Security Assessment Case Studies for Implementing the NSA IAM, Part 8

Table 8.1 A Sample of Findings from the SA for Medical Management

| Vulnerability | Finding # | Threat Source | Impact Rating | Consequence |
|---|---|---|---|---|
| Lack of separation of duties | 33 | Intentional modification of data | High | System administrators, without detection, can bypass mechanisms in place for holding users responsible for their actions. Due to a lack of resources, a decision has been made to allow the system administrators to audit their own activity. This could result in a loss of integrity. |
| .JSPServlet enumeration vulnerability | 34 | Unauthorized access | Low | An attacker can use this vulnerability to enumerate the physical path of the webroot. This could result in a loss of confidentiality, integrity, and availability if the attacker is able to use this information to compromise the system. |
| Web server enumeration vulnerability | 35 | Unauthorized access | Low | Allows attackers to identify the specific version of IIS to tailor specific attacks. This could result in a loss of confidentiality, integrity, and availability if the attacker is able to use this information to compromise the system. |
| Cold Fusion debug enumeration | 36 | Unauthorized access | Low | It is possible to anonymously view debug information, which usually contains sensitive data such as template path or server version. This could result in a loss of confidentiality, integrity, and availability if the attacker is able to use this information to compromise the system. |
| Security alerts and incident handling procedures are not documented | 37 | Administrative error | Low | Without documented procedures, the response taken is ad hoc and results in opinion-driven decisions, which can expose Medical Management to errors in human judgment. This could result in a loss of confidentiality or integrity if an incident goes unnoticed. |
| Contingency plan does not exist | 38 | Administrative error | Low | Current contingency planning is scattered through various location documents and should be centralized in one document that all locations utilize. This could result in a loss of availability. |
| Process to modify incident handling does not exist | 39 | Administrative error | Low | Currently being done ad hoc, which could result in wasted time during future CISRT responses by not having procedures to incorporate lessons learned. This could result in a loss of confidentiality, integrity, and availability. |
| Risk assessment implementation is not consistent | 40 | Human error/omission | Low | Inconsistent application of quarterly scan results in various vulnerabilities not being identified or corrected. This could result in a loss of confidentiality, integrity, and availability if the vulnerabilities are not identified and resolved. |
| Rules of behavior are not consistent and are not signed by users | 41 | Disgruntled employee or citizen incident | Low | Rules of behavior define to the user what is acceptable behavior and the consequences for failure to comply. Without a signature, there may be an issue with proving the user was adequately warned. This could result in a loss of integrity and management having no legal recourse available. |
| Termination process does not address short-notice quitting | 42 | Disgruntled employee or citizen incident | Low | Current procedures would allow access to the medical system to continue after an employee or contractor has departed. This could result in a loss of confidentiality, integrity, and availability. |
| Access to system is granted without appropriate background screening | 43 | Intentional modification of data | Low | Inconsistent screening of personnel with system access. Contractors are granted access without background checks being required. Periodic reviews of sensitive positions are not performed. This could result in a loss of confidentiality and integrity. |
| Software distribution implementation is inconsistent | 44 | Human error/omission | Low | No documented procedure leads to inconsistent operating systems and patch levels for system components. This could result in a loss of confidentiality, integrity, and availability due to poor configurations. |
| No software or hardware testing procedures in place | 45 | Human error/omission | Low | This could allow for inconsistent test procedures resulting in unknown risk to the system. This could result in a loss of confidentiality, integrity, and availability if poor configurations are introduced to the system. |

www.syngress.com
Managing the Findings • Chapter 8 295
286_NSA_IAM_08.qxd 12/15/03 5:03 PM Page 295
Recommendation Road Map
Table 8.2 provides the assessment team recommendations, referenced by finding
numbers presented in Table 8.1.
Table 8.2 Recommendation Road Map for Medical Management

| Finding # | Vulnerability | Recommendation | Target Date | Action Responsibility |
|---|---|---|---|---|
| 1 | .IDA ISAPI buffer overflow present | Install appropriate MS patch (Q317815). Unmap the .IDA extension and any other unused ISAPI extensions if they are not required. | | |
| 2 | dvwssr.dll available | Delete this file if not needed. If this file is required, restrict access to authenticated users only. | | |
| 3 | Newdsn.exe available | Delete this file if not needed. If this file is required, restrict access to authenticated users only. | | |
| 4 | Msadcs.dll available | Install latest patch; see MS99-025 for information. | | |
| 5 | Unauthenticated Web Script WSMAdmin available | Edit the ubroker.properties file as follows: change `AllowMsngrCmds = 1` to `AllowMsngrCmds = 0`. | | |
| 6 | Allaire JRun 3.0/3.1 accepts malformed URLs | Modify the following in the JRun console: JRun Default Server/Web Applications/Default User Application/File Settings/Directory Browsing Allowed set to FALSE. JRun Default Server/Web Applications/JRun Demo/File Settings/Directory Browsing Allowed set to FALSE. | | |
| 7 | Allaire Cold Fusion DOS | Remove HTML login file if not required. If HTML login file is required, implement HTTP basic authentication to restrict access to this page. | | |
| 8 | Internet Printer Protocol (IPP) buffer overflow present | Unmap the .printer extension. | | |
| 9 | Anonymous user repost | Create /users directory. Restrict anonymous access. | | |
| 10 | Remote file system viewing | Disable this service if it is not needed. Restrict anonymous access if this service is required. | | |
| 11 | CompaqDiag remote management services active | Disable this service if it is not needed. Restrict anonymous access if this service is required. | | |
| 12 | Oracle account password missing | Assign a password to the TNSLSNR. | | |
| 13 | Old TNSLSNR version running | If possible, upgrade to version 9.0 or later. | | |
| 14 | Sadmin enabled | Disable this service if not needed. | | |
| 15 | Statd enabled | Disable this service if not needed. | | |
| 16 | Tooltalk enabled | Disable this service if not needed. | | |
| 17 | aexp2.htr available | Delete this file if not needed. | | |
| 18 | BIND DNS Server | Upgrade to BIND 8.3.4. Ensure that all patches have been implemented. | | |
| 19 | SNMP default string | Disable SNMP if not needed. Change the SNMP community string. | | |
| 20 | SMTP server relaying allowed | Disable mail relay if not required. | | |
| 21 | Cisco SNMP | Implement controls to block access to the ILMI community and to SNMP if possible. | | |
| 22 | Antivirus detection and elimination is inconsistent | Require and have users sign an acknowledgment requiring that they have installed up-to-date antivirus software on any machine that they will be using for remote access. Implement scripts to auto-update antivirus software for all remote users when they connect to the WAN. | | |
| 23 | Inadequately trained personnel | Provide formal training for equipment prior to installation. Hire trained and certified contractors to operate equipment. | | |
| 24 | Cross-site scripting | Install available patches or comply with vendor recommendations where possible. | | |
| 25 | NULL session enabled | Ensure that NULL/anonymous sessions are disabled if not needed. See MS Q143474 or Q246261. | | |
| 26 | Cross-site tracing vulnerability exists | Deny HTTP TRACE requests. Permit only the methods required by authorized individuals. | | |
| 27 | Java cross-site tracing vulnerability exists | Disable the Java service if not needed. Update the Java service. | | |
| 28 | WASCAdmin password does not expire | IAW Medical Management policy. | | |
| 29 | Remote terminal services allows bypassing of security protocols | Migrate to MS terminal services or Citrix, or some other product that can follow/enforce Medical Management password and audit requirements. | | |
| 30 | Echo, Chargen, Qotd enabled | Disable these services if not needed. If these services are required, restrict them to administrators only. | | |
| 31 | Data integrity and validation controls are not consistently applied | Implement Tripwire or other integrity and validation controls. | | |
| 32 | Audit trail cannot support after-the-fact investigations | Implement chain-of-custody and storage IAW solicitor requirements. | | |
| 33 | Lack of separation of duties | Hire personnel to handle security duties. | | |
| 34 | .JSPServlet enumeration vulnerability | Set a global error page for the ServletExec Virtual Server. | | |
| 35 | Web server enumeration vulnerability | Modify the reported Web server application with urlscan to misdirect the attacker. | | |
| 36 | Cold Fusion debug enumeration | Enter an IP address (e.g., 127.0.0.1) in the Debug Settings within the Cold Fusion Admin. | | |
| 37 | Security alerts and incident handling procedures are not documented | Incorporate documented procedures and distribute to all locations. Schedule and document testing of procedures. | | |
| 38 | Contingency plan does not exist | Develop, document, implement, and distribute a contingency plan. | | |
| 39 | Process to modify incident handling does not exist | Develop, document, implement, and distribute lessons-learned procedures. | | |
| 40 | Risk assessment implementation is not consistent | Develop, document, and implement security tools utilization procedures with written authorization for who can use the tools and when. | | |
| 41 | Rules of behavior are not consistent and are not signed by users | Standardize Medical Management medical system rules of behavior and have all users sign an acknowledgment. | | |
| 42 | Termination process does not address short-notice quitting | Update current procedures to address all situations. | | |
| 43 | Access to system is granted without appropriate background screening | Standardize and enforce the background-screening process for employees and contractors. Require contractors to provide certification of screening. | | |
| 44 | Software distribution implementation is inconsistent | Document and distribute procedures for software distribution and implementation. | | |
| 45 | No software or hardware testing procedures are in place | Document the required test procedures and retain test reports. | | |

The Target Date and Action Responsibility columns are left blank in the sample road map; they are filled in by the customer.
Summary
Throughout this chapter we covered specific areas that you as the assessor need to understand to identify and validate findings that affect your customer. You have learned about system demonstrations and evaluations and when to use them. You have learned to look at the findings for dependencies and possible interdependencies. With your newfound understanding of the dependencies among the findings, you now understand how to map the findings to the customer requirements and constraints. You now understand how to create a justification that is usable and valid for your customer. You can now create a road map for the customer to improve their security posture. We ended this chapter with a look at a case study to give you an example of how this information fits into the real world of INFOSEC assessments. We hope that you found this discussion enlightening and informative.
Best Practices Checklist
Demonstration Versus Evaluation
- Validate or clarify interviews with demonstrations.
- Validate or clarify documentation with demonstrations.
- Measure operational controls with evaluations.
- Measure technical controls with evaluations.
Findings and Dependencies
- Findings can be positive or negative.
- If there are no negative findings for an area, there should be a positive one.
- Is a finding related to another finding?
- How many findings can be resolved with one solution?
- Does a positive finding help mitigate a negative finding?
Mapping Findings to Requirements and Constraints
- What is the impact to the customer?
- What critical information impact attribute is attributable to each finding?
- Is there enough information in the justification for the decision maker to understand and make a good risk management decision after you are gone?
- What is the threat vector that can exploit each finding?
- Are customer concerns or constraints included in the justification?
Creating Recommendation Road Maps
- Does the recommendation address cost effectiveness?
- Does the recommendation address applicability to the customer environment?
- Does the recommendation address the importance of the finding to the critical information?
- Does the recommendation address the users who have to implement the recommendation?
- Does the recommendation give the customer options?
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Can you really do an assessment of any value to the customer without using tools?
A: Yes, if you are only validating the policies and procedures. You will have to note a caveat in the report that there is insufficient assurance that critical devices are functioning as required, since you have not had the opportunity to technically assess these components using tools.
Q: Can you just use the evaluation tools and skip the system demonstrations?
A: Not if you want to get a complete picture of how things are actually done. There is always the case where some administrators will prepare for your assessment by coaching, and demonstrations are a good way to see the reality of how things are normally done.
Q: Have you ever used demonstrations for something besides account management?
A: Yes, we use it for audit and almost anything you can think of that requires daily or weekly repetition. They are also good for learning what the customer is trying to accomplish with a specific configuration.
Q: Do you always have to map the finding to the OICM, or can you just map it to the SICM?
A: As you have already learned, the impact definitions are the same for both the OICM and the SICM. Therefore, the findings and recommendations that you are mapping to a matrix would be similar and applicable to both the OICM and the SICM.
Q: Do you list all the possible findings for the customer individually, or do you group them?
A: We try to merge the findings to a common solution. This provides the customer with a simpler road map.
Chapter 9
Leaving No Surprises
Solutions in this Chapter:
- Determining the Audience for the Closeout Meeting
- Organizing the Closeout Meeting
- Understanding the Meeting Agenda
- We Came, We Saw, Now What?
- Summary
- Solutions Fast Track
- Frequently Asked Questions
286_NSA_IAM_09.qxd 12/16/03 12:58 PM Page 309
Introduction
In this chapter we will be discussing the closeout meeting and the remaining timeline. This meeting is important because we do not want to leave our client with any surprises. We have completed all of the work that needs to be done on-site and we are getting ready to head back to our office to review the information and documentation, and prepare a final report. We need to set up the closeout meeting to ensure that we have all the information we need, address any questions from the client, and inform our customer of any critical vulnerabilities before we leave the client site. One of the more important aspects of the closeout meeting is to make sure that the appropriate people attend and participate in this meeting.
We have just spent the last two weeks at the client site doing interviews and collecting information, and we have obtained a thorough understanding of our customer's network as well as the roles and concerns of the individuals. We have reviewed the critical information as well as the systems that store, process, and transmit this information. We have seen a demonstration of the systems and we have reviewed the documentation. We have defined what is meant by low, medium, and high criticality. We want to review this information one last time, and we want our client to understand what has been done and give them a chance to voice any questions or concerns that they may have. Our client will want to see that the goal, the purpose, and the scope of the assessment have been met.
If there are any critical vulnerabilities that have been discovered thus far, we need to inform our clients so they can act on these vulnerabilities quickly. Let the client know what might be a critical issue and work with them through recommendations that will help secure their network.
Finally, we will discuss not only what has been done but what they can expect to happen next. What kind of timeline can our client expect? What individuals might be needed to complete the rest of the assessment? At this time we will also let our client know when they can expect a final report. The goal of the closeout meeting is to leave the client site without leaving behind any surprises.
Determining the Audience for the Closeout Meeting
Before you start preparing for the closeout meeting, it is important to determine who will be attending the meeting and what type of information will be important to them.
www.syngress.com
310 Chapter 9 • Leaving No Surprises
Who Is Your Audience?
You and your team have just spent a few weeks working side by side with these individuals in the organization. You know how they work and a little about who they are and what makes them tick. You should now be familiar with the culture of the people that will be in the closeout meeting.
Are they formal or casual? Do they like to joke around, or are they all business all the time? Has there just been a merger, a takeover, or a reduction in the workforce? What are some of the cultural differences within the group? These things are important in the way you present your material.
NOTE
No matter what your first impressions are of the organization you are assessing, or how things progress, you must maintain professionalism. Remember that you can easily create a situation not only by what you say or do, but also by how your actions are perceived by someone in the organization.
By now you have also picked up on the personalities within the customer's organization. Are they glad you came to do the assessment? Do they feel you are intruding on their space? Did you get a favorable welcome or an unfavorable welcome when you arrived? What have you done to increase favorability while you have been on site?
Who Should Attend?
It is now time for the closeout meeting. We need to get everyone involved that might be able to contribute to the meeting. We know that this is not always possible due to scheduling and other work-related issues, but we should do our best to get the people involved that have the greatest impact. You want to have your point of contact (POC) at the meeting as well as your assessment team. You want to include upper-level management, systems managers, and the senior security manager as well as any customer team members.
These individuals should be involved with the closeout meeting to ensure that the assessment is done and that there are no surprises at the end of the day. Your POC needs to be there as your connection to the customer. The management team will need to be there to make the final decisions regarding your recommendations. The senior security manager is the person that will be heading up the network security and any implementation that is recommended.
These are the people that invited us into their organization. These are the people that set the goals and told us what information and systems were critical. These people are the customer, and they will be taking our recommendations and applying them to their systems to protect them from vulnerabilities. The mission of the company rests with these individuals. It is the concerns of these people that we are here to address with our recommendations.
Organizing the Closeout Meeting
Organizing the closeout meeting is very similar to the organization and preparation of other types of business meetings. You want to take the time and review the information that you are going to cover in the meeting. How do you want to start the meeting? What direction do you want the meeting to take? Take some time and think about the meeting and how you would like things to unfold. What information is important to you and your team? What do you want to impress upon your audience? What information is important to your customer, and what is their expectation of the closeout meeting? Always be mindful that the purpose of the closeout meeting is to give the customer the information that you have gathered over the last few weeks, and to ensure that there will not be any surprises at the end of the assessment.
Determining Time and Location
There are many things to consider when choosing the time and location for this meeting. The objective when scheduling the meeting is to accommodate the schedules of as many of the important attendees as possible. These people would be the decision makers that are going to influence how the customer resolves any vulnerability issues discovered during the assessment. Are there people in the organization that will be coming in from out of town? Do some of the employees work from home on specific days of the week? Pick a day and time that most of these people will be in the office. The location of the meeting should be where it is most convenient for the major players. Have your customer representative recommend the best location.
Time of Meeting
When we determine the time of the closeout meeting, we want to consider getting as many people involved with the assessment as possible to attend. Check with your POC and other leaders in the organization to determine the best time for this. The length of the meeting will depend on the size of the organization and the number of vulnerabilities found in the systems. Typically this meeting is one or two hours in length.
Day of Week
Picking the day of the week again depends on the schedules of the people in the
organization. Usually the meeting is set when the on-site assessment has been
completed or when you expect the on-site assessment to be completed. If you
schedule the meeting on a Monday and your team has traveled out of town for
the assessment, you will have to spend another weekend on the road just to
come in Monday and have the Closeout Meeting. I like to schedule my Closeout
Meeting Tuesday, Wednesday, or Thursday. Once you get to Friday and something
unexpected comes up, you’re staying another weekend.
Meeting Room
Where will you have the Closeout Meeting? If you are going to use a conference room, remember that most companies will have you reserve a conference room in advance. This could be something that your POC can handle for you. How many people are going to attend? Does this organization have a conference room big enough for the meeting, or will you need a larger location within the company? Is the meeting room that you have selected set up for your type of meeting? Consider your technical needs and whether the location can accommodate them.
Determining Supply List for the Closeout Meeting
Now that you have selected a time and a place to meet, you and your team need to make sure the room is ready for the meeting. Plan to be there at least an hour in advance to make sure all equipment works, handouts are ready, the laptop is charged, etc. You will need the following items for most Closeout Meetings:
- Whiteboard: Whiteboards are a great tool in meetings to keep interest piqued as you write each critical assessment point.
- Overhead projector: These are ideal for presenting to a larger audience.
- Laptop: Depending on the culture of the customer, you may need a laptop for a PowerPoint presentation.
- Handouts: These can help people follow along during the meeting, and allow people to take the information with them in the event they are called away during the meeting.
Other Concerns about the Meeting
The Closeout meeting is scheduled, and you and your team are ready to present your information to the customer. It is a good idea at this time to consider any other concerns that you might have about the meeting. These meetings can take quite a while depending on what you have to cover, so remember to plan for breaks depending on how long your presentation runs. If you don't, those in attendance may begin to lose focus. Some food for thought:
- Plan for breaks, and if possible supply coffee, snacks, and other cold drinks. Again, you can ask your POC to assist you with these details.
- Supply the customer with materials for taking notes. A great idea is to hand out pens or pencils with your company logo on them.
- Lastly, is there anyone in the organization that will be attending the closeout meeting who has special needs? Your POC will be able to let you know if there is anyone who is hearing impaired, visually impaired, etc., and will be able to help here as well. Just be mindful of the needs of the customer.
Understanding the Meeting Agenda
No matter what type of meeting you are having, it is a good idea to have a clear agenda. Let your customer know what you intend to cover, and how long you expect the meeting to last. Remember the customer might have some concerns that take you away from your agenda. Be flexible when it comes to the customer's needs. The agenda activities include:
- Reviewing the final agreed-upon Assessment Plan
- Reviewing Critical Vulnerabilities
- Reviewing the Process and Looking Forward
Review of the Assessment Plan
It is now time to review the assessment plan. First, we will cover the organization information criticality. We have already decided with our client how we will determine Low, Medium, and High criticality. For some companies, High criticality will be protecting information that could shut down the business. For others it could be a loss of contracts, or legal action taken against them. Still others might consider the protection of customer information as high impact criticality. The high criticality will be different for each client; it is your job to learn what is of utmost importance for your client.
Review of Organization Information Criticality
The organization information criticality is a matrix of the information deemed critical by the customer, which is then rated Low, Medium, or High depending on the impact level. The three attributes that we use to determine the impact value are confidentiality, integrity, and availability. Organization Information Criticality was addressed in the Pre-Assessment Phase. This is only a review that would be included in the closeout meeting.
Review the information that you have gathered over the last few weeks with the customer. This is just the information, not the systems, platforms, or applications. It is information that has been deemed critical through the discussions and interviews with the customer. What additional organizational information have you found through your assessment to be critical?
The attributes that are used during the assessment process are confidentiality, integrity, and availability. These are the minimum attributes recommended; you could add more attributes if you or your customer thinks it is necessary, now that you have established what would happen if the information were released, tampered with, or inaccessible.
You have worked with your customer to develop definitions of criticality, which will define a High, Medium, and Low impact value. Let's use a law enforcement agency as our customer. Review with them what they have defined as a High, Medium, and Low impact value. In this example a High impact might be a loss of life or infringement of personal liberties. A Medium impact value might be endangerment of a law enforcement officer, embarrassment to the organization, or delay of an arrest. A Low impact might be an inconvenience in performance of duties.
Present your information criticality matrix, whether it is on a handout, white
board, or PowerPoint presentation. In this example of a law enforcement agency,
the information that they see as critical is the criminal records, informants, inves-
tigations, and warrants. Using the table below as an example, show your customer
how they rated their information according to the confidentiality, integrity, and
availability attributes using their High, Medium, and Low impact values. The
Organization Information Criticality Matrix (OICM) is a list of the most impor-
tant information within the IT operations as defined by the customer. The matrix
also defines the impact value of this information according to confidentiality,
integrity, and availability:
Organization Information    Confidentiality    Integrity    Availability
Criminal records            Medium             High         Medium
Informants                  High               Medium       Medium
Investigations              Medium             Medium       Medium
Warrants                    Low                High         Medium
After going over the information criticality matrix, show the customer how
you determined the final value of the Organization's Information Criticality.
Explain that you simply take the highest impact value from each of the columns:
confidentiality, integrity, and availability. In this case it would look like this:
Organization Information    Confidentiality    Integrity    Availability
Information Criticality     High               High         Medium
Systems Information Criticality
To continue the Assessment Plan review, you now have to discuss the system crit-
icality information. After you review the organization's critical information and
determine the final value of the organization's information criticality, it's time to
review the organization's systems information criticality. Some individuals have a
difficult time separating the information from the systems. Make sure everyone
understands the difference before discussion of the organization's systems criti-
cality begins. The system is where the information we just reviewed is processed,
stored, and transferred. Just as we previously reviewed the critical information, we
will now review the organization's systems criticality. Continuing to use our
example of the law enforcement agency, we would talk about its specific systems.
The systems they are concerned with are the Federal Agents' Comprehensive
Tracking System (FACTS) and the Secret Network of Operational Programs
(SNOOP). These are the two systems within the law enforcement agency that
store, process, and transmit information about criminal records, informants, inves-
tigations, and warrants. Walk your customer through the information on their
systems information criticality matrix. The following tables show the impact
value of the systems that contain the critical information. The first table is the
FACTS system, which contains the criminal records, investigations, and warrants.
The second table is the SNOOP system, which contains the informant informa-
tion. As you can see, we have taken the highest impact value from each column to
come up with the final impact value of each system.
Federal Agents Comprehensive Tracking Systems (FACTS)
Organization Information    Confidentiality    Integrity    Availability
Criminal records            Medium             High         Medium
Investigations              Medium             Medium       Medium
Warrants                    Low                High         Medium

Federal Agents Comprehensive Tracking Systems Final Value
Systems Information    Confidentiality    Integrity    Availability
FACTS                  Medium             High         Medium
Secret Network of Operational Programs (SNOOP)
Organization Information    Confidentiality    Integrity    Availability
Informants                  High               Medium       Medium
Secret Network of Operational Programs Final Value
System Information    Confidentiality    Integrity    Availability
SNOOP                 High               Medium       Medium
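The roll-up rule used for both the Organization Information Criticality Matrix and the two system matrices above (take the highest impact value in each attribute column) is small enough to write down exactly. The following is an added worked example, not code from the book or from the IAM itself. It uses the law enforcement agency rows shown above and the text's statement that FACTS holds criminal records, investigations, and warrants while SNOOP holds informant information; the two consistency checks at the end (a system never exceeding the organization value, and every information type being assigned to at least one system) are additions that follow from the roll-up definition, not something the book prescribes.

```python
"""Criticality roll-up for the OICM and system matrices (added example).

The rows are the law enforcement agency sample from the chapter; the
impact ordering Low < Medium < High is the customer's three-level scale.
"""
from typing import Dict, Iterable, List, Tuple

ATTRIBUTES = ("confidentiality", "integrity", "availability")

# Ordinal ranking of the impact values agreed with the customer.
IMPACT_RANK: Dict[str, int] = {"Low": 0, "Medium": 1, "High": 2}

Row = Tuple[str, str, str]  # (confidentiality, integrity, availability)

# Organization Information Criticality Matrix: one row per information type.
OICM: Dict[str, Row] = {
    "Criminal records": ("Medium", "High", "Medium"),
    "Informants":       ("High",   "Medium", "Medium"),
    "Investigations":   ("Medium", "Medium", "Medium"),
    "Warrants":         ("Low",    "High",   "Medium"),
}

# Which information types each system stores, processes, or transmits
# (from the chapter's description of FACTS and SNOOP).
SYSTEMS: Dict[str, List[str]] = {
    "FACTS": ["Criminal records", "Investigations", "Warrants"],
    "SNOOP": ["Informants"],
}


def highest(values: Iterable[str]) -> str:
    """Return the highest impact value on the customer's ordinal scale."""
    values = list(values)
    unknown = [v for v in values if v not in IMPACT_RANK]
    if unknown:
        raise ValueError(f"impact value not on the agreed scale: {unknown}")
    return max(values, key=IMPACT_RANK.__getitem__)


def roll_up(rows: List[Row]) -> Row:
    """Take the highest impact value from each attribute column."""
    if not rows:
        raise ValueError("cannot roll up an empty matrix")
    conf, integ, avail = (highest(col) for col in zip(*rows))
    return (conf, integ, avail)


def organization_criticality(oicm: Dict[str, Row] = OICM) -> Row:
    """Final organization information criticality value (the OICM roll-up)."""
    return roll_up(list(oicm.values()))


def system_criticality(system: str,
                       systems: Dict[str, List[str]] = SYSTEMS,
                       oicm: Dict[str, Row] = OICM) -> Row:
    """Final value for one system: roll-up of the information it handles."""
    return roll_up([oicm[info] for info in systems[system]])


def check_system_vs_organization(systems: Dict[str, List[str]] = SYSTEMS,
                                 oicm: Dict[str, Row] = OICM) -> List[str]:
    """Added check: a system handles a subset of the organization's
    information, so its value can never exceed the organization's in any
    column. Returns a list of violations (empty means consistent)."""
    org = organization_criticality(oicm)
    problems = []
    for system in systems:
        sys_val = system_criticality(system, systems, oicm)
        for attr, s, o in zip(ATTRIBUTES, sys_val, org):
            if IMPACT_RANK[s] > IMPACT_RANK[o]:
                problems.append(f"{system} {attr}: {s} exceeds organization {o}")
    return problems


def uncovered_information(systems: Dict[str, List[str]] = SYSTEMS,
                          oicm: Dict[str, Row] = OICM) -> List[str]:
    """Added check: critical information assigned to no system is a gap in
    the systems review. Returns the information types left uncovered."""
    covered = {info for infos in systems.values() for info in infos}
    return sorted(set(oicm) - covered)


if __name__ == "__main__":
    print("Organization:", organization_criticality())
    for name in SYSTEMS:
        print(f"{name}:", system_criticality(name))
    print("Violations:", check_system_vs_organization())
    print("Uncovered information:", uncovered_information())
```

Running the block reproduces the chapter's tables: the organization rolls up to High / High / Medium, FACTS to Medium / High / Medium, and SNOOP to High / Medium / Medium, and both added checks come back empty for this sample. If a closeout review turned up a system value above the organization value, that would mean a system row was rated against information that never made it into the OICM, which is exactly the kind of surprise the review is meant to catch.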
Customer Concerns and Constraints
The reason for an assessment will vary depending on the organization.
Organizations with obvious reasons for specific concerns about their critical
information include federal, financial, medical, public, and private organizations.
The basic reason for an assessment is that the organization wants to assess the
current state of security within its networks and establish a current security
posture. It wants a basis for understanding and addressing the vulnerabilities that
exist within its systems in order to improve security.
Each customer is going to have their own specific concerns. Some might be
concerned about information, some about the systems, and others will have con-
cerns about their physical security. It could be a personal modem on an indi-
vidual's workstation used to access information from home, or possibly that a
server room door has no locking device. Make sure you identify the concerns of
your customer and address them. Further concerns, depending on their type of
organization, could be:
- Customer requirement
- Insurance requirement
- Part of their ideal security posture
- Federal requirement
Constraints can impact your assessment. It is imperative that you identify
your customer’s constraints in order to have a successful assessment. Failure to
recognize your customer’s constraints can affect whether or not your recommen-
dation can be implemented.
The following are some operational constraints:
- Third party involvement
- Politics
The following are some resource constraints:
- Time
- Money
- Personnel
Reviewing Goals, Purpose, and Scope
Goal of the Assessment
Review the goals of the organization that you are assessing. In most cases, the
goals of our customers are to improve security within their environment and to
develop a roadmap to achieve a desired security posture. This review is one more
way to ensure you and your customers are on the same page. This review is not a
time to change or alter these goals in any way.
Purpose of the Assessment
The purpose of the assessment is going to be a little different with each cus-
tomer, but most are very similar. The purpose of the assessment is to identify any
known threats and vulnerabilities, as well as to create a tool that will track critical
vulnerabilities to ensure information and systems security.
Scope of the Assessment
The scope of the assessment is going to vary quite a bit from customer to cus-
tomer. The assessment could be to assess a specific wireless network or to assess
all of the management, operational, and technical controls of an organization.
Remember that the review stage is not the time to make a change, but simply an
opportunity to review what the customer wanted to accomplish with the assess-
ment and which parts of the organization should be included.
Reviewing the Critical Vulnerabilities
You have reviewed the organization and systems information criticality, and now
you need to talk specifically about the critical vulnerabilities. You have collected a
lot of information, and this is where you cover the critical vulnerabilities that the
customer has labeled as a high impact value. This would not be the time to talk
about low impact criticalities such as a lack of labeling standards or the standard
operating system loads in use. Now is the time to talk about patch levels not