When assessing the security of any environment, the first few hours are the most important. Depending on the organization and its level of security awareness, these early stages of the assessment will surface many of the vulnerabilities or security issues that will dominate and direct the next few days. The client's technical authority (or project sponsor) must be readily available to discuss any preliminary findings. With ready access to the client's technical authority, the consultants can discuss the findings and learn how the organization manages risk. For example, the discovery of vulnerabilities that reveal missed patches on Oracle database servers may be explained by the fact that different departments are responsible for the security of these hosts: unlike the Solaris Services team, the Database Services team may have a two-week turnaround for the application of "critical" patches instead of the organization's standard four days.