Security Assessment Document P2 - Pdf 86

Department of Interior, major broadband Internet service providers (ISPs), banking institutions, power companies, higher educational institutes, medical organizations, and even small, family-run businesses. From experience we have found that although security as a whole is improving, knowledge growth is still needed in the public sector as well as the private sector.
When we originally departed from doing strictly federal government work, we thought that it would be easier to sell this service in the commercial world. We were wrong. It is just as difficult to convince a higher educational institute that they have critical information that must be protected from exposure as it was to convince federal agencies that they were not protecting everything as well as they thought. Both sides, public and private, rarely know how or what they need to address. So, the first step is the education of both what an INFOSEC assessment is and how this methodology applies to the customer’s field.
What This Book Is About
What is an INFOSEC assessment? It is a baseline measurement of the controls implemented to protect information that is transmitted, processed, or stored by a specific system. Simplified, this is a measurement of the security posture of a system or organization. This approach has been endorsed by the Critical Infrastructure Assurance Office (CIAO) for compliance with PDD-63 (www.fas.org/irp/offdocs/pdd/index.html) agency/department vulnerability analysis (www.ciao.gov).
Under President George W. Bush, the functions of the CIAO have been integrated into the Department of Homeland Security (DHS) under the Information Analysis and Infrastructure Protection (IAIP) Directorate, by order of the National Security Presidential Directive One (NSPD-1). More information on the current functions of the IAIP can be found at www.dhs.gov/dhspublic/theme_home6.jsp.
INFOSEC posture is the way INFOSEC is implemented. An INFOSEC assessment is not any of the following:

Inspection: You are invited by the organization.

Chapter 6 you will understand how to implement this phase. We provide a template for the assessment plan, the key work product that is accomplished in the pre-assessment phase.
In Chapters 7 through 9, we address the on-site activities. Beyond the kickoff meeting are normal activities that need to be explained. Some of these include the interview process; at the end of Chapter 7 we provide sample interview questions that we use in our process. Through Chapters 8 and 9, we address the identification of findings. Findings are not always bad, as you will see, but it is crucial that your customer know what you find. It is key that there are no surprises for your customer during this process. The customer should be aware of all findings that you identify, and we show you how to address the significant findings during the out-briefing. To assist you in developing your own style of out-briefing, we provide a template that you can tailor to fit your situation and style.
www.syngress.com
286_NSA_IAM_Intro.qxd 12/16/03 2:49 PM Page xxxi
Once you finish the on-site phase with your customer, it is time to go home and put the final report together. This is the post-assessment phase, just as important as the two previous phases. In this phase, you develop the final report, coordinate delivery of the report, and do the internal housekeeping activities to close out the assessment. In Chapter 10 we address the report activities; in Chapter 11 we cover the closeout activities.
Throughout this book you will see special elements we’ve added to assist you in understanding the subject material. These special elements include text sidebars of value-added information that complements or expands on the topic under discussion. These sidebars are brief but contain valuable information to clarify everything from “Understanding Why” or “From the Trenches” to “Terminology Alert,” even including checklists that can assist you in developing your own business processes.

This book is aimed at several kinds of people: practitioners, customers, managers, and salespeople. All of them are important to the process, depending on which side of the fence you are on.
Practitioners
There are two kinds of practitioner: those who have attended the IAM class and those who have not. We want this book to be useful to both. The goal is to provide a standardized approach that all can use to help their customers.
For the practitioner, this book helps provide the nuts and bolts to improve the processes that you already have in place. If you are new to doing assessments, this is good reading for you. You will learn what to expect, and that will make you a better team member.
Customers
There are three types of customer: those responsible for contracting the work, those responsible for assisting with the work, and those responsible for implementation of the results. If you are on the contracting side, it is imperative that you understand what is to be accomplished during an IAM assessment. You don’t want to pay too much, and at the same time you don’t want to undercut the time and resources needed to provide a valuable product for your organization. This book will help you identify what you should be paying for and what work products should be delivered.
For customers who are going to assist as team members, you need to know what to expect. What should be your role, and how much involvement should you have? This information will help you be a better team member and help your organization achieve a valuable product. Lastly, there is the individual who ends up with the report and is responsible for the implementations to improve the security posture. This book will help that customer understand how and why the assessment was done, which will enable them to see the value of what they get.

Chapter 1
Laying the Foundation for Your Assessment
Solutions in this Chapter:
Determining Contract Requirements
Understanding Contract Pitfalls
Staffing Your Project
Adequately Understanding Customer Expectations
Understanding What You Should Expect
Case Study: Scoping Effort for Organization for Optimal Power Supply (OOPS)
Summary
Solutions Fast Track
Frequently Asked Questions
Introduction
The National Security Agency (NSA) Information Security (INFOSEC) Assessment Methodology (IAM) is a detailed and systematic method for examining security vulnerabilities from an organizational perspective as opposed to only a technical perspective. Often overlooked are the processes, procedures, documentation, and informal activities that directly impact an organization’s overall security posture but that might not necessarily be technical in nature. The IAM
vince the customer of the type of assessment they need. Somewhere during this process, either a basic set of requirements is set or a request for proposal (RFP) is written.
At this point, it can officially be said that the need for an assessment has been identified. The time has come to develop the scope and contract for the assessment. Every IAM-related assessment starts with documentation that describes the requirements and expectations between those that are conducting the assessment and those that are receiving the assessment. In the commercial environment, the contracting process lays the foundation for the effort. In the government environment, it can be a contract or a memorandum of agreement (MOA) or memorandum of understanding (MOU) between two organizations that can drive the assessment effort. Ultimately, the majority of information is the same in either
Understanding Why…
Contracting and the NSA IAM
NSA intentionally does not specifically address business processes in the IAM methodology. The IAM was originally designed as a government methodology (NSA providing services to other government agencies) and therefore had no need for contract considerations. Once it was discovered that the methodology had applicability in the commercial world, NSA decided to stay out of the contracting side and let each entity handle contracting-related obligations. NSA is not generally involved with developing contract requirements, formats, or contents. The information contained in this chapter comes primarily from the authors’ experience in preparing contracts and scoping the efforts for IAM assessments. Each individual IAM provider must address contracting requirements without NSA assistance.