Before I can begin to effectively analyze systems for an organization, I read the security policy and standards. This gives me a reasonable feel for how the organization approaches security. Then, I speak with leaders about the risks they are willing to take, and those that they cannot—business risks that seem to have nothing to do with computers may still be quite enlightening. I further query technical leaders about the security that they think systems have and that systems require.
I then spend time learning the infrastructure—how it’s implemented, who administers it, the processes in place to grant access, the organization’s approach to security layers, monitoring, and event analysis. Who performs these tasks, with what technology help, and under what response timing (“SLA”)? In other words, what security is already in place, and how does a system inherit that security?
My investigations help me understand the difference between past organization expectations and current ones. These help me to separate my sense of appropriate security from that of the organization. Although I may be paid to be an expert, I’m also paid to execute the organization’s mission, not my own. As we shall see, a big part of risk is separating my risk tolerance from the desired risk tolerance.
Once I have a feel for the background knowledge sets listed in this introduction, then I’m ready to start looking at systems. I try to remember that I’ll learn more as I analyze. Many assessments are like peeling an onion: I test my understandings with the stakeholders. If I’m off base or I’ve missed something substantive, the stakeholders will correct me. I may check each “fact” as I believe that I’ve come to understand something about the system. There are a lot of questions. I need to be absolutely certain of every relevant thing that can be known at the time of the assessment. I reach for absolute technical certainty. Through the process, my understanding will mature about each system under consideration and about the surrounding and supporting environment. As always, I will make mistakes; for these, I prepare myself and I prepare the organization.