Security Assessment: Case Studies for Implementing the NSA IAM, part 9


Vulnerability Classification
Deciding on the level of threat to or vulnerability of a customer is a somewhat subjective process. This is another place in the IAM process that the assessors’ INFOSEC experience is critical. Whether the vulnerability is a High, Medium, or Low depends greatly on the overall risk the vulnerability creates for the organization. For example, if a vulnerability exists but there is no threat of exploitation of that vulnerability, the overall risk is Low. If a vulnerability exists, a threat exists to exploit that vulnerability, and if it is on a critical system, a High level rating should be considered for the finding. Other designations may be considered depending on the criticality of the systems, the likelihood and ease of exploiting the vulnerability, and the type of threat involved. All the information gathered in the organizational information and system criticality processes directly ties to the overall risk factor determination for the organization.
Positive Findings
Not every finding during an assessment has to involve a negative vulnerability. The assessment team should identify good security practices in addition to the negative vulnerabilities, to give the customer a sense of what they are currently doing correctly. This gives the customer a sense that they at least have some foundation on which to build their security program. If you present only negative findings, the customer will possibly develop a negative attitude toward any suggestions you make. Here are examples of acceptable and unacceptable positive findings:

Acceptable positive finding: Customer ABC has demonstrated a resolve to provide a secure work environment through the use of a managed firewall and intrusion detection systems that provide quick reporting of anomalies to the security administrator. The security administrator responds to the notification within two hours unless a higher priority is placed on the identified incident.

Unacceptable positive finding: The customer break room has excellent coffee.
Negative Findings
The reality of the assessment process is that most findings will be negative in nature. This is due to the fact that the purpose of the assessment is to identify vulnerabilities and make recommendations to improve an organization’s security posture. Findings and associated discussion should be clear on the finding’s impact on the customer. Common negative findings often seen during assessments are managerial, technical, or operations related.
www.syngress.com
342 Chapter 10 • Final Reporting
286_NSA_IAM_10.qxd 12/16/03 12:59 PM Page 342
Common Managerial-Related Findings
The common vulnerabilities seen from a managerial perspective include, but are certainly not limited to, the following:

- Lack of a comprehensive security policy
- Lack of or out-of-date disaster recovery or business continuity plan
- Lack of policy enforcement by the organization’s staff
- Lack of senior management support for the security program
- No defined roles and responsibilities for staff
- No configuration management process
- Security not a member of the configuration control board (CCB)
Common Technical-Related Findings
The common vulnerabilities seen from a technical perspective include, but are certainly not limited to, the following:

- Network architecture not secure
- Firewalls improperly configured
- No intrusion detection/intrusion prevention implemented
- No redundancy on critical components
Common Operations-Related Findings
The common vulnerabilities seen from an operational perspective include, but are certainly not limited to, the following:

- No effective security training and awareness program in place
- No initial security training on new hires
- No background checks conducted on new hires
- Critical systems not physically secured
- Limited challenge of unbadged personnel
- No identification required to be displayed when on site
Negative Finding Examples
The following are good and bad examples of negative findings, giving consideration to the usefulness and level of detail of the finding:

Acceptable negative finding: The firewall configurations for customer ABC should be reexamined to address the need for separation of network access to the various departments of ABC. The areas ABC should consider separating are the Research and Development Lab, Human Resources, and the Technology Training Room. This separation, along with good firewall rules, will help reduce the visibility of critical areas of the network.

Unacceptable negative finding: Firewalls need to be reconfigured to provide better security.
Multiple Recommendations for Each Finding
Providing a customer with multiple recommendations to mitigate a vulnerability allows them to choose the level of protection and cost point for each vulnerability. The assessment team cannot determine the final constraints on a customer, especially when it comes to cost and politics. If you provide multiple recommendations to mitigate a single vulnerability, the customer can select the level of solution they want to implement. Providing multiple levels of recommendations also gives the customer a sense that they have some control over the security that will be implemented and the risk management process that ensues. If the assessment team only provides the perceived “best” solution, the customer may not be able to implement the solution due to cost or other constraints that impact the organization. There may also be times when there is only one solution available, and this should be indicated in the final report.
Creating and Formatting the Final Report
Everybody (well, maybe not everybody) hates documentation, but it is a critical part of the assessment process. The final report presents the customer with the formal documented results that are needed to show due diligence and their progress for implementing their security program. The final report provides the means to convey all findings, document the process, and provide a road map for improving security. A well-organized final report provides the best way to present the assessment results.
From the Trenches…
Yugo, Ford, and Cadillac
Anyone who has taken a Security Horizon IAM Training Course will remember the references to the Yugo, the Ford, and the Cadillac recommendations for mitigating vulnerabilities for a customer. This presentation provides a customer with options for implementation. The following are general definitions for each level:

- Yugo: The low-end, low-cost solution that can be implemented quickly and/or with minimal cost to provide a client with some level of protection. Sometimes referred to as the “Band-Aid” solution.
- Ford: The mid-level, mid-cost solution that requires more planning and implementation than a Yugo solution but will provide a greater level of protection against threats to an existing vulnerability.
- Cadillac: The top-of-the-line solution that will provide the greatest level of protection for the customer, but often at a high cost and/or high administration requirement to implement.

TERMINOLOGY ALERT
Due diligence is the process an organization goes through to ensure that they are taking the appropriate and necessary steps to protect the assets of the company or organization. From a security perspective, due diligence involves taking the necessary steps to protect the operations and information from electronic theft, destruction, or alteration. When a company is sued over a security incident, the courts look at whether that company took reasonable responsibility and steps to protect the resources from known threats through identifying and mitigating vulnerabilities.
In creating the final report, your primary purpose is to create a formal document that provides details about the entire assessment process. It identifies the purpose of the assessment, the process used to conduct the assessment, the identification of critical information, the identification of critical systems and system configuration, the identification of vulnerabilities, and recommendations to improve the organization’s security posture. The final report also takes care of contractual requirements for documenting the assessment and its results.
NSA provides a recommended format for the final report; however, there is flexibility in how the final report is presented. The NSA outline incorporates a good set of minimum requirements to include in the final report. Let’s look at those requirements.
Executive Summary
The executive summary serves as a high-level introduction to the assessment results. It should be clear that the executive summary will not be at the level of detail of the final report. However, the executive summary is intended to stand alone as a summary of the assessment to be readable by the customer management staff.
Executive Summary Content
The executive summary is meant to be a quick summary of the assessment and its findings. There should be enough information that it makes sense, but it should be short enough that an executive can read it in 5 minutes or less to understand the results. The executive summary should include the following types of information:

- A brief description of the customer, mission, organizational structure, and number of employees.
- A brief description of the assessment process and the purpose of the assessment. Include the dates of the assessment. This might be a good place to reiterate that the assessment was not an inspection, audit, certification, or risk analysis.
- A statement about why the customer requested the assessment to be performed.
- A statement that implementation of any recommendations contained in the final report is strictly voluntary on the part of the customer’s management.
- A brief description of the system or systems that were assessed to include sensitivity of the information.
- Major findings and recommendations found during the assessment. Detail will be included in the INFOSEC analysis section of the main final report document.
- Highlight support provided and positive aspects of the customer’s organization.
NOTE
The executive summary should be used to reiterate major findings, highlight the significant vulnerabilities identified, and highlight actions the customer is already taking to mitigate those vulnerabilities.
Introduction
The Introduction section should contain a detailed description and overview of the assessment. This information is more detailed than the executive summary and is intended to give the reader a complete picture of the assessment process and the scope of the assessment. It should include the following elements:

- Information about the customer and the assessment company
- A description of the assessment process
- The purpose of the assessment
Customer and Assessment Company Information
The Introduction should include information about the mission and operations of the customer being assessed. This information includes company name, operating locations of the customer, operating locations covered by the assessment, number of employees, and so forth. The information should be complete enough to show why the customer is in business and has the organization and systems they do for operations.
It is also good to highlight who conducted the assessment and the expertise of the assessment team so that readers know the assessment was accomplished by a professional security company. For example, highlighting that the assessment team is trained in the NSA IAM and other credentials, along with the types and number of assessments previously conducted, will provide a sense of credibility to the customer as well as identifying the benefit of the IAM assessment to the customer.
Assessment Process Description
The Introduction should include a description of the process used to conduct the assessment. In our case, we describe the NSA IAM as the methodology used to conduct the assessment and the basis for the assessment process. Since this is the main document, the assessment team can go into detail about the process used. These standard descriptions of the IAM process can be used with minor variations in future IAMs.
Important note: The IAM is a detailed and systematic way of examining cyber vulnerabilities and was developed by experienced NSA and commercial INFOSEC assessors. NSA provided the IAM to assist both INFOSEC assessment suppliers and consumers requiring assessments with a framework for conducting effective organizational security assessments. The IAM assessment provides organizations with a comprehensive overview of their security posture for purposes of implementing security countermeasures and improving their organizations’ overall security. In addition to assisting the governmental and private sectors, an important result of supplying baseline standards for INFOSEC assessments is fostering a commitment to improve organizations’ security postures.
Purpose of the Assessment
The Introduction should include a description of the reason that the customer requested the assessment and the identified usage of the assessment results. This again is a good place to identify that the assessment was not an inspection, audit, or certification. We also recommend that you identify how the assessment process met the customer goals for the assessment.
System Description
The System Description section should actually be a combination of information about the organization’s critical information and critical systems along with an actual description of the customer’s system(s). In this section, you should include the following elements:

- The importance of the customer mission
- Identified critical information
- Identified critical system information
- A verbal description of the system being assessed
- System diagrams
The Customer’s Mission Is Important
The System Description section should include discussion of the importance of the customer’s mission and the services or products the customer provides. This information is important to gain an understanding of why the customer’s critical information is critical and why their critical systems are critical.
Information Criticality
The System Description section should include a list of identified critical information, the associated impact definitions, and the information criticality matrix. Detailed discussion should include information that will help the customer understand what the information means. (Information criticality is discussed in detail in Chapter 3 of this book.)
WARNING
The final report writers need to remember that the IAM results will be reviewed at a future date, and they should include enough detail in the description so that it can be understood by anyone reading the report. Don’t assume that the matrix will be understood without a description.
System Criticality
Carry forward the system criticality information described in detail in Chapter 4 of this book. The writer should be able to refer to the definitions and critical information elements described previously so that duplication is limited. It may be useful to describe why the subset of systems was selected and the overall usage of each system.
Actual System Description
A detailed description of the system or network is needed, including the configuration of the system/network, number of workstations, number of servers, the types of hardware platforms, software and applications being utilized on the systems, and the types of services (FTP, Telnet, and so forth) that are in use. Also include in the description any firewalls, IDSs, and VPNs in use.
WARNING
Don’t forget interconnections with third parties, connectivity, modem connections, wireless communications and networking, and so forth. Be as detailed as possible in this section to give the reader the greatest understanding of the configuration.
A Picture Is Worth a Thousand Words
It seems cliché, but it is true—a picture is worth a thousand words. For our purposes, a system diagram goes a long way toward providing a better and clearer understanding of the system configuration. Be sure to identify whether the diagram was created by the customer or by the assessment team. This is important, because a diagram created by the assessment team is an understanding of the network, whereas one created by the customer should be indisputably accurate.
INFOSEC Analysis
The INFOSEC Analysis section identifies the organization’s security posture by identifying vulnerabilities and the impact of those vulnerabilities on the organization. There is flexibility in how the vulnerabilities are presented to the customer in the final report. Two commonly used options are:

- Specifically use the 18 Baseline INFOSEC Classes and Categories, as discussed in Chapter 7 of this book.
- Organize the vulnerabilities by their impact to the customer, typically as High, Medium, or Low, while still noting from which of the INFOSEC Classes and Categories the finding is derived.
NOTE
Either way of listing the vulnerabilities is acceptable. You may even find a better way to list them. In any case, the vulnerability listings must make some logical sense. The downside of using the topic areas as the primary listing method is the fact that many findings cross over multiple topic areas. If you organize them by impact and then list the topic areas from which the vulnerability came, the customer can already see the prioritization of the areas that need to be addressed. A single vulnerability can address more than one topic area.
Topic Areas
The topic areas that are to be addressed in the final report include the 18 Baseline INFOSEC Classes and Categories, discussed in Chapter 7, and any agreed-on changes discussed with and approved by the customer. Table 10.1 provides a recap of the 18 Baseline INFOSEC Classes and Categories.
Table 10.1 Eighteen Baseline INFOSEC Classes and Categories

Management:
- INFOSEC documentation
- INFOSEC roles and responsibilities
- Contingency planning
- Configuration management

Technical:
- Identification and authentication
- Account management
- Session controls
- Auditing
- Malicious code protection
- Maintenance
- System assurance
- Networking/connectivity
- Communications security

Operational:
- Media controls
- Labeling
- Physical environment
- Personnel security
- Education training and awareness
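The rating rule from the Vulnerability Classification discussion and the two ways of organizing the INFOSEC Analysis section (by the Table 10.1 topic areas, or by impact while still noting the topic areas) can be exercised in code. The Python below is an added example, not code from the book, Security Horizon or the NSA IAM; the Medium rating for a threat against a non-critical system, the function names, and the condensed wording of the sample findings (taken from the chapter's own examples, plus one constructed entry) are this example's assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Table 10.1: the 18 Baseline INFOSEC Classes and Categories, by class.
BASELINE_CLASSES = {
    "Management": [
        "INFOSEC documentation", "INFOSEC roles and responsibilities",
        "Contingency planning", "Configuration management",
    ],
    "Technical": [
        "Identification and authentication", "Account management",
        "Session controls", "Auditing", "Malicious code protection",
        "Maintenance", "System assurance", "Networking/connectivity",
        "Communications security",
    ],
    "Operational": [
        "Media controls", "Labeling", "Physical environment",
        "Personnel security", "Education training and awareness",
    ],
}
ALL_CATEGORIES = {c for cats in BASELINE_CLASSES.values() for c in cats}
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}

def rate_severity(threat_exists: bool, on_critical_system: bool) -> str:
    """Rating rule from the Vulnerability Classification discussion: no threat
    of exploitation -> Low; a threat against a critical system -> High.
    Medium for a threat against a non-critical system is this example's
    assumption; the chapter leaves that call to assessor judgment."""
    if not threat_exists:
        return "Low"
    return "High" if on_critical_system else "Medium"

@dataclass
class Finding:
    title: str
    categories: list      # one or more Table 10.1 categories
    severity: str         # High, Medium or Low
    discussion: str
    options: list = field(default_factory=list)  # first option is optimal

    def __post_init__(self):
        # Reject categories outside Table 10.1 and findings with no option.
        unknown = set(self.categories) - ALL_CATEGORIES
        if unknown:
            raise ValueError(f"not a baseline category: {sorted(unknown)}")
        if self.severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity: {self.severity}")
        if not self.options:
            raise ValueError("finding has no recommendation option")

def by_impact(findings):
    """Option 2: order by impact; each entry still carries its categories."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.title))

def by_topic_area(findings):
    """Option 1: group by Table 10.1 category; a finding that crosses several
    topic areas is listed under each of them."""
    grouped = defaultdict(list)
    for f in findings:
        for cat in f.categories:
            grouped[cat].append(f.title)
    return dict(grouped)

def render_entry(f: Finding) -> str:
    """Lay out one entry in the Finding / Category / Severity / Discussion /
    Recommended options shape of the chapter's sidebar example."""
    lines = [
        f"Finding: {f.title}",
        f"Category: {' and '.join(f.categories)}",
        f"Severity: {f.severity}",
        f"Discussion: {f.discussion}",
        "Recommended options",
    ]
    for i, opt in enumerate(f.options, 1):
        tag = "(Optimal) " if i == 1 and len(f.options) > 1 else ""
        lines.append(f"{i}. {tag}{opt}")
    return "\n".join(lines)

# Sample findings condensed from the chapter's examples, plus one constructed
# entry whose severity comes from rate_severity().
SAMPLE_FINDINGS = [
    Finding("Disaster recovery plans incomplete and outdated",
            ["INFOSEC documentation", "Contingency planning"], "High",
            "Plan covers only the premier site and omits telecom restoration.",
            ["Develop an overall DR policy, then site- or system-specific plans.",
             "Develop an IT-specific DR plan and test it at least annually.",
             "Update the premier-site plan to cover all critical systems."]),
    Finding("Employee acceptable-use policy inadequate",
            ["INFOSEC documentation", "Personnel security"], "High",
            "Policy is under a page and names no compliance or enforcement terms.",
            ["Rewrite the acceptable-use policy against the corporate policy."]),
    Finding("Visitor log kept but never reviewed (constructed example)",
            ["Physical environment"],
            rate_severity(threat_exists=True, on_critical_system=False),
            "Constructed: a log exists, but nobody reviews it.",
            ["Assign weekly review of the visitor log to the facility manager."]),
]
```

Running `by_topic_area` over the samples shows the cross-over the NOTE warns about: the disaster recovery finding appears under both INFOSEC documentation and Contingency planning, while `by_impact` lists it once with both categories noted.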
Identifying the Findings
Findings are the identified customer vulnerabilities. However, findings do not have to be wholly negative. In fact, it is highly recommended that you include some positive findings in the final report to help emphasize good security practices the customer can use to leverage additional security focus for their organization. For reporting purposes, the finding is a brief, clear statement of the vulnerability or good security practice identified.
Discussion of the Findings
The Discussion section is a detailed description of the findings and their impact on the organization. This discussion is an excellent educational tool to help emphasize the importance of security to the customer.
Recommendations for Improving Security Posture
The Recommendations section is a detailed description of the recommendations for the customer to improve their security posture for that specific finding. Hopefully, the assessment team is able to identify multiple recommendations for each finding to provide the customer with options for improving their security posture.

From the Trenches…
INFOSEC Analysis Section Example
Here is an example of a possible INFOSEC Analysis section entry:

Finding: Disaster recovery plans incomplete and outdated.
Category: INFOSEC documentation and contingency planning.
Severity: High.
Discussion: Disaster recovery plans provide the processes and procedures necessary to restore critical services in the event of an emergency. The current disaster recovery plan is focused on premier site restoration and is out of date due to major changes and closures within the network. It also does not include critical telecommunications restoration information.
Recommended options:
1. (Optimal) Develop an overall disaster recovery policy. Based on the policy, develop site-specific and/or system-specific disaster recovery plans and procedures.
2. Develop an IT-specific disaster recovery plan that addresses the systems that IT is directly responsible for implementing, managing, and maintaining. Once developed, the plan should be tested minimally on an annual basis. Incorporate the disaster recovery process into the incident response process.
3. Update the existing premier site disaster recovery plan to cover all critical systems within the infrastructure.

Conclusion
The Conclusion section is intended to summarize the final report and provide the customer with additional information on how they can direct questions or gain more information about the findings and results. Included in this section are the following elements:

- A general description of the overall results and the level of additional attention the customer needs to improve their security. This is where the assessment team finally makes a statement about the customer’s security posture that is backed up by the assessment’s actual results.
- Statements about how security can save money in the long run may be useful. If specific examples are available, include them here.
- Statements that recommendations are suggested guidelines, not requirements, to help the company improve its overall security posture and that implementation of any of the recommendations should be at the discretion of the company’s management may be useful here.
- Positive statements about support and security practices are useful.
- Provide contact information for the assessment team.
Delivering the Final Report
Do not overlook the importance of the final step of the process: delivering the final report. A quality, visual presentation of the final report goes a long way toward meeting customer expectations. A sloppy report will leave the customer with a negative impression and could lead the report’s readers to believe that the assessment was conducted equally haphazardly. Be sure to meet the deadline established for the final report. This is important in meeting customer expectations.
Cover Letter
On your own letterhead, create a deliverable letter that meets your contractual requirements and provides a clear yet concise description of the assessment and the appropriate points of contact for the assessment team. This cover letter is a business process item that utilizes the assessor’s letterhead and processes to formally deliver the final report. Similar cover letters can likely be used for every final report delivery.
Attach the Assessment Plan
A copy of the customer-signed assessment plan should be attached to the final report as a record of the agreed-to scope used to conduct the assessment process. Since the assessment plan may change at various times throughout the process, the version attached should be a photocopy of the final version signed and agreed to by the customer, which includes all agreed-to changes made throughout the process. This gives the assessment team and the customer an opportunity to compare the resulting assessment to the agreed-on assessment, helping both parties compare customer expectations, concerns, and constraints.
Customer Acknowledgment
Make sure that you include some method of acknowledgment to encourage the customer to accept the final report so that a permanent record can be made for contractual purposes. This is important to prevent future misunderstandings or confusion as to the acceptability of the assessment results and, of course, your ability to get paid. The acknowledgment should be formal, requiring an original signature. This can generally be accomplished via a deliverable acknowledgment letter that the customer signs, stating that they have received and approved the delivered document.
Case Study: Analyzing Findings for Important Internet Services Provided, Inc.
Important Internet Services Provided, Inc. (IISP), located in Turpentine, Texas, is responsible for providing Internet services to a wide range of customers across the United States. IISP has departments supporting development and production environments. IISP provides provisioning support for user access on multiple systems, help desk support, and Tier 1 support.
IISP asked Security Horizon to conduct an organizational (NSA IAM-based) security assessment. Security Horizon conducted this assessment from May 1 through June 28, 2002. This assessment was not an inspection, accreditation, certification, or risk analysis. It was a snapshot view of the existing security posture within IISP. The results are intended to provide IISP with a plan of action to improve security operations. The assessment team gathered information through several means to obtain the indicated results. This process included interviews with key IISP personnel, observations of existing practices, and a review of available documentation. Through these efforts, the team was able to identify security vulnerabilities and propose solutions to meet IISP security needs.
The executive summary of the final report may look something similar to the following.
Executive Summary
Security Horizon was contracted by IISP to conduct an information security assessment on the IISP operations in Turpentine, Texas. This assessment covered the organizational considerations of information security. IISP is responsible for providing IT support for IISP internal operations. This responsibility includes support for the development and production environments. IISP provides provisioning support for user access on multiple systems, help desk support, and Tier 1 support.
This information security assessment was conducted, at the request of IISP, to document the current state of security (the security posture) in the IISP responsible networks, to give a basis for addressing vulnerabilities, and to gain SLT visibility into the information security issues that are affecting the IISP environment. The assessment was conducted from May 1–June 28, 2002. The assessment was an analysis of the current state of security with the goal of improving security within the IISP environment. It was not an inspection, certification, or risk analysis. Security Horizon utilized the National Security Agency (NSA) Information Security Assessment Methodology (IAM) to conduct the organizational portion of the assessment. Security Horizon utilized its extensive commercial and government experience and formal processes and procedures to conduct the technical portion of the assessment. Implementation of any of Security Horizon’s recommendations is strictly voluntary on the part of IISP and is at the discretion of the organization’s management. The implementation of any recommendations contained herein does not guarantee the elimination of all risks.
The systems that were reviewed as part of this assessment included a combination of UNIX- and Windows-based servers, databases, Web servers, and workstations providing a broad range of services. These systems were located in Turpentine, Texas; Sterling Silver, Virginia; and San Juan, California.
The assessment highlighted several areas of concern within the IISP environment. Detailed findings are broken out by type of finding and severity of the finding in the INFOSEC Analysis section of this report. Also provided is a prioritized security road map to assist IISP in planning their security program and addressing improvements to their security posture.
Organizational Assessment Findings Summary
Analysis of the assessment findings shows that the two major items that need to be addressed within the IISP environment are a corporate-level, comprehensive, enforced security policy and general security awareness across all the IISP staff. IISP does not have a comprehensive security policy that details not only physical security requirements but also includes information protection and computer security considerations. These two items address approximately 80 percent of the organizational security findings at IISP. Additional findings show that IISP is not operating as a cohesive company with common goals and objectives. Although this is common for organizations that have grown through multiple acquisitions, it still has a major impact on the organization’s ability to address the issues related to security.
Security Horizon would like to thank all the IISP staff for their support and openness during the assessment process. Their openness and insight were critical to helping Security Horizon gain the information needed to complete the assessment. We would also like to thank Susie Shell for her assistance in locating available documentation that we reviewed. It has been a pleasure to work with the IISP staff, and we look forward to opportunities to work with you in the future. Should you have any questions, please do not hesitate to contact either member of your assessment team.
Russ Rogers, , (719) 488-4500 office, (719) 555-1212 cell
Greg Miles, , (719) 488-4500 office, (719) 555-1213 cell
NOTE
The following are some additional examples of findings from IISP that are included in the INFOSEC Analysis section of the final report.
INFOSEC Analysis
Organizational Assessment Findings
The following findings are based on interviews with IISP IT staff. These findings are a compilation of the thoughts and opinions of IISP staff. Verification of a finding is conducted through observation by the assessment team and/or confirmation with other IISP staff that are being interviewed. All these interviews are conducted in a nonattribution format to allow the interviewee to be fully open with the assessment team.
High-Severity Findings
Finding: IISP Lacks a Comprehensive Security Policy

Category: INFOSEC Documentation
Severity: High
Discussion: Security policy is the foundation of an organization’s security program. It defines security requirements, accountability, and enforcement. The lack of a comprehensive security policy affects an organization’s ability to set and enforce best practices based on industry standards. Lacking a security policy also opens an organization to noncompliance with federal and state law and to not meeting due diligence expectations. Approximately 80 percent of the findings of this assessment are based on the lack of a comprehensive, enforceable security policy. Once a security policy is sanctioned by IISP, actions can be taken to bring IISP into compliance with the policies that have been established.
Recommendation options:
- Option 1 (optimal), top-down approach: Develop a comprehensive, enforceable information security policy with either IISP resources or outside industry professionals. Policy must be sanctioned and supported by IISP senior leadership team and must be enforced. This option will give IISP the quickest push toward resolution.
- Option 2, bottom-up approach: Develop security standards within the IT group and work to get them adopted as IISP standards. This will require SLT sanctioning and allowance of enforceability once adopted.
Finding: IISP Employee Acceptable-Use Policy Inadequate

Category: INFOSEC Documentation and Personnel Security

Severity: High

Discussion: The employee acceptable-use policy shows employees how important security is to the operations of IISP. The current policy, located in the Associate Handbook titled Computer, Telephone, and E-mail Systems, is limited to less than a page that doesn’t identify specific compliance requirements and the enforcement that will occur should the policy be violated. Because this document is signed by the employee, identifying that employee’s understanding of IISP policy, it is critical that it be detailed and complete.

Recommendation options:

Update the employee acceptable-use policy to be detailed based on the corporate security policy.
Finding: No Mandated Warning Banners on Systems and Workstations

Category: Session Controls

Severity: High

Discussion: Warning banners are key elements for the legal prosecution of unauthorized access to a system and/or improper use of a system by an authorized system user. Lack of warning banners makes it difficult to prosecute abusers. In all cases, IISP legal counsel should provide and approve any warning banner placed on the systems. Warning banners can be generic or specific, depending on the type of system and users of a system.

Recommendation options:

Define the requirement for warning banners in the to-be-developed security policy. Have the IISP general counsel provide warning banners for each type of system in use at IISP. Have the owners of each system implement the warning banner.

Define the requirement for warning banners in the to-be-developed security policy. Have the IISP general counsel provide an acceptable generic warning banner for use on all IISP systems.
Medium-Severity Findings
Finding: Inconsistent Support Plans Drive Inconsistent Account Management

Category: INFOSEC Documentation and Account Management

Severity: Medium

Discussion: System support plans are supposed to mandate the account establishment, management, and approval process. When a system support plan provides weak guidance on how the approval and management process is to occur, the support desk cannot effectively manage the users. System support plans are not always created for each system. Many existing system support plans are weak and not kept up to date when changes are made. Weak or nonexistent system support plans create difficulties with the applicable system access policies. Without the proper approval process with applicable authority for access to a system, the IT support team cannot administer their responsibilities in a secure and efficient manner.

Recommendation options:

Establish and enforce a basic framework for development to use for their account management portion of the system support plan. Make sure that security and systems support personnel are involved with the projects as they are being rolled out to ensure an understanding of the account management for those particular systems and to ensure some level of consistency across all systems.

Implement single sign-on throughout the IISP network. This will only work once IISP works out the relationships across the IISP organization to ensure that it is operating as one integrated company.
Finding: No Formally Defined Security Roles and Responsibilities Among the IT Staff

Category: INFOSEC Roles and Responsibilities

Severity: Medium

Discussion: IISP information security is currently handled by individual initiative, not by defined roles and responsibilities. Empowerment and accountability for security are critical to successful security program implementation. IISP IT operations managers identified their need, and some are working on job descriptions for their staff. The job descriptions do not need to identify step-by-step activities for individuals, but they do need to identify the basic responsibilities of the positions to include security responsibilities.

Recommendation options:

Option 1: Establish comprehensive job descriptions that include roles and responsibilities related to information security for that position. The specific roles and responsibilities need to be flexible enough to allow for changes in job requirements and technology.

Option 2: Create a generic security responsibility document for which all employees will be responsible.
NOTE
The Conclusion section might look something like the following.
Conclusion

Prompt attention to security is needed at IISP. A majority of the findings are due to the lack of documented policies and procedures, lack of senior management support to implement security best practices, lack of security training and awareness among IISP staff, and system misconfiguration. IISP can improve its security posture by taking into consideration the enclosed recommendations.
Good security is based on good policies, procedures, training, awareness, management support, and implementation. Good security is also based on a sound security architecture utilizing the correct products in the correct locations on the network. Ultimately, good security can help save IISP money by reducing redundancy of duties across the staff, reducing the amount of time spent addressing security incidents, and standardizing products and procedures across the enterprise.
The recommendations are suggested guidelines, not requirements, to help IISP improve its overall security posture. Implementation of any of the recommendations should be at the discretion of IISP management.
IISP has demonstrated a desire to improve its security posture. IISP has a talented technical staff that needs senior management support to break through the political barriers that are preventing them from successfully implementing improvements at IISP.
It has been a pleasure to work with the IISP staff, and we look forward to opportunities to work with you in the future. Should you have any assessment questions, please do not hesitate to contact either of your assessment team members.
Russ Rogers, , (719) 488-4500 office, (719) 555-1212 cell
Greg Miles, , (719) 488-4500 office, (719) 555-1214 cell

Results
Overall, IISP was very receptive to Security Horizon’s recommendations and is utilizing the provided road map to improve its security posture through phased implementation of the appropriate recommendations.
WARNING
Even when the customer is very receptive of the assessment results, they will likely have to implement solutions in phases based on available funding, political roadblocks, and available staff and time resources. Opportunities may exist here to do additional support work for the customer, but that should not be your primary focus.
Summary
The assessment team is approaching the end of the assessment process, but the work is not yet complete. Two to eight weeks of work remain to finalize the analysis, put together the discussion on the impact of vulnerabilities to the customer, and create useful recommendations for the customer to consider implementing. Begin the analysis process as soon as you return from the onsite visit. The longer the assessment team waits to begin analysis, the more that can be forgotten.
Taking the steps to prepare for conducting analysis helps get the assessment team focused on the required tasks and assists in providing an organized environment in which to work. These efforts include conducting assessment team meetings and making writing assignments to the appropriate individuals. It also includes taking the time to review in detail the information collected at the onsite visit and formulating the actual list of findings.
The actual analysis process is not an individual effort. The assessment team should meet several times to complete the full list of findings and decide on appropriate recommendations. The assessment team may be able to collectively identify vulnerabilities that they would have missed individually. Any look at vulnerabilities should include consideration of the overall risk to a customer. This includes an analysis of threats, vulnerabilities, and the customer’s asset value or impact on the customer. Risk plays a key role in the recommendations you make to improve the organization’s security posture.
The final report is the key deliverable for the entire process. The report should include detailed information about the assessment process, the purpose of the assessment, information criticality, system information and criticality, actual detail about vulnerabilities, positive findings, and an overall determination of the customer’s security posture. As a formal document, it should meet common-sense standards for organization, flow, grammar, and spelling. The final report should also meet your organization’s legal requirements for a deliverable. Don’t forget to attach the assessment plan to the final report.
Use common sense and review the assessment requirements when doing the analysis and preparing the reports to ensure that customer expectations are met. Keep communicating with the customer throughout the entire process, and things will flow much more easily.
Best Practices Checklist
Preparing for Analysis
- Don’t delay in starting the analysis process; begin as soon as you return from the onsite visit.
- Utilize assessment team meetings to pull together the findings information.
- Manage the process to ensure success.
- Keep communicating with the customer.
Understanding Findings (Doing the Analysis)
- Threats, vulnerabilities, and asset value (or impact) play a major role in assessing the overall risk to a customer. Vulnerabilities are the area in which a customer has the greatest control over their risk.
- Analyze both negative and positive findings to create a true picture of the customer’s security posture.
- Make multiple recommendations for each finding, where possible, to give the customer action options.
Preparing and Formatting the Final Report
- Deliver the final report early, not late.
- Be clear and concise with findings, discussion, and recommendations.
- Be sure to address contractual needs to close out the assessment process.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Why does it take so long to prepare a final report? Why can’t it be delivered the week after the onsite assessment phase ends?
A: The answer is twofold: One, you’ll need that time to do good analysis and combine information from the assessment, and two, creating a high-quality report takes time.
Q: Which area of risk does the customer have the most control over?
A: Vulnerabilities. The customer has very little control over the threats and the impact to the organization, but they can do things to mitigate the vulnerabilities and therefore reduce the risk.
Q: Why are positive findings important to identify? I thought the purpose of the assessment was to find vulnerabilities.
A: The purpose of the assessment is to identify the customer’s security posture. This includes both positive and negative security practices. Unfortunately, the nature of the assessment generally results in more negative vulnerabilities than positive findings, but both should be taken into consideration.
Q: Why are multiple recommendations important?
A: You need to give the customer options. If there is only one possible recommendation, that’s fine. But where possible, provide multiple recommendations that give the customer options for implementation. Implementations may be driven by money, politics, or differences in regulations, but options will give the customer greater flexibility and the sense that they have additional control over the process.
Q: Does NSA require a specific format for the final report?
A: The format NSA provided is only recommended, not required. The key is to include all the basic elements, and you will be in good shape.
Q: What happens if the customer rejects the final report?
A: This is very, very rare, but you must understand the reasons that the final report was rejected. Make sure that you do quality work on the report. Report organization and clarity are extremely critical to the customer understanding the results. If the assessment team has been working the IAM process correctly, there should have been no surprises to the customer. When a report is rejected, it’s likely that it was not in the right format or a new player got involved who did not understand why the assessment was conducted and the benefit the assessment will provide to the customer. Once you understand the reason behind the rejection, make the necessary corrections and resubmit it.