Best Practices for a Meaningful Information Security Assessment (Part 2)

In the first part of this series I focused on the best practices of understanding the intent of the assessment, the value that a dedicated project manager will add to the effort, and the importance of selecting the right firm.  In the second part I will focus on the best practices of selecting the right framework, preparation of materials, and presentation of materials.  These efforts are discussed separately; however, they are tightly coupled and rely heavily on good communication.

Agree upon the assessment framework

Just because the organization has always done it that way does not mean that the organization has to continue doing it that way.  Select a framework that works for your organization.  You may find that prevailing frameworks such as COBIT, NIST 800-30, OCTAVE are too strict for your organization or do not provide the flexibility that you need to easily assess your information security posture.  In that case, work with your assessor / security expert to identify a framework that best suits your organization and level of maturity.  It is critical that your assessor is familiar with the framework you select in order to maximize the value of the assessment.

Focus on preparation versus defense

Many people fear external reviews of their work.  This is natural given that many organizations have the mindset of cramming for the exam and then going back to whatever they were doing before.  People tend to provide evidence of what they are excelling at (even if it is not a priority) and forget the messy, untouched effort (that may be a bigger overall priority).  They gear up to defend why they did not do something.  This may have short-term benefits but negatively affects the information security program in the long run.

As stakeholders prepare for the assessment, focus on reality.  Prepare materials to support what you are doing to improve the information security posture of the organization.  Acknowledge existing gaps, in-process efforts, and planned future efforts.  Use the assessment as an opportunity to validate the priority of in-process and future projects.

Organize and present evidence clearly

After working with assessors, agreeing to the assessment framework, and preparing materials to support the assessment, it’s time to share those materials with the assessment team.  Some people take an adversarial approach and hand the team a large pile of documents and say “it’s all there – find it”; others respond on a request by request basis and prolong the effort until the team leaves (with an incomplete assessment).  If you follow the recommended approach described in this series, the work is already done – present it to the team in advance and let them ask clarifying questions.

A preferred format is a wiki (electronic) or set of binders (physical) that the team can review independently.  The organization is as follows:

  • Executive Summary / Management Overview
  • Definition / Outline of framework
  • Tabs for each section of framework that include:
    • Summary
      • Point of contact
      • Summary of relevant information with exhibits cited
    • Exhibits / evidence of anything included in summary
  • Appendices (as necessary)
  • Complete list of exhibits

Communication is key

Successful communication to all stakeholders all the time – not just during an assessment – is critical to maintaining an effective information security posture.  Information security is everyone’s responsibility but everyone has other responsibilities too!  By assigning a dedicated project manager the organization will maintain visibility and focus on the trajectory of improved information security posture.

The result

Good preparation, organization, and communication will yield positive results.

I recently read the final version of the information security assessment report described in this series.  The Executive Summary included the following description by the security firm that completed the assessment:

“The assessment team reviewed each workstream summary to understand and verify the specific improvements that were completed.  The team then reviewed all of the exhibits that were provided for each improvement and assessed each one against the items laid out in the spreadsheet matrix.  The assessment team sought to understand whether the improvements had addressed prior assessment concerns, had been successfully completed, and were properly documented.  When the team had questions or concerns about the exhibit of a workstream item, the team posed these questions to… the client IT Security Project Manager (PM) overseeing this effort.  The PM provided the assessment team additional exhibits or verbally defined the status.  The team captured these comments and updated them in the findings for this report.  The client also made their staff available for interviews as necessary; the assessment team found that many of the items could be verified without the need for interviews.”

The assessment firm further “…recommends continuing the practice of having a dedicated Information Security Project Manager in place to assist the CISO in executing security projects.”  This further validates the best practices revealed in this series:

  • Understand the driving force behind the assessment
  • Appoint a project manager and select a firm that will provide action-oriented feedback and guidance
  • Agree upon the assessment framework
  • Focus on preparation versus defense
  • Organize and present evidence clearly
  • Communication is key

Now it’s a matter of using these best practices to make your next information security assessment a successful one.

Chris Olson
