Translate reports into action

By John Moore  |  Posted 2007-03-09

An outside consultant can bring fresh insights on a company's security practices. Make sure you establish ground rules first.


Translate reports into action items

The external security assessment culminates with the consultant's report, which, in some cases, takes the form of two reports.

A preliminary report, ideally, lists the networks and systems examined, the techniques used in testing, the vulnerabilities encountered and suggestions for remediation. This report becomes the basis for setting remediation priorities. Anywhere from a handful to dozens of vulnerabilities may be uncovered. Consultant and customer work together to determine the order in which lapses will be addressed. "Prioritization is where the real work happens," Ullrich says.

Indeed, the parties may need to reconcile their interpretations of the findings. What a consultant deems a security issue may be a risk the customer is willing to take.

EDS' Morrow says a company may have a solid business reason for not complying with a certain security standard. In the outsourcing business, for instance, a customer may require a vendor to host an application on an older operating system that does not meet the latest security benchmark.

Morrow suggests that close communication between consultant and customer can identify such issues so the auditor doesn't spend time pursuing a dead end. He says auditors should "keep in constant contact" with customers and, if a reason exists for a particular case of noncompliance, "note it and move on."

Once priorities are hammered out, Cybertrust's Mack recommends that customers develop a "mini project plan" to address each vulnerability. In a Payment Card Industry audit, this approach lets customers demonstrate to credit card companies which compliance problems are being addressed and within what time frames. "This gives them a leg to stand on … to show they are actively pursuing compliance," Mack says.

After the customer completes the remediation phase, the consultant may be brought back in for a final assessment. This audit verifies that changes have been made and leads to a second report, the final version, which documents the testing of remediated systems.

John writes the Contract Watch column and his own column for the Channel Insider.

John has covered the information-technology industry for 15 years, focusing on government issues, systems integrators, resellers and channel activities. Prior to working with Channel Insider, he was an editor at Smart Partner, and a department editor at Federal Computer Week, a newspaper covering federal information technology. At Federal Computer Week, John covered federal contractors and compiled the publication's annual ranking of the market's top 25 integrators. John also was a senior editor in the Washington, D.C., bureau of Computer Systems News.

