Have access credentials, documentation and training been provided?

As a security site assessment begins, make sure you're fully prepared with credentials, documentation, training and permissions. Learn how this preparation can ensure a smooth security site assessment.

About the author
Joel Scambray has held diverse roles in information security over a dozen years, including co-author of Hacking Exposed: Windows and Hacking Exposed: Web Applications, senior director of security at Microsoft, co-founder of security technology and service company Foundstone, senior security consultant for Ernst & Young and internationally recognized speaker in both public and private forums. Listen to the supplemental podcast with Joel for more information on security site assessments.

A lack of access or credentials is often a major showstopper -- it's hard to assess something that you can't get to! Build appropriate padding into the schedule to ensure that the customer's credential and account provisioning systems and processes work. If the assessment is full-knowledge, make sure the consultants have access to any documentation, personnel and/or training that may be required. For example, a white-box line-of-business application assessment should begin with a review of software design and specification documentation, plus any necessary training on accessing software source code and bug-tracking repositories. Without these items, the assessment team can sit idle while the customer gets little value -- all due to a simple lack of preparation.

Another necessary part of preparation is ensuring that permissions have been granted to assess all of the elements within scope. It never hurts to re-clarify with the customer if there are any doubts, particularly around partner or third-party systems whose ownership may be unclear. This issue commonly arises in outsourced data center hosting arrangements, where many organizations are hosted near each other by one or more common providers, and access to the customer potentially crosses third-party-owned infrastructure. Be sure that the assessment techniques being employed are well understood by all parties, so as to avoid unnecessary risks of downtime or policy violations affecting unrelated systems.

This was first published in May 2008
