I've made the mistakes myself and I see it happening over and over again whereby a network administrator, internal security team or a third-party consultant performs security assessments without setting the expectations of everyone involved. Everything from which systems to test, when to perform the testing, which tools to use and what deliverables to expect are often not properly communicated. This ends up causing major headaches, political problems and the creation of unnecessary business risks.
These issues are the same whether you're testing your own internal Windows-based systems or testing those of a client. Here are some key areas you can focus on to ensure everyone's expectations are properly set and security assessment-related problems are kept to a minimum.
Setting your Windows security assessment expectations
Step 1: Determine the business goals
Step 2: Get input and information from others
Step 3: Let everyone know that problems will likely occur
Step 4: Let your testing be known and keep people in the loop
Step 5: Report what happened
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments involving compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He also created the Security On Wheels series of audiobooks. Kevin can be reached at firstname.lastname@example.org.
This was first published in March 2007