Have access credentials, documentation and training been provided?

As a security site assessment begins, make sure you're fully prepared with credentials, documentation, training and permissions. Learn how this preparation can ensure a smooth security site assessment.

About the author
Joel Scambray has held diverse roles in information security over a dozen years, including co-author of Hacking Exposed: Windows and Hacking Exposed: Web Applications, senior director of security at Microsoft, co-founder of security technology and service company Foundstone, senior security consultant for Ernst & Young and internationally recognized speaker in both public and private forums. Listen to the supplemental podcast with Joel for more information on security site assessments.

A lack of access/credentials is often a major showstopper -- it's hard to assess something that you can't get to! Allow appropriate padding to the schedule to ensure that customer credential/account provisioning systems/processes work. If the assessment is full-knowledge, make sure the consultants have access to any documentation, personnel and/or training that may be required. For example, a white-box line-of-business application assessment should begin with a review of software design and specification documentation, plus any necessary training on accessing software source code and bug-tracking repositories. Without these items, the assessment team can sit idle while the customer gets little value -- all due to a simple lack of preparation.

Another necessity of preparation is to ensure that permissions have been granted to assess all of the elements within scope. It never hurts to re-clarify with the customer if there are any doubts, particularly around partner/third-party systems that may be of unclear ownership. This issue commonly arises in outsourced data center hosting arrangements, where many organizations are hosted near each other by a common provider(s), and access to the customer potentially crosses third-party-owned infrastructure. Be sure that the assessment techniques being employed are well-understood by all parties, so as to avoid unnecessary risks of downtime or policy violations to unrelated systems.

This was first published in May 2008

Dig Deeper



Find more PRO+ content and other member only offers, here.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: