First, you've got to listen to your project sponsor. This could be an IT director, the CTO, or a VP of internal audit. What is it that he or she wants out of the security assessment? Is it to show regulatory compliance, general business due diligence, or to meet business partner demands? Does this person want to see if and how someone can break into the network? Or maybe the sponsor wants to uncover operational security issues to help justify budget, head count, or even a company-wide OS upgrade to Vista or an Active Directory deployment.
You, your sponsor and the other key players have to agree on what the security assessment needs to accomplish. This puts everyone on the same page and keeps everything logical and factual, preventing emotions and politics from getting involved. If you can, get it in writing. Depending on who you're doing your testing for, that could be something as basic as an internal email or something as in-depth as a signed statement of work from your client.
Setting your Windows security assessment expectations
Step 1: Determine the business goals
Step 2: Get input and information from others
Step 3: Let everyone know that problems will likely occur
Step 4: Let your testing be known and keep people in the loop
Step 5: Report what happened
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments involving compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He also created the Security On Wheels series of audiobooks. Kevin can be reached at firstname.lastname@example.org.