Security Assessment: Case Studies for Implementing NSA IAM

Now that we have defined the critical information and where that information is, we can move to the next step: gaining an understanding of the environment in which the assessment will take place. Using this understanding of the information criticality, the assessment team can start to formulate the customer s set of high-level security goals for the organization s systems and networks. System security objectives are dependent on system use, network architecture, laws, regulations, and operating environment. You need to understand that security laws and regulations driving the objectives may differ from customer to customer. In this chapter, we explore and explain the system security environment and how to identify it.
Understanding the customer environment is essential to providing the customer usable recommendations. Unlike some approaches for doing assessments, we take the view that you should provide options to the customer and give them a road map to a better security posture. Here we show you how to identify the cultural environment and the security environment. The cultural environment includes how employees accept situations and change and employees backgrounds. One example of this is higher education. If you have an organization that is focused on open communications, such as a higher education institution, the people who work in your organization might not be willing to implement information segmentation or heavy access controls. The usual philosophy in this kind of organization is that it should be an open environment to promote communication and education. Firewalls and access control lists are seen as...