• Ideal operating state (to-be): The assessment questionnaire determines the as-is state. This is the basis for the assessment, the to-be comparison; include traceability to business drivers.
• Gap analysis report: Aligns with the questionnaire and provides value-added insight regarding the as-is state.
• Remediation plan: Transition plan between as-is and to-be. Provides options as well as recommendations.
• Proposal: The assessment found X as-is, the to-be goal is Y, and the remediation plan is Z; the proposal is a formal document of cost and schedule to perform gap closure activity.
8.11.1.2 Deliverable Format and Content
Consider that the goal of the assessment is to identify the current state of affairs and compare it to some desired end, the compliance requirement. Compliance requirements may find form in legislation (e.g., HIPAA or Sarbanes-Oxley); these are very broad and at times very vague, and defining the exact goal is a matter of interpretation. Compliance requirements may also be a standard (e.g., ISO 27002 or NIST). For defense organizations, DoD instructions or directives plus other sources define compliance requirements. There are many sources for compliance requirements, and their applicability is entirely situational.
The discovery process determines the current state of policy, standards, procedure, and practice. The discovery questionnaire reflects the compliance requirements and aligns with the organization type (e.g., commercial versus government) and the organization-specific requirements. The vulnerability assessment will be a subset of the topics in the discovery questionnaire. The specifics of the vulnerability analysis are a result of customer requirements and their current situation. At the least, the results of the discovery questionnaire provide insight into existing IT and IA infrastructure on which to perform a technical scan. Additional deliverable templates are necessary for gap analysis, remediation plan, and proposal for gap closure.
8.11.2 Patch Management
Operating system vendors and application vendors constantly release patches as awareness of new vulnerabilities arises. The organization cannot simply install patches as they arrive because many patches affect key aspects of the operating system (OS) and may render currently running applications unus-