General Data Collectio

Objective: To obtain information related to information security, including technical, organizational and compliance information, through interviews, documentation and other general methods.

Following on the earlier section, special attention should be paid to achieving this objective, since this is one of the key phases in IS2ME (considering that the collected information will be the source for the analysis and action plan).

During this phase there will be substantial interaction between the organization and the data collection team. Members of the team will visit the company premises. The face to face meeting with the company contact will facilitate the data collection for both sides. Therefore, an appropriate work space should be provided, as well as availability of the company representative.

Previous to the work team visit, a questionnaire is sent for the company representative to fill in and return. The questionnaire includes technical and organizational questions regarding the scope of the work. This way the data collection team can focus its efforts during their visit, maximizing results and minimizing the length of this phase.

The baseline information to obtain in this phase includes:

  • Technical Aspects
    • Network and services architecture and topology.
    • Public and internal services. Access medium (Internet, VPNs, etc.)
    • Existing security devices and functional description (firewalls, IDSs, IPSs, Centralized/Distributed antivirus systems, proxies, etc.)
    • Interconnection points to other networks, description of existing DMZs, security levels.
    • Identified points of failure, devices, servers, etc. High availability mechanisms, emergency procedures, etc.
    • Network addressing plans (public and private) and related procedures (address allocation, requesting, etc.)
    • Network- and services-related documentation and procedures.
    • Network management methods. Description and related procedures.
  • Organizational and Compliance aspects.
    • Definition of the organization, areas or departments included affected (functions, responsibilities, etc.).
    • Organizational structure of the organization within the scope of the work. Links with other areas, departments or organizations. Existing roles, flows, managers, etc.
    • List and description of policies, procedures, guidelines or regulations in the company (ISO9001, security policies, communication policies, resources policies, etc.)
    • List and description of other existing security policies or documents.
    • List and description of current compliance regarding information technologies.