As with most consultative engagements, the scope of the assessment is all-important. Value-added resellers should clarify the parameters of the assessment, including the nature of specific environments/components to be assessed. For example, will the assessment cover physical, network, application, database, personnel, policy and/or wireless assets? This will help the reseller determine the types of tools and skills necessary to deliver. The scale of work (i.e., number of iterations) is also important, e.g., number of IP addresses to be scanned/assessed. The reseller should also ensure it has permission to assess all in-scope assets, especially if third-party assets are to be targeted.
This was first published in May 2008