Pre-project activities include several steps that help the assessment providers establish a basic understanding of the customer's security needs. Several primary actions in the pre-project area are important for preparing the assessors to conduct the assessment process. These include:
▪ Vetting the assessment request
▪ Gaining management and technical buy-in for the assessment
▪ Researching the organization
▪ Researching the current regulatory and policy requirements
▪ Determining whether the action is a baseline activity or a repeated assessment
▪ Making a go/no-go decision
Vetting, in this case, simply means ensuring that the customer gets both what they expect and what they need from the assessment process. Organizations often latch onto a buzzword like “penetration testing,” “assessment,” or “evaluation” without understanding what the terms mean. A good approach to vetting is to spend quality time with the customer discussing the positive and negative aspects of each of the processes and explaining what the customer can expect at the end of the process, including deliverables.