Network Security Evaluation Using the NSA IEM

Some actions are necessary precursors to the actual evaluation. To conduct the evaluation effectively, you must first obtain a subset of information about the customer and its network so that you can determine that an evaluation is really desired. This chapter focuses on those activities that occur prior to the start of the evaluation. It discusses how and why the evaluation may be requested, the process of validating the evaluation request, and the formal evaluation agreement. These are all actions that occur primarily before the IEM pre-evaluation phase. These are also business process areas that NSA does not cover in the IEM.
The evaluation request plays a critical role in understanding the scope of the evaluation effort. It provides an opportunity to understand the requesting organization's market position, industry, and internal desires. This process also provides an opportunity to educate the customer on the difference among assessments, evaluations, and penetration testing.
Evaluations are requested for many different purposes. They are related to the organization's needs, the industry in which it works, and its internal policies, procedures, and goals. Some of the primary reasons are related to legal and regulatory compliance requirements, response to suspicious activities, third-party reviews, and the knowledge that it is the right thing to do for the organization. For the evaluation to be effective, we do need to understand the answers to these questions so that we can effectively implement the evaluation process.