A lack of access/credentials is often a major showstopper -- it's hard to assess something that you can't get to! Allow appropriate padding to the schedule to ensure that customer credential/account provisioning systems/processes work. If the assessment is full-knowledge, make sure the consultants have access to any documentation, personnel and/or training that may be required. For example, a white-box line-of-business application assessment should begin with a review of software design and specification documentation, plus any necessary training on accessing software source code and bug-tracking repositories. Without these items, the assessment team can sit idle while the customer gets little value -- all due to a simple lack of preparation.
Another necessity of preparation is to ensure that permissions have been granted to assess all of the elements within scope. It never hurts to re-clarify with the customer if there are any doubts, particularly around partner/third-party systems that may be of unclear ownership. This issue commonly arises in outsourced data center hosting arrangements, where many organizations are hosted near each other by a common provider(s), and access to the customer potentially crosses third-party-owned infrastructure. Be sure that the assessment techniques being employed are well-understood by all parties, so as to avoid unnecessary risks of downtime or policy violations to unrelated systems.
About the author:
Joel Scambray has held diverse roles in information security over a dozen years, including co-author of Hacking Exposed: Windows and Hacking Exposed: Web Applications, senior director of security at Microsoft, co-founder of security technology and service company Foundstone, senior security consultant for Ernst & Young and internationally recognized speaker in both public and private forums. Listen to the supplemental podcast with Joel for more information on security site assessments.