Network Security Evaluation Using the NSA IEM

By Russ Rogers
Welcome to the National Security Agency's INFOSEC Evaluation Methodology, also lovingly known as the IEM. In April 2000, I was working as a contractor for the Defense Information Systems Agency (DISA) when the client asked me to sit in on a National Security Agency (NSA) developed course called the INFOSEC Assessment Methodology (IAM). At the time, my background was primarily in the technical areas surrounding information security. My job entailed technical research and development, along with a smattering of penetration testing. Although I wasn't aware of it at the time, that two-day course was going to change the way I thought about information security for the rest of my career.
Individuals who work the technical side of information security aren't normally tuned in to the other areas that are considered more mundane. During penetration testing I never really cared what a company's mission was or what information was critical to that mission. I wasn't sitting back in my computer chair staring blankly at the screen wondering what the actual impact would have been to your organization if my network intrusions had been real. The IAM was created to address that part of the equation.
The idea of involving the customer in the security process at such an intimate level was new to me. But as I began using the methodology in real-life situations, I began to see its true value. My experience is as a security professional; the customer could be an expert at researching,...