ABSTRACT

Before the security risk assessment team arrives on-site at the customer location, a number of activities must be performed to ensure an efficient project. These activities include introducing the assessment team to the organization, obtaining permission for testing and data gathering, and reviewing available information. Before gathering data, the security risk assessment team must obtain the proper authorization for certain data gathering activities, including monitoring of user communications and access to information systems. The security risk assessment team must specify to the sponsor the number and types of accounts that will be required. The accounts required for any particular security risk assessment depend on the processes the team will use and the permissions the customer will grant. To the extent possible, the security risk assessment team should attempt to obtain the business mission prior to visiting the organization.