Windows security assessment Step 4

Keep security-related problems to a minimum in your Windows shop by setting security assessment expectations

Keep people in the know -- literally. Say, "OK, here we go…" and include dates, timeframes, systems being tested and even any signatures or behaviors that your scanners and other tools may present or leave behind. Undoubtedly you'll miss someone that should've been notified about what you're doing (or have already done). I can't tell you how often I hear, "Oh yeah! We should've warned so-and-so about what we're doing." Notify your ISPs, CoLo/hosting providers or whoever you think needs to know. Ask the project sponsor who needs to know. She may very well think of someone who's not on your radar screen.

Keep people posted. It's not difficult to send out status email from time to time. Tell them things like, "We had a successful first round of testing on the servers," and "Reminder: Tonight we're testing the domain controller, IIS and SQL servers." Err on the side of too much communication. No one ever got in trouble for that.

Setting your Windows security assessment expectations

 Home: Introduction
 Step 1: Determine the business goals
 Step 2: Get input and information from others
 Step 3: Let everyone know that problems will likely occur
 Step 4: Let your testing be known and keep people in the loop
 Step 5: Report what happened

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments involving compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He also created the Security On Wheels series of audiobooks. Kevin can be reached at [email protected]

Read more on IT risk management