I’ve learnt the hard way that however much time gets assigned to a business unit security review, you invariably step off the plane on arriving home and suddenly think of three more questions that you could or should have asked, or, on getting back to the office, the first question the boss asks just happens to be the one that you didn’t get an answer to.
For most reviews I follow a fairly mature checklist-based process. It’s been reliable up until now. However, the environment is changing rapidly while the checklist has stayed the same. It now needs to be modified so that, in many of the instances I deal with, proper account is taken of challenges around things such as joint ventures and externally hosted services. Keep in mind that you might not always be able to get access to the systems that come into scope for review, or to talk to the right people to get the information that you need.
My approach is to document what I do know and state what I don’t. The issue, as I’ve discovered lately, is that we frequently don’t know what we don’t know. And as they say, what you don’t know is often far more relevant than what you do know!