Security Assessment: Case Studies for Implementing NSA IAM

You ve delivered the final report and you think you re done? Think again. Many other activities and concerns will continue to occupy the time of all team members for the next couple of weeks. This chapter covers some of the primary issues we commonly see after a final report has been delivered. These topics include:
Document retention Considering any document retention needs the customer may have related to the assessment process and whether any contract requirements are in place to govern the retention of sensitive customer documentation.
Followup Performing quality followup with the customer to ensure that their questions are answered and any remaining needs are met before we mark the assessment completed.
Lessons learned Evaluating any lessons the assessment team learned during this assessment process, and integrating those lessons into your business process for conducting future IAM assessments.
This is not an exhaustive list of activities you may find yourself dealing with once the final report is completed, but they are the most prevalent concerns we typically see. The processes you deal with after the final report has been delivered are just as important as the assessment process itself.
Document retention is subject of tremendous debate in the security world. Should sensitive customer information be held by the assessing agency, even if the customer requests these services? Information from IAM assessments should be considered proprietary due to the sensitive nature of the information. The NSA IAM course does not go...