises and a section cannot be completed, the reasons or events leading to these issues need to be clearly documented. The section will remain, but the information detailed will be in regard to the lack of completion, not the actual topic itself.
Adding sections is entirely up to the customer. Several items may be added as requested or as part of an overall independent business practice. Just a few that can be used to add value to the document are these:

- Executive summaries: Summaries can go a long way toward providing descriptions and instructions on how to read and understand the plan. They can also be used to summarize the methodology or provide background into the purpose or goal of this particular assessment.

- Version history information: This can be very useful when dealing with very fluid engagements where change is the standard. In the example in the appendices, you'll notice that a version control page was combined with approval authority to demonstrate acceptance and understanding of each change on one simple page.
Level of Detail
The level of detail is a very important aspect of the IAM TAP. It can depend on many things, such as the level of involvement the customer organization wants to have with the assessment process. A hands-on approach may dictate requirements for a very detailed plan as well as increase the chances for multiple revisions down the road.
What is included as detail should be based on interactions with the customer. This should be worked out early on in the pre-assessment site visit, and an introduction to a sample TAP during initial meetings would not be overboard. The amount of information recorded in each section is flexible, as long as all required aspects are included.
www.syngress.com
Understanding the Technical Assessment Plan • Chapter 6 201
286_NSA_06.qxd 12/15/03 11:32 AM Page 201
Format
The format of this document is almost entirely up to you. Certain basic rules should apply, such as the inclusion of a cover sheet and the original order of topics, but most of this is fair game for adjustment based on what is more effective in a given scenario.
Some organizational assessments can be so large, with multiple assessment teams in action, that an overall TAP is created as the main repository, with several detailed plans attached as appendices. Some systems may be in such revolving states and of sufficient size to warrant breaking out diagrams and detailed technical descriptions or inventories into subdocuments for ease of management.
The TAP is a tool. Whatever helps improve the efficiency or usability of the
tool should be considered appropriate, as long as you account for all required
components.
Case Study: The Bureau of Overt Redundancy
We're back to the Department of Excess Verbiage (DEV) BOR offices. In Chapter 2 we went through the pre-assessment site visit with the BOR, detailing some of the concerns and issues regarding their environment as well as getting to understand the culture and requirements. This case study is geared toward a single document, the primary deliverable from that meeting: the TAP.
The BOR TAP
As the customer requested, we have included a document-tracking section in the TAP (see Figure 6.1). The BOR would like us to maintain a version history of the document, including change details and dates. For peace of mind, we've also added an approval section! Remember, this is a custom addition, not part of any NSA requirements for the TAP.
Contact Information
The next section, Contact Information, is a true requirement of the NSA IAM. As you can see in Figure 6.2, we have decided to include alternates for both the customer and the assessing teams. This gives the customer a second line of attack in the event an emergency arises, as well as giving the assessing team a second contact with either the authority to make decisions or access to decision makers, should any unforeseen events arise.
Figure 6.1 The BOR Document-Tracking Sheet
Version: V1.00
Date: 6 June 2003
Signature/Approval: Justin Phun, ITSM; Bill High, SCE Team Lead
Version Update Information: Pre-Assessment Site Visit Creation
Pages Affected: All

Figure 6.2 Contact Information Worksheets

DEV BOR Organization Contacts

DEV BOR Primary Point of Contact: Justin Phun
  Title: IT Security Manager
  Address: 3608 1st Nactoobia Ln
  Desk Phone: 555.555.1234
  Mobile Phone/Pager: 555.555.8365
  E-mail:

DEV BOR Alternate Point of Contact: Cole Ishin
  Title: Network Manager
  Address: 3608 1st Nactoobia Ln
  Desk Phone: 555.555.1622
  Mobile Phone/Pager: 555.555.8344
  E-mail:

SCE Organization Contacts

SCE Primary Point of Contact: Bill M. High
  Title: Principal Security Consultant
  Address: 87234 NW Safe Pl.
  Desk Phone: 555.555.6832
  Mobile Phone/Pager: 555.555.3762
  E-mail:

SCE Alternate Point of Contact: Lynn X. Roulls
  Title: Senior Security Consultant
  Address: 87234 NW Safe Pl.
  Desk Phone: 555.555.6826
  Mobile Phone/Pager: 555.555.3162
  E-mail:
Mission
Next we move on to the second point of the IAM TAP, the mission statement. We discussed the mission statement and tried to develop it into a more detailed product in Chapter 2. Here we display our final understanding of the mission goals as well as the formal statement the customer uses. The added detail in regard to the mission is another custom addition to this case study, so if in other scenarios it does not fit, it is certainly acceptable to leave it out. The DEV BOR mission statement is as follows:

    To ensure that all products available to the Nactoobian people include maximum redundancy for maximum safety and maximum reliability at minimum cost.
Through group discussions with DEV BOR management, we identified specific detailed mission objectives and requirements. These have been broken into three detailed components that will assist in defining the direction and level of focus of current and future organizational INFOSEC programs:

- Mandate private sector organization requirements for redundancy, quality, and durability within products
  - Introduce legislation and requirements to control industries
  - Research products for improvement opportunities
  - Publish reports detailing benefits of adoption and hazards of non-adoption

- Maintain private sector organization costs or defray those costs without widespread public knowledge or understanding
  - Assess risk versus cost of improvements
  - Introduce methods of industry standardization for cost reduction
  - Manipulate private sector "conclusions" into legislation

- Manage public "voting" community safety concerns in domestic consumable products
  - Validate private sector research and conclusions in terms of safeguards for consumers
  - Ensure that private sector movements and initiatives are properly marketed to consumers
After mission comes the organizational information criticality. Again, in Chapter 2 we discussed the types of information that the customer, the BOR, might use, and we rolled them into unique categories. In this section we publish those results, from specific to rollup, as well as their importance to the customer. We also include the definitions used in creating these matrices, which we defined in detail in Chapter 3. As demonstrated earlier, you'll see that the OICM includes each and every information type determined.
To combat the confusion that often surrounds the organizational versus system criticality discussions, notice the brief description included at the beginning of the section.
Organization Information Criticality
This section discusses the perceived impact of the loss of confidentiality, integrity, or availability in regard to the information types stored, processed, and transmitted within the DEV BOR organization. This includes a listing of information types and definitions for CIA, as shown in Figure 6.3. Custom definitions of High, Medium, and Low are included as well.

BOR Information Types

- Human resources
  - Personnel files
  - Applications and résumés
- Finance
  - Payroll
  - Accounts payable and receivable
- Current projects
  - Lobbyists (partners, plans, marketing, etc.)
  - Goals
  - "Research"
- Completed projects
  - Lobbyists (partners, plans, marketing, etc.)
  - Goals
  - "Research"
- Corporate partners
  - Partner information
  - Partner submissions
  - Partner "Research"
- Legal
  - Litigation as a tool
  - Litigation as a defense
Definitions

- Confidentiality: The property that the existence of an object and/or its contents is not made available or disclosed to unauthorized subjects.
- Integrity: The property that data has not been altered or destroyed in an unauthorized manner.
- Availability: The property of an object being accessible and usable on demand by an authorized subject.
- High: An impact of High consequence is one that may cause the loss of financial assets in excess of $100,000, loss of trust among partners, or loss of autonomy resulting from forced involvement of DEV or higher authority.
- Medium: An impact of Medium consequence is one that may cause the loss of financial assets in excess of $25,000 but less than $100,000, loss of trust among the public voting community, or lessened autonomy resulting from forced involvement of DEV or a higher authority.
- Low: An impact of Low consequence is one that may cause the loss of financial assets less than $25,000 and basic impedance of day-to-day operations.
Figure 6.3 The DEV BOR Organizational Criticality Matrix
[Matrix with columns Confidentiality, Integrity, and Availability and rows Human Resources, Finance, Current Projects, Completed Projects, Corporate Partners, Legal, and High Watermark; each cell carries a Low, Medium, or High rating.]
System Information Criticality
This section discusses the perceived impact of the loss of CIA in regard to the information types stored, processed, and transmitted within specific denoted systems of the DEV BOR organization. This section works directly off much of the information in the previous section, so there is no need to be overly redundant (although maybe this customer would appreciate that?). Notice in Figure 6.4 that the section description again comes into play to avoid confusion with the organizational information criticality. Note too that these systems will be described in detail in the System Configuration section. We have broken the information into two matrices: one for the Active Bureau Campaigns System (ABCS) and a second for the Bureau Information Support System (BISS), which we'll discuss in greater detail in a moment.
Figure 6.4 The DEV BOR System ABCS and BISS Criticality Matrices

ABCS Criticality Matrix
                      Confidentiality   Integrity   Availability
Current Projects      Medium            Medium      High
Corporate Partners    Medium            Low         High
High Watermark        Medium            Medium      High

BISS Criticality Matrix
[Matrix with columns Confidentiality, Integrity, and Availability and rows Human Resources, Finance, Completed Projects, Legal, and High Watermark; each cell carries a Low, Medium, or High rating.]
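The relationship between the organizational matrix, the per-system matrices, and the high-watermark row in each can be made concrete in code. The Python below is an added example written for this page; it is not the book's material or part of the NSA IAM. The financial thresholds come from the Definitions list above and the ABCS ratings from Figure 6.4; the remaining organizational ratings are constructed sample values, the high-watermark rule (per-column maximum over the information types) and the shortcut of letting a system inherit the organizational ratings are assumptions, and the handling of a loss of exactly $25,000 or $100,000 (placed in the lower level) is likewise an assumption the definitions do not settle.

```python
# Added example (not from the book or the NSA IAM): an organizational
# information criticality matrix (OICM), system matrices (SICMs) derived
# from it, and the high-watermark row computed per column.

LEVELS = ("Low", "Medium", "High")   # ordered: Low < Medium < High
COLUMNS = ("Confidentiality", "Integrity", "Availability")


def impact_from_loss(dollars):
    """Map an estimated financial loss to the DEV BOR impact level.

    Thresholds are the chapter's definitions: High above $100,000, Medium
    above $25,000 but below $100,000, Low below $25,000. A loss of exactly
    $25,000 or $100,000 is not assigned by those definitions; this example
    (an assumption) places the boundary values in the lower level.
    """
    if dollars > 100_000:
        return "High"
    if dollars > 25_000:
        return "Medium"
    return "Low"


def level_max(a, b):
    """Return the higher of two impact levels."""
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


def row(c, i, a):
    """Build one matrix row, rejecting anything that is not Low/Medium/High."""
    for level in (c, i, a):
        if level not in LEVELS:
            raise ValueError(f"unknown impact level: {level!r}")
    return dict(zip(COLUMNS, (c, i, a)))


def high_watermark(matrix):
    """Per-column maximum over every information type (assumed rule)."""
    if not matrix:
        raise ValueError("matrix has no information types")
    hw = dict.fromkeys(COLUMNS, "Low")
    for ratings in matrix.values():
        for col in COLUMNS:
            hw[col] = level_max(hw[col], ratings[col])
    return hw


def watermark_drivers(matrix):
    """For each column, the information types whose rating sets the watermark."""
    hw = high_watermark(matrix)
    return {col: [t for t, r in matrix.items() if r[col] == hw[col]]
            for col in COLUMNS}


def system_matrix(oicm, handled_types):
    """SICM for a system that stores, processes, or transmits the given types.

    Simplification (assumption): the system inherits the organizational
    ratings. A team may instead re-rate each type for the specific system.
    """
    missing = [t for t in handled_types if t not in oicm]
    if missing:
        raise KeyError(f"not in the OICM: {missing}")
    return {t: dict(oicm[t]) for t in handled_types}


def render(title, matrix):
    """Plain-text table in the layout of the chapter's figures."""
    width = max(len(t) for t in list(matrix) + ["High Watermark"]) + 2
    lines = [title, "".ljust(width) + "".join(c.ljust(16) for c in COLUMNS)]
    rows = list(matrix.items()) + [("High Watermark", high_watermark(matrix))]
    for t, r in rows:
        lines.append(t.ljust(width) + "".join(r[c].ljust(16) for c in COLUMNS))
    return "\n".join(lines)


# Ratings transcribed from the chapter's Figure 6.4 for the ABCS.
ABCS_SICM = {
    "Current Projects": row("Medium", "Medium", "High"),
    "Corporate Partners": row("Medium", "Low", "High"),
}

# Constructed sample OICM (illustrative values, not the chapter's Figure 6.3).
SAMPLE_OICM = {
    "Human Resources": row("High", "Medium", "Low"),
    "Finance": row("High", "High", "Medium"),
    "Current Projects": row("High", "Medium", "High"),
    "Completed Projects": row("Low", "Low", "Medium"),
    "Corporate Partners": row("Medium", "Low", "High"),
    "Legal": row("Medium", "Medium", "Medium"),
}

BISS_TYPES = ["Human Resources", "Finance", "Completed Projects", "Legal"]

if __name__ == "__main__":
    print(render("ABCS (ratings from Figure 6.4)", ABCS_SICM))
    print()
    print(render("BISS (constructed, inherited from the sample OICM)",
                 system_matrix(SAMPLE_OICM, BISS_TYPES)))
    print()
    print("Watermark drivers:", watermark_drivers(SAMPLE_OICM))
    print("Loss of $60,000 ->", impact_from_loss(60_000))
```

The `watermark_drivers` view is the part an assessor actually uses: it names the information type that forces each column of the high watermark, which is where a single over-rated type can inflate the protection requirements for the whole system.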
Concerns and Constraints
This section discusses specific concerns of the DEV BOR organization and possible methods to directly address those concerns. Constraints that need to be taken into consideration are discussed as well, including workarounds. We need to make sure that we include all the concerns our customer may have; this way we keep on track with requested priorities and reassure the customer that we're tracking the things that are important to them.
Concerns
Three main concerns have been discussed in relation to DEV BOR INFOSEC practices. Antivirus, configuration management, and backup procedures have all been found lacking in results compared with the requirements of the DEV BOR security team. Extra diligence will be applied to determine current procedures and their implementation levels in regard to these concerns. They will be compared with standard industry best practices, and recommendations will be made to improve lacking processes that may be leading to ineffective measures. Recommendations will also be validated to fit within any required industry regulations or legislation.
Constraints
The only true constraint is the ABCS. DEV BOR is currently involved in a major campaign, and crucial deadlines loom on a weekly basis. There must be virtually nothing that hinders the 24 x 7 required operation of this system. Any system demonstrations and interviews need to be performed when system operators and administration staff are available. SCE understands this requirement and has arranged to perform some work outside standard business operating hours during the onsite visit to better fit within DEV BOR time frames.
System Configuration
The System Configuration section discusses the system configurations that will be addressed by this INFOSEC assessment. Here we display our understanding of the customer's system. Boundaries, hardware and software inventories, site information, architectures, and the like are all relevant pieces of information to include here.
The Active Bureau Campaigns System
The ABCS provides daily operations of currently active redundancy campaign programs. The system consists of two P12H servers operating Custom Kernel Clusterer 3.8.22. This system contains the most sensitive information within the BOR in terms of confidentiality. The system is protected by two N2 standard firewalls working redundantly to protect the environment from any incidences that may occur on the BOR network. The system functions using internally developed and maintained code and is backed up regularly using Redundant Redundancy+ 2.3. Users connect through the firewalls via HTTP using a terminal client that operates in any Web browser.
The Bureau Infrastructure Support System
The BISS provides general IT support for daily administration activities and organizational support functionality. The system consists of a local area network (LAN) managed by eight Cisco Catalyst switches ranging between the 2900, 4000, and 6000 series. Also in the system are eight Windows 2000 Servers utilizing Active Directory services, Exchange 2000 for e-mail services, and Sloth AV 4.8 for server and mail antivirus protection. In addition, residing on the network are approximately 1500 workstations running a mix of Windows 98, Windows NT, and Windows 2000, all of which are likely to be at differing patch levels. Sloth AV 4.8 clients are required on all workstations.
The Interview List
The Interview List section contains the list of individuals at BOR who we have selected to interview (see Figure 6.5). You'll notice that not all the job positions have yet been defined. Due to the large number of employees, we determined that we can decide on average users during the onsite visit, based on management schedules. In this instance, the Address/Location section may not be terribly important, since all the individuals reside in the same office. In larger, distributed organizations, this information becomes much more important, and it can often be helpful to divide interviewees into groups based on location for scheduling and tracking purposes.
Figure 6.5 The Interview List

Interviewee    Title                           Address/Location        Phone/E-mail
Justin Phun    IT security manager             3608 1st Nactoobia Ln   555.555.1234, Justin.Phun@bor.dev.nactoobia
               CIO                             3608 1st Nactoobia Ln   TBD
TBD            Systems administrator           3608 1st Nactoobia Ln   TBD
TBD            Systems administrator           3608 1st Nactoobia Ln   TBD
TBD            Lead systems administrator      3608 1st Nactoobia Ln   TBD
Cole Ishin     Network manager                 3608 1st Nactoobia Ln   555.555.1622, cole.ishin@bor.dev.nactoobia
TBD            System security administrator   3608 1st Nactoobia Ln   TBD
TBD            Lead help desk technician       3608 1st Nactoobia Ln   TBD
TBD            System operators                3608 1st Nactoobia Ln   TBD
TBD            Functional users                3608 1st Nactoobia Ln   TBD
Documentation
After the interviewees comes the Documentation section. In Figure 6.6 we have listed each and every document we have received. Again, the details you decide to track are up to you, but for the purposes of this case study, we decided to track numbers, dates, formats, and the name of the individual who gave the document to us. Also notice the comment at the bottom, where we clearly define an agreed-on standard for maintaining disposal security controls.
Figure 6.6 The BOR Document-Tracking Sheet

Item   Document Title                               Internal Tracking   Format           Received From             Date
D-1    Shipping Confidential Records via UPS        BOR-P&P-012         Paper            Justin Phun               3 June 2003
D-2    Disaster Recovery Plan                       BOR-P&P-035         Paper, Digital   Justin Phun, Cole Ishin   4 June 2003
D-3    Termination of Employment                    BOR-P&P-007         Paper            Justin Phun               4 June 2003
D-4    Disciplinary Process                         BOR-P&P-006         Paper            Justin Phun               3 June 2003
D-5    Safety                                       BOR-P&P-002         Paper            Justin Phun               3 June 2003
D-6    Threats and Violence                         BOR-P&P-024         Paper            Justin Phun               3 June 2003
D-7    Substance Abuse                              BOR-P&P-053         Paper            Justin Phun               3 June 2003
D-8    Storage and Retention of Records             BOR-P&P-011         Paper            Justin Phun               3 June 2003
D-9    New Hire Orientation and Processing          BOR-P&P-002         Paper            Justin Phun               3 June 2003
D-10   Internal Audit                               BOR-P&P-028         Digital          Cole Ishin                4 June 2003
D-11   Tape Backup and Media Destruction Schedule   BOR-P&P-012         Digital          Cole Ishin                4 June 2003
D-12   Systems Development Methodology              BOR-P&P-015         Digital          Cole Ishin                4 June 2003
D-13   Help Desk                                    BOR-P&P-031         Digital          Cole Ishin                4 June 2003

Agreement of disposal: All documents reviewed in paper format shall be appropriately destroyed using a shredder within 90 days of the delivery of the final report. All digital versions of software residing on SCE equipment shall be thoroughly deleted, while any removable media (diskette, CD-ROM, etc.) will be destroyed using conventional methods within 90 days of the delivery of the final report. CD-ROM dimplers and diskette shredders are considered acceptable methods of destruction.
Events Timeline
The Events Timeline section discusses the timeline for events that the assessment process will follow as discussed during the pre-assessment site visit. This section includes dates and times for any deliverables or milestones for tracking as well as site visits and reporting. Because unforeseen customer constraints can arise, some items may shift slightly. The timeline shown in Figure 6.7 is a rather generic one, but it does cover all the required events. We've even gone so far as to add "placeholders" to remind us of important meetings that will need to be scheduled as we near the close of the project.
Figure 6.7 The BOR Events Timeline

Initial IAM requested                     7 May 2003
Pre-assessment                            2 June 2003–27 June 2003
  Site visit                              2 June 2003–6 June 2003
    Organizational discussions
    Mission/goals (INFOSEC objectives)
    Information type determination and definitions
    OICM
    SICM
    Approval for TAP
  Coordination                            2 June 2003–27 June 2003
    Planning for onsite visits
    Team requirements decisions
    Schedule for onsite visits
  Organizational assessment               2 June 2003–27 June 2003
    Review of documentation
    Review of requirements/standards/regulations
Onsite visit                              30 June 2003–11 July 2003
  Interviews
  System demonstrations
  Review of documentation
Post-assessment                           14 July 2003–15 August 2003
  Report generation                       14 July 2003–1 August 2003
    Review of documentation
    Analysis of gathered data
    Research of findings and recommendations
  Delivery of draft                       1 August 2003 (Conference to be scheduled later)
  Receipt of comments/requests            8 August 2003 (Conference to be scheduled later)
  Delivery of final report                15 August 2003 (Conference to be scheduled later)
So there we have a finished IAM TAP for our customer. From the document, you can see that we have followed all the rules and guidelines set out by NSA, but we have really been able to customize specifically to fit the BOR situation. As stated in several other chapters, this process emphasizes one of the main concepts of the IAM: flexibility. Now we get the TAP signed, and we're off and running to the onsite visits!
Summary
In the IAM, a great deal of focus is directed toward the technical assessment plan, or TAP. It is the most important tool assessment teams use to verify that value is being placed in the work and the deliverables. It is a conglomeration of charts, diagrams, and pieces of information that have been gathered during the pre-assessment site visit and compiled to act as a guide for completing the INFOSEC posture assessment.
Understanding the background of the TAP or the goals behind it will aid in putting together a plan that will efficiently manage the activities of the IAM assessment. The realization that the TAP is a working document should allow you to create a document that can be used and updated smoothly as the project rolls on. With the assessment beginning under the added assurance of an approved and signed IAM TAP, both parties should have a better understanding of the level of effort and final products required to successfully complete the assignment.
The nine core concept areas covered by the IAM TAP should encompass most of the required information to keep a good handle on the job. With the POC information, you know where to direct questions, and the remaining sections should supply everyone with information ranging from mission objectives to system configurations and diagrams. Detailed definitions and explanations further describe the story of this engagement. Boundaries have been set, and the likelihood of scope drift has been minimized with a signed agreement demonstrating the included systems.
With the amount of flexibility granted by the IAM, we can modify the TAP in many ways to fit the needs of our business practices as well as the customer's requirements. Understanding that the core nine topics may not be removed, we can then add any pieces we deem necessary.
In the case study, we again are involved in a fictitious IAM assessment, putting together the TAP for an industry organization. The example TAP created with case study information should give you a better direct look at what your IAM TAP should contain. It is by no means a fully functional plan, but it is a definite grounding point that covers all the key aspects the TAP requires.
After this discussion centered around the IAM TAP, your understanding of NSA's expectations in terms of planning and assessment guidelines should be solid. If you like, feel free to use the example plan provided to create your own IAM TAP template. It is a great exercise and can assist both you and your organization in preparing to perform an IAM assessment.
Best Practices Checklist

Understanding the Purpose of the Technical Assessment Plan
- Be sure that the plan is sufficiently introduced to the customer during the pre-assessment site visit and that ease of use for the customer is taken into consideration.
- Verify and agree on document security controls from the beginning.
- The TAP is an important tool to improve the performance of an IAM-based assessment, so use it.

Understanding the Format of the TAP
- Begin with a solid template to ensure that all components are accounted for.
- Make sure all customer concerns are documented in the TAP.
- If system diagrams do not exist, create simple summary diagrams for inclusion in the system configuration.
- For recording purposes, include dates within such sections as Interviews and Documentation.

Customizing and Modifying the TAP to Suit the Job at Hand
- Determine the level of detail required by the environment and the customer organization's needs.
- Address all components of the TAP, even if it is just to explain the reason for a lack of information.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: Who should be involved in signing the TAP?
A: A representative from both sides should sign approval to the TAP, at minimum. Often a decision maker, information owners, and the primary customer POC are involved as well. In any event, just be sure that the highest required level is on board to confirm management buy-in.

Q: If multiple people are involved with approval, how do you address addendums or revisions to the TAP, especially if multiple sites are involved as well?
A: If multiple people have approved the original from the customer point of view, you might consider naming an official "approver" for modifications. Usually this is the customer POC who, with the approval of management, has been granted the ability to approve project-related changes. It also would not hurt to document this understanding under the section that discusses points of contact.

Q: Normally, how many pages should comprise the plan?
A: Well, that really depends on the scenario and your customer involvement, but on average, for a small to medium-sized company, the plan should be around 15–20 pages. Keep in mind that this number will vary depending on things such as the number of systems, number of sites, custom additions, and the like.

Q: Does NSA provide any templates for the IAM TAP?
A: At this time NSA does not provide any templates. The agency's goal is to provide the framework for an INFOSEC assessment, and it relies on your industry experience and understanding of best practices. Some templates based on a combination of business practices and the NSA requirements are included with this book, but feel free to come up with your own or to alter these to suit your purposes.
Chapter 7
Customer Activities

Solutions in this Chapter:
- Preparing for the Onsite Phase
- Setting the Onsite Tone
- NSA IAM Baseline INFOSEC Classes and Categories
- The Fine Art of the Interview
- Case Study: Interviews with a University Staff
- Best Practices Checklist
- Summary
- Frequently Asked Questions
Introduction
This chapter introduces the reader to the onsite assessment phase of the IAM and associated activities. By the end of this chapter, the reader should have an understanding of the preparation necessary to conduct the onsite activities, the importance and necessity of setting the tone of the assessment, the basics of the NSA Baseline Classes and Categories, and the process of conducting the security interviews. This process is intended to help the customer be comfortable and not run away from the assessment team.
NSA has emphasized the importance of the assessment team developing a strong relationship with the customer when conducting the IAM process. Through experience, we have seen how important connecting with the customer can be in creating a positive assessment environment and getting the most useful information out of the customer. This relationship building starts with the first introduction made during the contracting process and continues through the pre-assessment, onsite, and post-assessment phases.
Preparing for the Onsite Phase
On completion of the pre-assessment site visit, the assessment team will hopefully have the opportunity to return to home base and prepare for the onsite portion of the assessment. The focus of the pre-assessment site visit and the focus of the onsite phase are different. The pre-assessment phase is focused on identifying business mission, critical information, and critical systems, whereas the onsite phase is focused on gathering information about the organization's security posture. The pre-assessment phase helps the assessment team understand the customer's business objectives and the underlying infrastructure that supports these business objectives. This type of information is critical to establishing the scope of the effort and defining impacts on the business operations. The onsite phase takes this information into account to determine whether the customer is meeting their objectives related to security or if additional actions need to be taken to improve the organization's overall security. To address the differences between the two phases, the assessment team will have to shift gears. They may also need to add or change team members to conduct the onsite portion of the assessment. The assessment team will not know what exactly has to be accomplished until they conduct the pre-assessment site visit. Technically, NSA defines this preparation time as the end part of the pre-assessment process. Figure 7.1 shows the preparation time as part of the IAM pre-assessment process.
Preparation gives the team time to review information collected during the pre-assessment site visit. This time should be used to decide how to address the customer focus areas or concerns and to collect the necessary questions and tools to conduct the assessment. Preparation time also gives the team leader time to address assessment focus areas and work out any issues remaining from the pre-assessment site visit. This preparation time is beneficial to both the assessment team and the customer. Proper preparation is the best way to reduce the number of problems that will be experienced during the assessment process.
WARNING
Ideally, the assessment team has the luxury of conducting preparations between the pre-assessment site visit and the onsite phase. However, often the pre-assessment site visit and the onsite phase are conducted simultaneously. Although NSA recognizes that this can happen, it is important to understand that when it does, some of the benefits of preparation are lost and the process must be closely monitored. In assessments NSA performs on its own federal customers, the agency can use a flexible timeline, but the reality in the commercial world is that we don’t always have as much flexibility. Assessment teams need to address their own timeline needs based on consultant experience and customer needs.
Figure 7.1 The IAM Timeline for Preparation [timeline diagram not reproduced; labeled phases and durations: Pre-Assessment, 2-4 weeks, containing the Pre-Assessment Visit, 1-5 days; On-Site, 1-2 weeks; Post Assessment, 2-8 weeks]

Assessment Team Preparation
A successful assessment obviously depends on a prepared assessment team. The time allocated for assessment team preparation must be used wisely to address the required administrative and technical planning that should take place during this time. Administrative planning includes actions necessary to arrange travel, clearance passing, and other non-technical types of functions. Technical planning addresses the technical needs of the client by assuring the right kind of experience with customer operating systems and applications, as well as assuring that backups are completed in case of a disaster resulting from crashed systems. The team leader should be responsible for making sure assignments are made to the assessment team and for following up appropriately to make sure the preparation tasks are being accomplished. Preparation can be broken out into administrative and technical activities. The following represents a “to do” list for the assessment team preparation:
• Send security clearances
• Schedule travel
• Schedule hotel
• Schedule transportation
• Identify assessment team members
• Coordinate schedules with the customer
• Assign onsite responsibilities to the assessment team
• Identify assessment team backups in case of emergency
• Schedule the dog for the kennel
• Pack your bags
Administrative Planning
The administrative activities associated with planning and preparation are primarily focused on the organization’s business needs and assuring that you cover all the details required to conduct the onsite assessment phase. The planning process also addresses the “care and feeding” of the assessment team to ensure a happy team:

• Coordination with the customer: As we said in previous chapters, communication with the customer is critical throughout the entire assessment. During the preparation activities, the team leader and some team members will have to communicate closely with the customer representative. The primary purpose of this activity is to ensure that schedules for interviews and meetings are arranged to meet the needs of both the assessment team and the customer and that the team has a location to work while on site. This communication should occur a minimum of once per week with the customer; in the week before the onsite phase begins, communication will probably occur daily, even if just for a “sanity check” to ensure that everything is ready to go. This coordination effort is also used to request and gather additional documentation needed for completing the assessment. Documentation will need to be coordinated throughout the entire assessment.

• Travel arrangements: Don’t forget about the simple things, like airline and hotel reservations. Consider the location of accommodations and times of travel for the team while making travel schedules. The hotel will be their home for the next two-plus weeks, so ensure that the basic amenities are there. Important considerations may include proximity to restaurants, entertainment, a gym and pool in the hotel, and high-speed Internet access.

• Care and feeding of the team: Don’t underestimate the value of the little considerations for the assessment team. These include not only a comfortable hotel room but also healthy snacks and appropriate beverages for the team members. For example, many technical people survive on products like Mountain Dew and coffee. Make sure that these are available. Brain-boosting snacks may also be appropriate for those times when team members need a little pick-me-up. Think and plan ahead, and you will have a much happier (and therefore more efficient) assessment team.
Technical Planning
The technical planning process focuses on those activities directly related to determining the customer’s vulnerabilities. It covers any preparation activity not addressed in the administrative planning process:

• Assigning responsibilities: The team leader generally has the responsibility for assigning the tasks that will need to be accomplished, during both the preparation activities and the onsite assessment itself. These tasks include the team selection process mentioned previously. The pre-assessment site visit will identify several focus areas for the team. Based on the team’s expertise, certain individuals will be assigned to interview customer areas that match that expertise. These assignments can be critical, since you don’t necessarily want your UNIX expert interviewing the customer’s Microsoft Windows administrators.

• Reviewing available documentation: During the preparation time, the assessment team should focus on reviewing information collected during the pre-assessment site visit. The assessment team will also be receiving additional documentation that might not have been available or that was found after the pre-assessment site visit. Especially important is a strong understanding of existing documentation, which could include security policies and procedures, business continuity plans, and previous assessments. Even if this documentation was read at the pre-assessment site visit, restudying it makes sense.

• Pre-analyzing available information: With the information collected from the pre-assessment site visit and the documentation collected and reviewed to date, the assessment team can identify focus areas for the assessment and perform an initial analysis of the organization’s security posture. Some of these focus areas may have already been defined for us as a “customer concern” in the pre-assessment phase. Potential findings and recommendations can be formulated from the pre-analysis effort.

• Laying the assessment road map: The assessment team’s critical objective during the preparation activities is to lay out how the flow of the onsite phase will be conducted. The members of the assessment team should understand their roles and responsibilities going into the onsite phase. How do you create the assessment road map? The assessment plan lays out the activities to be accomplished in the assessment. The easiest way is to relate the assessment plan activities to the timeline and give an idea of how the process will proceed. Then lay out the interview schedule based on the assessment objectives.
Customer Preparation
The customer will also have their tasks to accomplish between the pre-assessment site visit and the onsite phase. Helping the customer understand the expectations for their activities during preparation is important. These actions include:

• Setting priorities for interviews and organizing the schedule
• Continuing communications with customer staff and the assessment team
Scheduling
Scheduling customer staff is essential to meeting the assessment objectives. If scheduling is not handled properly, the key individuals may be out at meetings or on vacation when they are needed. Poor scheduling can also make the assessment team appear extremely disorganized, giving a negative feel to the assessment. The customer representative will spend a great deal of time coordinating with customer staff to arrange for interviews and system demonstrations:

• Schedule priorities: The first concern for the customer representative is to help identify the key personnel who will be interviewed during the assessment process. The customer rep helps ensure that critical interviewees have confirmed slots on the interview schedule. Interviewees include the C-staff (CEO, CIO, CSO, etc.), the director of human resources, and other senior-level positions. Take into consideration vacations or holidays that fall during the assessment process and try to make certain that key personnel are on the schedule.

• Schedule organization: The organization of the schedule is also critical. Make sure that there is enough time built into the schedule for team members and interviewees to travel between interview locations, make notes between interviews, have lunch, and take bathroom breaks. If the schedule is too compressed, both the customer and the assessment team will start to get frustrated. Another possibility is that an interview would have to be cut short to get to the next one on time, or the team would arrive late for the next interview. This would limit the amount of information gained from the interview and make the interviewee feel his or her role in the process is not valued.
Communication
Just as communication is key between the assessment team and the customer, customer-to-customer communication is also critical. The customer representative will have to communicate information and expectations to those members of the customer team who are involved with the assessment: