Over the last 20 years of doing IPPAs, a common process and practice has emerged. This produces relatively repeatable results, subject to minor variations in opinions, given that those performing the process are suitably knowledgeable and put forth the time and effort to do the job properly. The basis of the certification program is providing a way to verify that those performing IPPAs are properly qualified and use the process effectively to generate these sorts of consistent results.
One of the reasons IPPAs are so highly confidential is that they are internal assessments that are very specific to internal issues, threats, vulnerabilities, consequences, and time frames, with sequencing for spending money on mitigation, avoidance, transfer, or acceptance. The revelation of such information can be potentially devastating to an organization; if it can be revealed, insiders will be highly hesitant to tell it like it is; and the fact that such a document exists subjects it to subpoena and other similar actions that could be dangerous to the enterprise. Unlike an audit, which is designed for external consumption, an IPPA presents a wide array of facts and opinions associated with individuals and adds expert opinion and interpretation. IPPAs are not done against a standard, but identify likely outcomes if standards-based audits were undertaken. Companies that do IPPAs may not reveal the customers of these IPPAs to others under any circumstance.
People who ask for assistance in doing IPPAs often want to do the same job with lower-cost people. They ask for checklists, special tools, and all sorts of other shortcuts, but in the end, this is just not how you do a really good protection posture assessment. That is not to say that you cannot do a lower-quality assessment with things like checklists and, in fact, many companies offer such a service. But this is not how you do an IPPA properly. The proper approach is described here.
An IPPA is a complex process involving a group of intelligent and experienced people who get at the issues and explain them clearly. While there are some stylistic components, at the heart of the matter is a set of people who know what they are doing in their fields and are not afraid to say what they think.
An IPPA is typically a 30-day process involving a collection of 3-7 individuals with proper mixes of backgrounds and involving from 15 to 30 individuals from the client company. Team leads tend to be very experienced senior people while other team members may have less general experience but specialized backgrounds in areas closely aligned to the efforts undertaken. The total amount of person days in a typical IPPA runs from 40 to 150 depending on the depth and breadth of the overall project.
Resulting report lengths typically run on the order of 40 to 150 pages, corresponding roughly to one page per person day. Reports contain limited amounts of listings and similar technical detail, those being used only to demonstrate specific issues with greater clarity than would be attainable otherwise. Where possible such listings are limited to example cases and explained in detail.
Reports generally consist of (1) an executive summary of 1 page in length - in rare cases it may be 2 pages, (2) a table of contents, (3) an overview of the report and its findings, (4) a details section containing descriptions of what was done and observed where and when and a description of all interviews and what was indicated in them, (5) comparison to standards including the IPPA assessment standard, ISO17799, GAISP, CMM-SEC and other standards as may apply, (6) findings including urgent, tactical, and strategic time frames, what should be done in those time frames, and expected costs and complexities, and (7) summary and conclusions.
All reports are custom written, with only the overall format and the tables for the standards-based assessments pre-defined. Relatively standard language is used for certain sections, like the introduction to each standard, which includes a one-sentence description of the standard and a one-sentence description of how it is used in the IPPA; other than these few sentences, the whole report is written from scratch every time and no standard descriptions may be used. This implies that skilled authorship must be involved and that copy editing and review are necessary. Any attempt to pull results out of previous reports should be shunned; it is almost certain to result in bad advice and poor clarity, and to take longer than doing the job right in the first place.
Areas covered in an IPPA include, but are not limited to: protection management, protection policy, standards, procedures, documentation, protection audit, technical safeguards, incident response, testing, physical protection, personnel issues, legal considerations, protection knowledge levels, protection awareness, and organizational suitability. These are described in more detail in the material on all.net, including but not limited to the New Security Database, the Feature Articles area, and the "Protection and Security on the Information Superhighway" book.
The information protection posture assessment requires a team of expert personnel with general knowledge and experience in a wide variety of areas, and special expertise in all of the aspects of information protection. Specifically:
The areas covered include the organizational perspectives identified above. However, coverage also extends to (1) business, system, people, and data lifecycles, (2) objectives including integrity, availability, confidentiality, use control, and accountability, (3) defense processes including deterrence, prevention, detection, reaction, and adaptation, (4) business functions including but not limited to people, sales and marketing, public image and brand, processes and workflows, the transformation of resources into value, and financial systems and mechanisms, (5) technologies in use, and, most importantly, (6) risk management processes and practices. Coverage also takes a run at high-value vertical application environments from the physical components through the users, looks at interdependencies associated with everything from people to continuity of government, addresses business continuity and disaster recovery issues, and looks at risk aggregation issues. In other words, it is a full-spectrum examination at a level of granularity defined by the context of the effort.
Another important issue to be understood is the extent to which depth is pursued in the different protection arenas. To what depth, and against how many locations, are dumpster diving, operations security review, perception management, external intelligence, and vulnerability testing going to be done? Typically, IPPAs involve some of each, with the objective of demonstrating weaknesses where they exist, and with deeper inspection only when weaknesses are not immediately apparent.
In order to communicate effectively and be viewed as a professional, you must be able to switch languages while speaking to different people and understand the nuances of these different languages. For example, the term wire room means something very different to a facilities manager than to someone in charge of electronic funds transfers. Similarly, the abbreviations used are very different for different people with different backgrounds, so it is vital to have enough knowledge of these areas to be understood and understand properly.
The assessment process consists of the following steps:
The members of the assessment team should be well prepared to ask any question related to their areas and a very thorough record of what was said by whom should be kept. The goal of this effort is to reconnoiter the client operation. That means that, like a grand jury, it is appropriate to go anywhere and ask anything.
For lack of a better analogy, this is very much like a tiger team, where you get the best experts to tell you how they could attack. The difference is that you don't touch anything; you just ask questions and make observations that allow you to assess the current situation. If the client doesn't know the answers to the questions, this is an area they should do more work on. If they do know the answers, those answers will reveal the weaknesses and strengths.
Another critical factor in the success of the findings is that they relate the results to comparable organizations, so that the client gets a feel for what is normal and prudent, what is critical, and so on. In the findings, it is the responsibility of the assessment team to make value judgments about the relative importance of different issues. For example, in a glass factory, if a particular router connects the Internet to a file server used for advertising, it is vital to understand that, regardless of the potential for abuse, this component is inherently less critical to this particular company than the temperature control in the ovens. This combination of technical and business understanding is what makes the findings valuable to the organization being assessed.
In order to meet the typical 30-day time frame, the analysis and findings must be completed in draft form by the end of the second week of the study. Thus, the team members get only one week to generate, write up, and initially integrate their findings.