262 Managing Network Vulnerability Assessment
Internet sources and provide them in a user-friendly interface. Logs of these
tests are included on the CD in the Additional DataIB Data directory. The
test resulted in no significant information being made available to the testers.
The firewall and other external devices did not yield their identities without
direct probing, and that probing was detected by the PIX firewalls. The results
of this test did not yield any findings for this report.
Administrative Controls Summary
The administrative controls testing involved several components. Your Company examined the policies and procedures provided to us by CLIENT as one component. Physical and operational controls were tested as a second component, and interviews with system and network administrators were conducted as the final step in these tests.
Interviews Summary
Interviews with various IT employees revealed three common themes:
1. A desire to do good work
2. A belief that the word “no” was not in the vocabulary of IT when it came
to the business users
3. A belief that developers were evil and that business users were almost as
bad
The people within the IT group at CLIENT are good people who wish to succeed; they are, however, tired of operating in a reactive mode and wish to move to a proactive one. Their primary concerns and complaints have made it into this document as parts of findings, but all of them also expressed pleasure in their work and want to see their environment be successful.
Appendix C-3: Figures and Diagrams
This appendix contains the drawings, figures, and diagrams referenced in the report or included for explanatory value. A network diagram is also included as a reference for the location and scope of the tests performed by PA.
Information Security Concept Flow
Exhibit C-3.1 describes how information security concepts flow into and relate
to each other. Of particular concern to this document are the relationships to
vulnerabilities. The goal of this report is to make the owners of assets aware
of the vulnerabilities that lead to risks to the assets that the owners are
responsible for and value.