Security Assessment: Case Studies for Implementing NSA IAM

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the Ask the Author form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Can I add or take away from NSA s 18 Baseline INFOSEC Classes and Categories and still be compliant with the IAM methodology?
A: The IAM is intended to be a flexible methodology that you can either adopt in full or integrate into your own assessment process. You can add to the 18 baseline categories without an issue. If you take away from the required set, just document the fact and you will still be in compliance with the IAM.
Q: What are the most common classes and categories beyond the basic 18 defined by the NSA IAM?
A: Additions to the baseline categories vary greatly by customer. Many customers have asked us to specifically address certain topics, even though they are embedded in the primary 18 baseline categories. We have seen specific topics of:
Encryption
Wireless networking
Intrusion detection systems
Q: What are the greatest obstacles to a good interview?
A: The greatest obstacle is to get the interviewee to relax enough to speak openly about the security practices of the organization. When the interviewer is...