One of the main tenets of the IAM is that it is an assessment, not an audit or an inspection. These terms usually carry a bad connotation of distrust, whether on the side of the auditors or the audited, and generally both. There are key differences between the two concepts, and it often helps to ensure that everyone understands those differences. Something like this may seem rather tedious to present, especially after doing so several times with everyone involved on every assessment. Just remember—you may understand this difference, but chances are that many of your customers will not. The better the customer understands that this process is one of nonattribution, the more detailed and useful data you will be able to elicit from them, and that will ultimately result in a better overall deliverable for the client. Thus a willing and eager participant is always preferred, rather than a closed or guarded individual.

Nonattribution is the act of not establishing a specific individual as responsible for something. This is the specific term NSA uses to describe the process of reporting findings without laying “blame” on any individuals.

The major difference between an assessment and an audit or inspection is the overall goal of the process. The audit or inspection is normally understood to be a check for compliance, often bringing with it consequences for failure. This process tends to create a very unfriendly environment in which the people you need to work with are wary and cautious in their dealings with you due to their fear of being held directly responsible for the findings—which will happen, because nonattribution is not an aspect of your typical audit. In opposition to this concept, we have the goal of an assessment process, which is to help or assist the customer organization in improving its INFOSEC posture, not to pass judgment. In fact, we have often witnessed an organization request an assessment as a means of preparing for an audit.
The concept of providing assistance cannot be overstated; many individuals who have been involved with assurance checks in the past likely felt as though they were inspected in a rather judgmental light. An assessment based on the IAM process can be an excellent tool for preparing for any upcoming audits. It allows the organization to work on meeting goals or compliance requirements in a friendly and cooperative environment. Audits also carry a declaration of fault in regard to inefficiencies; the IAM, on the other hand, is what some people like to call a no-fault or nonattribution process. The objective is to assist in improving security rather than assign blame to anyone who may have forgotten to implement a patch or verify a backup tape. When something like that does occur, it is more likely due to a process and procedure failure, not someone trying to circumvent the system.

People are more likely to be honest and forthcoming when they understand that their actions and answers will not be attributed directly to them but merely addressed as a finding in the final report. However, if in an interview one person discusses something that he or she has been arguing about with others for months, it will likely be apparent who made that statement. Furthermore, if only one person operates a system, any findings will be attributable to that operator. Other such scenarios may arise based on the simple process of elimination. However, the IAM will not put a name next to any pieces of information gathered. The assessment team itself draws no conclusions about attribution.

There may come a time when malicious or illegal activities are discovered during any security assessment—for example, the discovery of child pornography, pirated software, copyrighted multimedia files, and so forth. The IAM does not have a dedicated policy in regard to these issues beyond the common understanding that you will follow all applicable laws, both local and federal.
How you plan to handle these situations is something you should consider documenting as an internal company policy and sharing with your customers. It might be wise to have an attorney specialized in the computer industry field review your policy for you as well.

A good understanding of the assessment process is also a fundamental factor in the overall success of your engagement. It is very important to ensure that the customer organization is comfortable with the what, how, when, why, and who components of what the assessment team is doing. Management buy-in and a sense of ownership in the final product rest on the customer organization’s continued involvement and understanding as the engagement progresses, grows, and changes. The assessment is the client’s product, not yours, so ensure that it is treated as such. Along those lines, the assessment team needs to realize that its largest role is that of facilitator. During the pre-assessment site visit, you will be helping the customer come to a deeper understanding of their information’s importance. You will be assisting them in determining their security priorities. You will be assisting them in defining goals and objectives. To reiterate, you are there to facilitate!