Security Assessment P2 ppt document

Department of Interior, major broadband Internet service providers (ISPs), banking institutions, power companies, higher educational institutes, medical organizations, and even small, family-run businesses. From experience we have found that although security as a whole is improving, knowledge growth is still needed in the public sector as well as the private sector.

When we originally departed from doing strictly federal government work, we thought that it would be easier to sell this service in the commercial world. We were wrong. It is just as difficult to convince a higher educational institute that they have critical information that must be protected from exposure as it was to convince federal agencies that they were not protecting everything as well as they thought. Both sides, public and private, rarely know how or what they need to address. So, the first step is the education of both what an INFOSEC assessment is and how this methodology applies to the customer’s field.
What This Book Is About
What is an INFOSEC assessment? It is a baseline measurement of the controls implemented to protect information that is transmitted, processed, or stored by a specific system. Simplified, this is a measurement of the security posture of a system or organization. This approach has been endorsed by the Critical Infrastructure Assurance Office (CIAO) for compliance with PDD-63 (www.fas.org/irp/offdocs/pdd/index.html) agency/department vulnerability analysis (www.ciao.gov).

Under President George W. Bush, the functions of the CIAO have been integrated into the Department of Homeland Security (DHS) under the Information Analysis and Infrastructure Protection (IAIP) Directorate, by order of the National Security Presidential Directive One (NSPD-1). More information on the current functions of the IAIP can be found at www.dhs.gov/dhspublic/theme_home6.jsp.

INFOSEC posture is the way INFOSEC is implemented. An INFOSEC assessment is not any of the following:

Inspection: You are invited by the organization.

Evaluation: It involves no hands-on testing. Instead, we utilize demonstrations by the customer to validate certain control implementations.
www.syngress.com
xxx Introduction
286_NSA_IAM_Intro.qxd 12/16/03 2:49 PM Page xxx

Certification/accreditation: An assessment can be part of a certification, but it does not provide a proper level of assurance in and of itself because it does not contain hands-on testing.

Risk assessment: Although INFOSEC assessments have aspects of risk assessment, they focus on vulnerabilities and impact. Most people think of risk assessment as including quantitative measurements and/or cost analysis.

The INFOSEC assessment is broken into three phases:
1. Pre-assessment
2. On-site activities
3. Post-assessment
Each of these phases has specific objectives and outputs that will always be present.
Overview of the IAM
In Chapter 1 we address some issues that are not taught in the class: how to determine that an assessment is needed and the contractual issues. You need to understand these issues to set the foundation for your assessment. Once you have the foundation completed, you can address the pre-assessment activities, which include refining customer needs; gaining an understanding of the criticality of the customer’s information; identifying the system, including system boundaries; coordinating logistics with the customer; and writing an assessment plan. All these steps are covered in Chapters 2 through 6. By the end of Chapter 6 you will understand how to implement this phase. We provide a template for the assessment plan, the key work product that is accomplished in the pre-assessment phase.

In Chapters 7 through 9, we address the on-site activities. Beyond the kickoff meeting are normal activities that need to be explained. Some of these include the interview process; at the end of Chapter 7 we provide sample interview questions that we use in our process. Through Chapters 8 and 9, we address the identification of findings. Findings are not always bad, as you will see, but it is crucial that your customer know what you find. It is key that there are no surprises for your customer during this process. The customer should be aware of all findings that you identify, and we show you how to address the significant findings during the out-briefing. To assist you in developing your own style of out-briefing, we provide a template that you can tailor to fit your situation and style.
Once you finish the on-site phase with your customer, it is time to go home and put the final report together. This is the post-assessment phase, just as important as the two previous phases. In this phase, you develop the final report, coordinate delivery of the report, and do the internal housekeeping activities to close out the assessment. In Chapter 10 we address the report activities; in Chapter 11 we cover the closeout activities.

Throughout this book you will see special elements we’ve added to assist you in understanding the subject material. These special elements include text sidebars of value-added information that complements or expands on the topic under discussion. These sidebars are brief but contain valuable information to clarify everything from “Understanding Why” or “From the Trenches” to “Terminology Alert,” even including checklists that can assist you in developing your own business processes.

What Isn’t Covered in the Methodology?
If you have attended the class, you already know that several issues are not covered by the IAM. Contracts, staffing, and vendor expectations are good examples. What needs to be in the contract? Everybody has their own business model and legal requirements based on location and legal counsel. How many people do you need to do the job? If we were to tell you that you only need four people, we would be lying. This book is designed to assist you in improving your business process or internal controls. To do that, we address them through examples in the book.

So the question is, why was this information not covered in the class? To answer that, you have to understand and remember that this material was developed in and based on the way NSA provides this service. NSA doesn’t have to deal with many of the business issues that the private sector does. NSA does not do contracts, since the service is free to federal agencies that request and need the help.

Also remember that this methodology is just that—a methodology. We show you how to move from theory to practice. In addition, people who have been doing assessments for a while will agree that one shoe does not fit all. Every customer is different. Every organization is unique. Yes, there are many similarities among them, but those minor differences and recognition of them (or failure to recognize them) can make for a quality assessment or a poor assessment. The core mission, such as a bank or credit union, is the same, but the management is different. The staff probably has different backgrounds, so they will have different views on how to handle the work and priorities. Even your own team’s experience and background will affect what they see as important, even the priorities of importance.
The Audience for This Book

This book is aimed at several kinds of people: practitioners, customers, managers, and salespeople. All of them are important to the process, depending on which side of the fence you are on.
Practitioners
There are two kinds of practitioner: those who have attended the IAM class and those who have not. We want this book to be useful to both. The goal is to provide a standardized approach that all can use to help their customers.

For the practitioner, this book helps provide the nuts and bolts to improve the processes that you already have in place. If you are new to doing assessments, this is good reading for you. You will learn what to expect, and that will make you a better team member.
Customers
There are three types of customer: those responsible for contracting the work, those responsible for assisting with the work, and those responsible for implementation of the results. If you are on the contracting side, it is imperative that you understand what is to be accomplished during an IAM assessment. You don’t want to pay too much, and at the same time you don’t want to undercut the time and resources needed to provide a valuable product for your organization. This book will help you identify what you should be paying for and what work products should be delivered.

For customers who are going to assist as team members, you need to know what to expect. What should be your role, and how much involvement should you have? This information will help you be a better team member and help your organization achieve a valuable product. Lastly, there is the individual who ends up with the report and is responsible for the implementations to improve the security posture. This book will help that customer understand how and why the assessment was done, which will enable you to see the value of what you get. Understanding can help you meet your organization’s security objectives.
Managers
Managers also need to read this book. Over the years we have seen companies that have tried unsuccessfully to turn this methodology into a business process. Business managers want a profitable process without a large investment. Without knowing how the process works in reality, managers can make mistakes. They need to know what the team should be doing and who has what responsibilities during the assessment process. This knowledge will help managers price the service better and define the skill sets needed and staffing for a particular assessment.
Sales
The salespeople are crucial from a commercial standpoint due to the fact that they are the ones selling the service and need to understand how to accurately price the work. Not every assessment will be the same price. Organizations of different sizes, complexities, scopes, skill set requirements, and more will have different pricing. There are many factors to address, and for the salesperson, the pre-assessment phase of this book is probably the most important. Chapters 1 through 6 will help you understand what it is you are selling and the value of that service. You will learn some terminology and how the assessment flows so that you can speak with confidence to your customers.
Final Thoughts
We wrote this book with you in mind. This book is not the answer to every question or situation, but it’s a good guide to assist you in improving your processes. The class laid the foundation; now we turn that methodology into reality for you. Welcome to the IAM process, and we hope that you find this book useful.
Chapter 1
Laying the Foundation for Your Assessment
Solutions in this Chapter:
Determining Contract Requirements
Understanding Contract Pitfalls
Staffing Your Project
Adequately Understanding Customer Expectations
Understanding What You Should Expect
Case Study: Scoping Effort for Organization for Optimal Power Supply (OOPS)
Summary
Solutions Fast Track
Frequently Asked Questions
Introduction
The National Security Agency (NSA) Information Security (INFOSEC) Assessment Methodology (IAM) is a detailed and systematic method for examining security vulnerabilities from an organizational perspective as opposed to only a technical perspective. Often overlooked are the processes, procedures, documentation, and informal activities that directly impact an organization’s overall security posture but that might not necessarily be technical in nature. The IAM was developed by experienced NSA and commercial INFOSEC assessors and has been in practice within the U.S. government since 1997. It was made available commercially in 2001.

NSA developed the IAM to give organizations that provide INFOSEC assessments a repeatable framework for conducting organizational types of assessments as well as provide assessment consumers appropriate information on what to look for in an assessment provider. The IAM is also intended to raise awareness of the need for organizational types of assessment versus the purely technical type of assessment. In addition to assisting the government and private sectors, an important result of supplying baseline standards for INFOSEC assessments is fostering a commitment to improve an organization’s security posture.

As with any project, the first step is to identify a need; in this case, it’s the need for an assessment. This identification can happen in two ways. An organization’s leaders may realize they need an assessment, or a potential provider can convince them that they need an assessment. The justification for an assessment can include legislative requirements, response to a security incident, part of good security engineering practice, requirements for contracts or insurance, or simply because it’s the right thing to do. This book does not focus on selling the IAM to customers, since that is a specific business practice. Instead, it focuses on the process of conducting the IAM within a customer environment. In this chapter, we examine the beginning of the process, focusing on establishing the scope and contractual requirements for an assessment.
Determining Contract Requirements
The process doesn’t truly start at writing the contract. The process probably starts one or two months earlier, when the customer decides that they need to do something related to information security, and they need to do it soon. The provider company or another company probably spent some time trying to convince the customer of the type of assessment they need. Somewhere during this process, either a basic set of requirements is set or a request for proposal (RFP) is written.

At this point, it can officially be said that the need for an assessment has been identified. The time has come to develop the scope and contract for the assessment. Every IAM-related assessment starts with documentation that describes the requirements and expectations between those that are conducting the assessment and those that are receiving the assessment. In the commercial environment, the contracting process lays the foundation for the effort. In the government environment, it can be a contract or a memorandum of agreement (MOA) or memorandum of understanding (MOU) between two organizations that can drive the assessment effort. Ultimately, the majority of information is the same in either
Understanding Why…
Contracting and the NSA IAM
NSA intentionally does not specifically address business processes in the IAM methodology. The IAM was originally designed as a government methodology (NSA providing services to other government agencies) and therefore had no need for contract considerations. Once it was discovered that the methodology had applicability in the commercial world, NSA decided to stay out of the contracting side and let each entity handle contracting-related obligations. NSA is not generally involved with developing contract requirements, formats, or contents. The information contained in this chapter comes primarily from the authors’ experience in preparing contracts and scoping the efforts for IAM assessments. Each individual IAM provider must address contracting requirements without NSA assistance.
