Security Assessment: Case Studies for Implementing the NSA IAM, Part 7


Group Interviews
There is some debate about the value of group interviews. Many people argue that a group interview will silence the less outgoing but important members of the technical team. The group interview does provide a good opportunity to hear the opinions of the more outgoing personnel. Through observation, watching body language, and listening to the people involved in the group interview, the assessment team can see those people who have a difference of opinion from the dominant personality. The assessment team will want to be sure to interview those people individually.
Interview Scheduling
The interview schedule can make or break an onsite assessment. Some suggested considerations for scheduling include:

• Allow at least 1.5 hours for each technical- or operational-level interview. These interviews are where the assessment team will spend the most time during the interview process.
• Allow at least 1 hour for each senior management-level interview (C-staff, president, and so on). Senior management-level interviews will generally be the shortest due to time constraints of people at this level, but they are also the most unpredictable and therefore need allocated time.
• Allow 30 to 45 minutes for each user-level interview, but remain flexible so that the interviewees do not feel slighted.
• Allow at least 15 to 20 minutes between interviews to allow relocation time and for jotting down final notes before transitioning to the next interview.
• Try to group interviews by physical location where possible to avoid running across campus or across town to conduct interviews.
• Leave room in the schedule for additional interviews.
Interview Environment
Make sure that the location in which the interviews are conducted is comfortable and informal. Conduct each interview in the interviewee’s area when possible but still in a private location, where the interviewer is on the interviewee’s turf. Remove any obstacles to the interviewee’s comfort, and try to avoid putting a table between the interviewee and the interviewer. This will help remove both physical and psychological barriers between the interviewee and interviewer, allowing the interviewee to feel comfortable and hopefully allowing for the free flow of information.
www.syngress.com
248 Chapter 7 • Customer Activities
286_NSA_IAM_07.qxd 12/12/03 3:32 PM Page 248
Attributes of a Successful Interviewer
Interviews are supposed to gain accurate information about the customer’s formal and informal processes. To effectively accomplish this goal, the interviewer must be able to break down barriers and gain trust, ask the right questions, and gain the information needed.
Breaking the Barriers
The person conducting the interview should not be a novice at interviewing. The interviewer cannot appear like an inquisitor from the Dark Ages. They must be personable, compassionate, and able to freely communicate. Effective interviewing has several characteristics that directly impact the effectiveness of the interview. The NSA IAM training course identifies several of these characteristics, as listed in Table 7.4.
It might also be useful to walk around the office area and get a glance at the work areas of the people to be interviewed. You might find indicators of individual and even group interests that could help break down communications barriers and serve as an indicator of interests that can be used to “break the ice.” You can tell a great deal about people by what is on their desks or on their walls.

From the Trenches…
Expect the Unexpected
Remain flexible, and be prepared for just about anything. The assessment team will be required to comply with all fire drills, tornado alert procedures, earthquake drills, and other customer emergency procedures while onsite. Be respectful of the customer and their procedures to ensure both the safety of the assessment team and returned respect from the customer. The customer will also need to be able to adjust the schedule in the event that someone must cancel or reschedule.
Table 7.4 Interview Characteristics

Empathy: Demonstrating an understanding of what the interviewee is stating through restating answers, clarifying meaning, and doing it with feeling. Stay involved.
Warmth: Being friendly, compassionate, and personable in the interview. Showing you truly care about the subject being talked about.
Positive regard and respect: Being open with the person about your experiences to help get them to open up to the interviewer. Showing faith in the person and accepting the information they are providing.
Ask open-ended questions: Ask questions that require more than just a Yes or No answer to get the interviewee to provide additional information. We need the interviewee to say what is on their mind; open-ended questions facilitate that process.
Keep discussions on track: Allow the interviewee to express opinions, but also try to keep the interview focused on security-related issues.
Use tailored questions: Utilize questions that are tailored to the type of business area that the interviewee is part of. This helps to ensure understanding of terminology.
Good listener: The interviewer needs to have good listening skills, including the ability to show interest in what the interviewee is saying. He or she should also be able to read body language.
Be consistent in response to answers: Provide a consistent response to answers. Try to avoid showing over-interest or excitement about specific answers.
Record something for all answers: Take notes for all answers to avoid the appearance of overexcitement for specific answers. Interviewees get nervous if the interview team has taken no notes up to that point and then begins scribbling notes frantically when they begin speaking about a particular topic.
Allow the interviewee a final open opportunity to express thoughts: Give the interviewee a final chance to speak his or her mind before closing the interview. This is the interviewee’s chance to mention anything that might have been missed in the question pool or discussions and your opportunity to learn of any internal issues that might be unknown to this point.
Be on time: Arrive for the interview on time. The interviewee’s time is valuable, so please respect it.
End on time: Finish the interview within the allotted time. If you run out of time with this individual, schedule a time to try continuing the interview process. In some situations, particular individuals have a great deal of valuable information to share, and the assessment team will need to be flexible during these times. Don’t be late for the next appointment.

From the Trenches…
Breaking the Ice
I used to work as a government contractor in a program management position and had to spend a great deal of time interfacing with the division chief of the government group we were working with. On his office walls were pictures of his kids and himself with a bunch of fish they’d obviously caught—not just one picture, but at least 20. There was an immediate ice breaker: being able to talk about fishing or family. Another possible approach is to look for indicators of favorite football, baseball, or other sports teams. Look for common interests to help open the interviewee up during the discussions.
WARNING
Be careful not to be intrusive during the interview process. If the interviewer influences the interview through his or her own personal views, it can taint the results. In this case the interviewee may tell the interviewer what the interviewer wants to hear, or the exact opposite of what the interviewer wants to hear. What you really want out of this process is the truth.
Gaining Needed Information
The interview process is intended to help the assessment team gain information about the customer’s actual security practices so that they can complete an analysis of the customer security posture. This is accomplished through asking questions and taking good notes that can then be reviewed during the analysis process.
Taking Notes
Notes are an important part of the interview process. The assessment team needs to keep some reference from the interviews for review during the analysis process. Generally it is beneficial to have a second person in the interview taking extensive and constant notes so that the primary interviewer can concentrate eye contact, discussion, and clarification with the person being interviewed.
Recording the Interview
Interview recording is another debated subject. Recording an interview can provide the assessment team with an easily referenced source and doesn’t require that extensive notes be taken. The negative side of recording the interview is that it may make the interviewee uncomfortable and may eliminate the nonattribution aspects of the interview, since the recorded interview could be subpoenaed in a court case. NSA generally does not recommend taping interviews due to how uncomfortable it may make the interviewee and the fact that a recorded interview can be directly attributable to an individual, which violates the nonattribution “promise” of the IAM assessment.

Interview Questions to Ask
A predetermined set of questions is helpful, but such a list should only be used as a guide, not an absolute set of questions or the only questions that are asked. Answers to some questions will lead to additional questions that are not on the question list. Knowing when to ask these nonpredetermined questions will be based on the interviewer’s experience and expertise.
NSA recommends no set of standard questions for conducting the interviews. However, a few resources are useful in formulating the set of questions that will help the assessment team gain the needed information and identify the organization’s vulnerabilities. The first resource for questions comes from the security expertise of the assessment team. This can be a compilation of experience from the multiple team members. The second resource is the NIST 800-26 Security Self Assessment Guide. It provides a series of management, technical, and operational questions that help pull out the security information of the organization. This resource can be located through www.nist.gov. The third resource is the NSA IAM itself. The 18 areas that are identified by NSA in the management, technical, and operational areas provide an excellent guide on which to base a question set. These and other resources, combined with the IAM framework, make it fairly easy to create question sets that are industry-specific and provide an excellent starting point for the interviews.

From the Trenches…
The Bad Interview
From time to time, the assessment team will experience a bad interview. Either the personalities will clash or there was no success in getting the interviewee to open up. Don’t let this failure discourage the assessment team. Just accept it and move on.
Case Study: Interviews With University Staff
The interview schedule was finally set, at least for the first week of the onsite phase of the Red Rover University assessment. Through discussions during the pre-assessment site visit, we determined that the college was most concerned about liability for systems used to initiate attacks on other systems and Family Education Rights and Privacy Act (FERPA) regulations. FERPA addresses the privacy protection responsibilities for educational institutions.
The university has four colleges along with the associated support staff. Each college has its own technology staff responsible for systems administration and security for that particular college. The administrative functions of the college are supported by the university’s Information Technology (IT) department. Table 7.5 identifies the Week 1 schedule of interviews.
Table 7.5 Sample Assessment Schedule, Week 1
Week 1 On Site Monday Tuesday Wednesday Thursday Friday
0730 Arrive on site Arrive on site Arrive on site Arrive on site Arrive on site
0800 Opening meeting Tour of new Meeting with Interview with Meeting with cus-
technology customer repres- server support tomer representative
center entative
0900 Tour of campus Interview with Interview with Continued Interview with facili-
food services manager of ties management
director technical services
1000 Interview with Continued Meeting with Continued
chancellor’s office customer repres-
entative
1100 Continued Interview with Lunch with Interview with Interview with dean of

dean of engin- campus security business college liberal arts
eering director systems admin-
istrators
1200 Lunch with Lunch Continued Interview with
liberal arts sys budget director
administrators
(group)
1300 Interview with Reserved for Lunch Prep for chancellor
computer unscheduled meeting
technology staff interview
(group)
1400 Continued Reserved for Interview with Interview with Lunch
unscheduled desktop support computer science
interview staff
1500 Interview with Continued End of week meeting
patent office with chancellor’s
director office (update)
1600 Continued Assessment Reserved for Assessment team and
team meeting analysis customer rep meeting
for next week’s
preparation
1700 Customer Continued
representative
update

1800 Assessment Interview with Interview with
team dinner and night school janitorial staff
status meeting computer
technician
1900 Continued Assessment team Assessment team Assessment team
meeting and meeting and meeting and
dinner dinner dinner
NOTE
The assessment team utilized NSA’s 18 Baseline INFOSEC Classes and Categories as the high-level guide for conducting the interviews, realizing that some sections of the 18 categories will not apply to all customer personnel being interviewed.
The first set of interviews on Monday at 1200 and 1300 hours, with the liberal arts systems administrators and the computer technology staff, were both group interviews. During these interviews a common name was brought up that was not part of either staff. Fred Kingsly had been a systems administrator originally with the Liberal Arts College and after a year had moved over to the Computer Technology College and was responsible for all lab networks. Fred graduated with his Master’s degree last year and was now working as a faculty member in the undergraduate Computer Technology program while working on his Ph.D. Fred was identified by the university staff we interviewed as being the “brain” behind most of the security tools and policies in place at the university. Fred was not yet on the interview list, so we made a note to get Fred on the schedule if at all possible.
During these interviews, we also noticed that there were a few dominant personalities, and in the case of the Liberal Arts College systems administrator staff, a very quiet administrator disagreed with them (noticed through body language) but didn’t say anything. We added this person to the list of people to be interviewed. During these interviews, we also picked up several additions to our documentation list, including a Draft Security Policy from three years previous, two e-mail directives on the password policy for the college (the only known place it was published), and a security incident report on the ILOVEU virus.
Currently there are three after-hours interviews we know must be conducted: the night school computer support technician, janitorial staff, and the night shift campus security manager. It will be important to gather their perspectives on the college’s security posture. We also warned the customer representative handling the schedule to try to avoid forcing the assessment team to run back and forth across campus several times a day. It is approximately 1 mile from one end of campus to the other. The assessment team found that meeting with the customer representative on a daily basis helped resolve conflicts and issues before they got too difficult.
The update to the chancellor was a smart idea and helped our cause greatly. The chancellor received feedback from the departments that the assessment was going better than they expected and that they found value in the information that was being collected. They also said they felt that the assessment team was truly listening to their opinions and were hopeful that the university would address the findings with the greatest urgency.
The Management Interview
John Smith is the director of operations for Red Rover University and is responsible for all networking and computer operations for the nonteaching staff at the university. John has been working with the university for the last 3.5 years after being vice president of operations for a small local financial services firm. Prior to this interview, members of the team were able to determine that John was very much “into” the Washington Redskins professional football team and enjoyed playing golf. Luckily, one of the assessment team members was from the Washington, D.C., area and was also an avid golfer (although a little rusty from working so hard on the assessment).
At the start of the interview, the team discussed football and golf for 5 minutes or so to try to relax John into openly sharing his thoughts and concerns. After a few laughs and “war stories,” the interview leader discussed the purpose of the assessment and what John could expect from the interview process. John did express some concern about the lack of communication from the university as to the purpose of the assessment and some of his staff’s fears that they were being considered for downsizing. The interview leader described the purpose of the assessment and reiterated what the university said the results would be used for and the plans for delivering the results. Red Rover University had identified the purpose of the assessment as looking at how the university stands in meeting the FERPA requirements and how the university rates against best practices. John was aware of several security incidents that he feels may have pushed the university to finally take a look at its networks’ security.
The interview team started by gathering information with questions based on the 18 areas. We won’t go through every question, but here are just a few of the relevant ones and John’s answers:
Q. What security-related documentation are you aware of and/or use for your or your staff’s job?
A. We have a security policy that applies only to the university support staff. We tried to push for a university-level policy, but the colleges pushed back saying they want to control their own environment. Unfortunately, the colleges have a great deal of autonomy and were able to avoid the university-level policy.
Q. Do the colleges have their own policies?
A. The colleges are supposed to be working on their own policies, but no one is monitoring the development or implementation.
Q. What other documents do you use?
A. We created a few e-mail type guidance memos, but that is pretty much it. Most security is implemented ad hoc and is due to the self-initiative of some of our systems administrators.
Q. What types of documentation do you think you need?
A. A university-level security policy, incident response plan, disaster recovery/business continuity plan, and maybe some security training and awareness information.
Q. Who at the university has primary responsibility for security-related issues?
A. Well, campus security has all physical security responsibilities, but no one is designated for technical security types of issues for the entire university. Each college is responsible for its own technical security. There was discussion to include that in campus security as well, but they don’t have the right kind of expertise. I believe part of what the university is looking for is a recommendation from the assessment team where it should be placed.
Q. What do you think the university should do to address security responsibilities?
A. I think the university needs to have a Campus Technical Security Working Group that includes representatives from the colleges and university staff support and a designated university security leader to lead the effort. We need technical security leadership at the university to coordinate and keep things moving forward. Otherwise, everyone is doing their own thing.
Q. What do you think the greatest challenge(s) are for the university from a security perspective?
A. (Speaking up very quickly) Lack of leadership, lack of education, lack of enforced security standards!
When asked about contingency planning and configuration management areas, John responded that they have no consistent practices implemented, but he felt strongly they were needed. When asked about the technical areas, he referred us to his technical staff as the best source of information for those areas. He felt that his staff had a relatively good grasp of technical security issues within his department, but he couldn’t comment on the rest of the university.
The Technical Interview
Red Rover University and the assessment team decided to conduct both group and individual interviews to try to gain the greatest knowledge from the university staff. The following is a sampling of information gained during those interviews.
Group Interview with Computer Science Systems Administrators
This technical interview was actually a group interview with the systems administrators from the College of Computer Science. The four people in the interview were Joan Heartfelt (Sun Solaris administrator), John Highonlife (Windows administrator), Byron Brownnose (Windows administrator), and Marcia Grady (Linux administrator). The assessment team attempted to find out as much about the systems administrators as possible prior to the interview. Other than the fact that they are all systems administrators, they have very little in common, so we had to break the ice rather carefully. The best approach we found was through introductions and general discussion. The administrators seemed to get along fairly well with each other, with the exception of Marcia, who was extremely quiet.
The interview started with gaining an understanding of each person’s role and responsibilities within the group. They stated there was no separate security administrator. Each systems administrator was responsible for the security of their respective system. Here is an excerpt of answers from the “management” style questions asked in the interview:
Q. What security-related documentation are you aware of and/or use for your job?
A. Everybody answered user manuals and Web searches; none was aware of any university- or college-level policies that should be guiding them.
Q. Do the colleges have their own policies?
A. None that they are aware of.
Q. What types of documentation do you think you need?
A. (from Byron) Maybe some guidance further locking down our respective operating systems. (Marcia rolls her eyes.)
Q. Who at the university has primary responsibility for security-related issues?
A. No university-level contacts known. Each administrator is responsible for the security of his or her own systems.
Q. What do you think the greatest challenge(s) are for the university from a security perspective?
A. (From Byron) People not knowing what they are doing. (Marcia rolls her eyes again.)
Q. Do you have a firewall?
A. Yes, we do. It’s a Checkpoint FireWall-1 on a Nokia Solution.
Q. Who manages it?
A. (Joan answers) John.
A. (Marcia answers) I do (rolls her eyes again).
Q. Who really manages it?
A. (John answers looking very politically correct) Well, we both do. I’m the primary and Marcia is my backup. Due to some recent projects, Marcia has had to back me up quite a bit.
Q. Can I get a copy of the firewall rule sets to review?
A. (Byron answers) Sure, Marcia will get those for you (Marcia rolls her eyes yet again).
The interview continued like this through a series of technical-related questions. It was clear that Marcia had a differing opinion from the other three systems administrators on the state of security and how things should be run within the group. But she did not say what her opinion truly was or why she seemed frustrated either with the process or the individuals. After the interview, the interview team decided that it would be wise to have a separate interview with Marcia to try to understand where her difference of opinion is coming from.
Individual Interview with Marcia
Since it was clear that Marcia had a difference of opinion about operations and security with the rest of the staff, a separate individual interview was arranged with Marcia to address her concerns:
Q. Marcia, you seemed to not agree with Joan, John, and Byron on the answers during the group interview. Is there anything you can share with us that will help our assessment effort to be more accurate?
A. It’s not so much that I disagree, it’s just that I am very frustrated with Red Rover University policies and procedures. I have been here for over three years, the longest of any of the four of us. I have been saying over and over again that we need to address security and do things to improve our security posture. Of course, there is no money and no management support to do this. It took a FERPA violation and someone hacking one of our systems and using it as a zombie to attack other systems to cause them to pay attention. Plus, I am the one that got blamed for the zombie machine because it was a Linux box on our side of the network. Unfortunately, it was a graduate assistant who put the unpatched box online without anyone’s knowledge. I used to have primary responsibility for the firewall at that point, then John got it because of the problems. I wasn’t formally reprimanded, but everyone still blames me for the problem.
Q. Did the student who put the box online get reprimanded?
A. No, the university said they couldn’t because there were no policies to define allowed activities and associated punishments.
Q. Is there a code of conduct or acceptable-use policy now?
A. Not that I am aware of. They said they wanted to see the recommendations from this assessment first. But they told me never to let that problem happen again.
Q. What are you doing to try to prevent it?
A. I run network discovery tools once a week to try to find new boxes and send out a note to everyone I can think of to address the prohibition of putting systems on the network without my knowledge. If they put something up I don’t know about, then I block them. I have ticked off a couple of professors in recent weeks doing this.
Q. What do you see as the biggest obstacle for you to be able to do your job?
A. Lack of university leadership and listening to the employees who have to live in the trenches every day. Until the two incidents I mentioned, there has not been a great deal of consideration given to security here. Now, due to the FERPA fine and the bad press, the university is finally paying attention. I’m glad they are now, but I think we could have prevented it had they paid attention to me to begin with. I have always been a firm believer in prevention.
Q. Is there any kind of rift between you and other systems administrators?
A. No, I apologized to them after the group interview. We are all friends, it just has been extremely frustrating for me. I hope you really can help.
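The weekly check Marcia describes in the interview above, finding boxes that appeared on the network without anyone’s knowledge, comes down to comparing what a discovery sweep sees against an approved asset list. The following is an added example written for this edition, not code from the book or from Red Rover University. The inventory, the discovery output, the function names (parse_discovery, find_unapproved, find_missing, weekly_report) and the sample addresses are all constructed for illustration; the hostnames and owners reuse the case study’s names.

```python
"""
Added example (not from the book): compare a weekly network discovery
sweep against an approved asset inventory and report hosts that are on
the wire but not in the inventory. All data below is constructed.
"""
from dataclasses import dataclass

# Constructed approved-asset inventory: MAC address -> (hostname, owner).
# A real list would come from a CMDB or a maintained asset register.
APPROVED_ASSETS = {
    "00:11:22:33:44:01": ("cs-fw-01", "John Highonlife"),
    "00:11:22:33:44:02": ("cs-linux-01", "Marcia Grady"),
    "00:11:22:33:44:03": ("cs-sol-01", "Joan Heartfelt"),
}

# Constructed discovery output, one host per line: "<ip> <mac> <hostname-or-?>".
# The last line is a box nobody registered, like the graduate assistant's machine.
DISCOVERY_OUTPUT = """\
# constructed sweep of 10.20.1.0/24
10.20.1.1 00:11:22:33:44:01 cs-fw-01
10.20.1.10 00:11:22:33:44:02 cs-linux-01
10.20.1.11 00:11:22:33:44:03 cs-sol-01
10.20.1.57 00:11:22:33:44:99 ?
"""


@dataclass(frozen=True)
class DiscoveredHost:
    ip: str
    mac: str
    hostname: str


def parse_discovery(text):
    """Parse sweep output; skip comments, blanks and malformed lines so one
    bad line does not abort the weekly run."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, mac = parts[0], parts[1].lower()  # normalise MAC case before matching
        hostname = parts[2] if len(parts) > 2 else "?"
        hosts.append(DiscoveredHost(ip, mac, hostname))
    return hosts


def find_unapproved(hosts, inventory):
    """Hosts seen on the network whose MAC is not in the approved inventory.
    MAC addresses are an assumed, weak identity (easily changed), so treat
    a hit as a lead to follow up, not proof of who owns the machine."""
    return [h for h in hosts if h.mac not in inventory]


def find_missing(hosts, inventory):
    """Inventory entries the sweep did not see; useful for spotting stale
    inventory records or hosts that were quietly retired."""
    seen = {h.mac for h in hosts}
    return sorted(mac for mac in inventory if mac not in seen)


def weekly_report(text, inventory):
    """Summarise one sweep: counts, unapproved hosts, and missing assets."""
    hosts = parse_discovery(text)
    return {
        "discovered": len(hosts),
        "unapproved": [(h.ip, h.mac, h.hostname) for h in find_unapproved(hosts, inventory)],
        "missing": find_missing(hosts, inventory),
    }


if __name__ == "__main__":
    report = weekly_report(DISCOVERY_OUTPUT, APPROVED_ASSETS)
    print(f"{report['discovered']} hosts discovered")
    for ip, mac, name in report["unapproved"]:
        print(f"UNAPPROVED host {ip} ({mac}, {name}): notify owner, quarantine pending registration")
    for mac in report["missing"]:
        print(f"inventory entry {mac} ({inventory_name}) not seen this week" if (inventory_name := APPROVED_ASSETS[mac][0]) else "")
```

The point of the report is the follow-up, not the block itself: an unapproved host is a lead to confirm with its owner, and the “missing” list keeps the inventory honest so that next week’s comparison is still meaningful. Blocking a box only after the owner has been notified is the step that keeps the check from turning into the kind of friction Marcia describes with the professors.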
Based on the combined information, we were able to get a better picture of the past and present of the university from a security perspective. This information was verified through further discussions and helps identify the basis for assessment and how the security road map will need to be laid out to accomplish improving the university’s overall posture.
Summary
Preparation for any activity is the key to a successful project. After completion of

the pre-assessment site visit, ideally the assessment team will have the opportunity
to go back to home base to prepare for the onsite activities.The pre-assessment
preparation activities are expected to take two to four weeks, to allow time to
conduct all the activities. Both the assessment team and the customer will have
preparation activities they must accomplish in order to be prepared for the actual
onsite time.These activities involve both administrative and technical activities to
ensure that the onsite phase will go smoothly. Appropriate formulation of the
interview schedule is probably the most critical preparation activity, making sure
that the proper amounts of time for activities are coordinated.
Once the preparation is complete, it is important to think about the flow of
the onsite phase of the IAM.The important first step is the opening meeting,
which is the first opportunity to make a positive impression during the onsite
phase.The opening meeting should reiterate the agreed-on assessment plan, iden-
tify the current schedule, show the benefits of the assessment process, and help
establish expectations for the remainder of the assessment. A positive first impres-
sion is essential to assessment success. During the assessment process, understand
the importance of keeping both the customer and the assessment team informed
of progress and remaining actions.
The NSA 18 Baseline INFOSEC Classes and Categories provides an excel-
lent framework to focus the onsite information collection activities.These 18 cat-
egories capture the majority of security-related concerns for assessment purposes
but are flexible enough to allow the addition or alteration of the list as required.
In many cases, the 18 categories can be used to formulate the set of assessment
questions to be asked during the interviews with the customer.
The interview is the process of collecting information about the customer’s
security posture by asking questions related to security matters within the cus-
tomer’s organization.The assessment team members’ positive interviewing skills
are important in gaining the information from the client. Unsuccessful interviews
will result in poor security posture information being obtained. Make sure that
the lead interviewer has the skills to pull information out of the interviewees. In

spite of the skills of the assessment team, sometimes an interview will not go
well. In this case, learn from the process and move on.
Getting focused on preparing for and starting the onsite phase activities will
assist you in kicking off a successful information-gathering process.
Best Practices Checklist
Preparing for the Onsite Phase
 Ensure continuous communication with the assessment team.
 Ensure continuous communication with the customer.
 Don’t forget about the comfort needs of the assessment team.
 Work with the customer to create a manageable schedule for the onsite
interviews.
Setting the Onsite Tone
 Utilize the opening meeting to establish a positive tone for the
assessment.
 Reiterate the agreed-on assessment plan during the opening meeting so
that everyone understands the scope of the effort.
 Review the assessment process and its benefits in the opening meeting.
 Keep the customer involved and informed throughout the entire
assessment process.
 Be prepared to not only assess but to educate the customer throughout
the assessment process.
The 18 NSA INFOSEC Baseline
Classes and Categories
 The 18 categories focus on management, technical, and operational
controls to address the customer’s security posture.
 The 18 categories can be used as a guide to help focus the questions to
be asked during the interview process.
 Common themes of documentation and of education, training, and awareness apply across all 18 categories.
 All 18 categories must be addressed to be officially compliant with the
NSA IAM, but additional areas may be added at the customer’s request.
The Fine Art of the Interview
 Interviewer must be dynamic and able to facilitate conversation with the
interviewee.
 Limit the number of people in the interview to just the necessities.
Generally this will be two or three people, with one person designated
to take good notes.
 Try to understand how security is really implemented within the
organization vs. the formal policies.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Can I add or take away from NSA's 18 Baseline INFOSEC Classes and Categories and still be compliant with the IAM methodology?
A: The IAM is intended to be a flexible methodology that you can either adopt in full or integrate into your own assessment process. You can add to the 18 baseline categories without an issue. If you take away from the required set, document the fact and you will still be in compliance with the IAM.
Q: What are the most common classes and categories beyond the basic 18 defined by the NSA IAM?
A: Additions to the baseline categories vary greatly by customer. Many customers have asked us to specifically address certain topics, even though they are embedded in the primary 18 baseline categories. We have seen specific topics of:
 Encryption
 Wireless networking
 Intrusion detection systems
 E-mail
Q: What are the greatest obstacles to a good interview?
A: The greatest obstacle is getting the interviewee to relax enough to speak openly about the security practices of the organization. When the interviewer is able to get interviewees to speak openly, the interviews generally go well.
Q: What are the pros and cons of group interviews?
A: Pros: You gain the views of many people in one sitting, and you can watch the interaction between group members, looking for dominant personalities and for those who differ in opinion.
Cons: The interview can be taken over by the dominant personalities, and some people may not be willing to speak up because of who is in the room.
Q: Which part of the organization typically gives the most information about the organization's security posture?
A: Typically, operations personnel give the greatest insight into the security posture of the organization. This group includes the systems and security administrators. Management gives the view of how it should be, and users give the view of how security affects them. Operations staff gives the view of how security is actually implemented.
Q: Should the interviewer stick to a rigid set of prepared questions?
A: Flexibility is key to success. Prepared questions have their place as a guide to cover the topic areas, but the interviewer needs the flexibility to ask additional questions based on the answers given.
Chapter 8
Managing the Findings
Solutions in this Chapter:
 Demonstration Versus Evaluation
 Findings and Dependencies
 Mapping Findings to Requirements and Constraints
 Creating Recommendation Road Maps
 Case Study: Medical Management
 Summary
 Frequently Asked Questions
Introduction
At this point, we need to discuss what to do with the information that we have discovered. Throughout the process, the assessment team has been collecting information and identifying possible vulnerabilities or weaknesses in the customer's system. Now is the time to begin validating that information. Validation is not a matter of taking the word of every interviewee or assuming that what the documentation says is actually occurring within the organization. What matters is being able to show proof, or hard evidence, of what is actually occurring. To do that, we have two options:
 Demonstration
 Evaluation
Demonstrations validate what the customer does through observation of their activities. This over-the-shoulder viewing clarifies points identified during the interviews that may conflict with the documentation that was reviewed. Evaluations provide documented evidence of findings, through the use of tools or scripts or by manually checking systems. The range of tools available is quite large; therefore, we discuss only some of the more popular network scanners and password crackers. Scripts and manual checks are specific to the system under review and to the assessor's own expertise, so we do not provide detailed information about them in this book.
Once you have validated the information, what remains are the findings. Not all findings should or will be negative. In this chapter, we discuss how findings can be positive or negative. As an assessor you should always keep an eye open for positive findings and be willing to point out the good things that are going on in an organization. We believe that if you can find only negative things while doing an assessment, you have the wrong attitude toward the customer. There is always something good being done within an organization. Recognize and promote these pockets of "good security" to help institutionalize those practices throughout the organization.
With findings there is always the question of dependencies: whether one finding is dependent on another, or whether resolving one finding can resolve multiple findings. This matters because it gives the customer enough information to see which recommendations provide the highest return on investment, so that remediation effort is spent where it is most cost-effective. We discuss the findings and how to look at dependencies in this chapter.
Once you have the findings and the dependencies, you can begin mapping the findings to the requirements. This is important; it determines the severity of each finding. We do not always use the recommendations of our scanners. It does the customer no service to cut and paste the recommendation or the severity level from a scanner's output, because a scanner's generic rating does not reflect the customer's requirements and constraints. It is critical that you map the findings to the customer's requirements and constraints, and we address that topic in this chapter. Mapping the findings allows you to provide the customer with a road map to improving the organization's security posture. Never forget: The purpose of the assessment is to enable improvement of the organization's security posture.
Demonstration Versus Evaluation
This section explains demonstrations and system evaluations and the differences between them, including the positive and negative aspects of each. We also look at short examples to clarify when and why we recommend each for a given situation. As you read, you might feel some confusion if you have taken the IAM course. The confusion stems from the teaching, repeated continuously in the course, that the IAM is a hands-off methodology, meaning that there are no system evaluations.
Although this is true from a methodology point of view, it does not always give the customer a proper level of assurance. In most cases, the DoD being the exception, failing to add system evaluations has proven to be a hindrance to the practical application of the IAM.
What Are System Demonstrations?
System demonstrations are the IAM method for validating or clarifying discrepancies identified between the interviews and the documentation. An example, or a physical demonstration, is often an extremely helpful way to validate how practices are actually carried out.
Consider a situation in which you, as the assessor, have reviewed the documentation and identified that the customer requires 14-character passwords that must contain upper- and lowercase letters, numbers, and special characters that do not require the use of the Alt key. While doing the interviews, you learn from several interviewees that they are not meeting the password requirements identified in the documentation. We would agree that this is a finding, and a negative one at that. But what is the reason that they are not meeting the requirements? How widespread is this finding throughout the organization? You don't want to turn those interviews into a confrontational situation by asking the interviewees why they don't follow the requirements. So what do you do?
One way to handle this situation is to use a system demonstration. It is simple to accomplish. When you are interviewing the system administrator (or the system security administrator, if the organization has one), ask the interviewee to show you how he or she sets up a new account.
Several things can occur that you can observe firsthand when the administrator sets up the account. If the administrator pulls up the operating system's default template and creates the account, you can see whether the minimum number of characters it enforces falls short of the documented requirement of 14 characters. If it does, the operational and technical controls are not in place to ensure that users meet the organizational requirements. If the administrator pulls out a dusty notebook to see what the settings are supposed to be, there is a good chance that the requirements are not normally implemented; the dust on the book is a good clue that it is rarely used. Again, this indicates that the operational and technical controls are not in place to ensure that users or administrators meet the organizational requirements.
If the administrator pulls up a template that has all the correct settings, the documented policy has been turned into a technical control, yet interviewees report that it is not being met. That points to a breakdown in how the control is applied rather than in how it is defined. In this situation it is worth asking the administrator whether there are any situations in which the password policy is not or cannot be enforced. As we have discussed in previous chapters, there are probably operational reasons that the password policy is not being enforced everywhere, such as a legacy application that cannot handle such passwords.
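An evaluation counterpart to the demonstration just described, added here as an example and not taken from the book: rather than only watching the administrator create an account, export the effective local password policy and compare each setting with the documented requirement, so the finding rests on recorded evidence. The sample export text and every threshold other than the 14-character, complexity-enabled requirement are constructed for this example; a real `secedit /export /cfg` file is UTF-16 encoded and must be read with that encoding before being passed in.

```python
"""Added example (not from the book): compare an exported Windows local security
policy against the documented password requirement recorded during the
assessment's document review.  The INF text and the threshold table below are
constructed for this example; only the 14-character/complexity requirement
comes from the chapter's scenario."""
import re

# Documented requirement as an assessor might record it after document review.
# Each entry: setting name in the export -> (comparison, threshold).
# "min" = effective must be >= threshold, "max" = <= threshold, "eq" = equal.
DOCUMENTED_REQUIREMENT = {
    "MinimumPasswordLength": ("min", 14),  # from the chapter's scenario
    "PasswordComplexity": ("eq", 1),       # mixed case/digit/special enforced
    "PasswordHistorySize": ("min", 24),    # assumed value for the example
    "MaximumPasswordAge": ("max", 90),     # assumed value for the example
    "LockoutDuration": ("min", 15),        # assumed; absent when lockout is off
}

# Constructed sample of `secedit /export /cfg <file>` output.  A real export is
# UTF-16LE; open it with encoding="utf-16" before passing the text in.
SAMPLE_SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_inf(text):
    """Parse INI-style INF text into {section: {key: value}} (values as strings)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = SECTION_RE.match(line)
        if match:
            current = sections.setdefault(match.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def evaluate_password_policy(export_text, requirement):
    """Compare effective [System Access] settings with the documented requirement.

    Returns a list of (setting, documented, effective, status) tuples.  status is
    COMPLIANT, NONCOMPLIANT, or NOT_SET when the setting is missing from the
    export, which is itself evidence worth recording rather than a pass."""
    policy = parse_inf(export_text).get("System Access", {})
    findings = []
    for setting, (mode, threshold) in requirement.items():
        raw = policy.get(setting)
        if raw is None:
            findings.append((setting, threshold, None, "NOT_SET"))
            continue
        effective = int(raw)
        if mode == "min":
            ok = effective >= threshold
        elif mode == "max":
            ok = effective <= threshold
        else:
            ok = effective == threshold
        findings.append((setting, threshold, effective,
                         "COMPLIANT" if ok else "NONCOMPLIANT"))
    return findings


def noncompliant_settings(findings):
    """Names of settings that contradict, or fail to implement, the requirement."""
    return [f[0] for f in findings if f[3] != "COMPLIANT"]


if __name__ == "__main__":
    for setting, documented, effective, status in evaluate_password_policy(
            SAMPLE_SECEDIT_EXPORT, DOCUMENTED_REQUIREMENT):
        print(f"{status:<13} {setting:<22} documented={documented} effective={effective}")
```

Run as-is, the script reports the 7-character effective minimum against the documented 14 and flags the missing lockout duration instead of silently treating it as compliant. In practice, keep the export file and the command used to produce it with the finding. This checks the local policy of the machine the export came from; on a domain-joined system the effective setting may come from Group Policy, and a compliant template still leaves open the question the chapter raises of whether the policy reaches every account, including those created for legacy applications.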
The Good and the Bad
There are both positive and negative reasons for using system demonstrations. As you have just seen, system demonstrations are very useful for seeing how operational and technical controls are implemented and utilized. They can also be used to see what steps the system managers are taking to ensure compliance with the organization's INFOSEC requirements. These are both positive reasons for doing system demonstrations. But system demonstrations are not always useful.
Although system demonstrations are excellent for seeing how the technical
controls are implemented, they are not very useful for checking management
controls. Management controls are primarily the INFOSEC documents that