Letter to the client
July 7, 2010
Dear Client,
I know you have reservations about going through an assessment so I propose a mutual commitment of things we can both do to make this process as painless as possible:
You agree to do the following:
- Gather as many of the policies, procedures, and supporting documentation available before I arrive. In other words, if you say you do something, be able to provide some sort of evidence that it is being done.
- Schedule interviews with the people who “do” the actual work, not the managers who think they know what’s happening down in the trenches. I’m sure you think you know what is supposed to occur, but in the interest of not wasting our time, I’d prefer to speak with those who actually do the work.
- Identify your environment. Make sure there is an updated network diagram and a matrix detailing all of the systems that handle sensitive information. For example, the assessment is not the time to discover the backup of the production database under the receptionist’s desk, which was replicated “just in case.”
I agree to do the following:
- I will not be your enemy. My goal is not to publicly humiliate you or your staff. The goal is to work together to identify any gaps in your infosec program in order to make it better.
- I will not know everything there is to know. I encourage you to “push back” if you do not agree with anything I say or find. I welcome conversation as it better helps me understand your environment.
- I will not ask “trick questions.” If you want to mislead me, then that is on you. I am going to ask you what I need and want to know.
An assessment can be a learning experience, and by agreeing to the terms listed above you can expect the same courtesy in return. This can help ease the pain that is… a security assessment.
Disclaimer: I do not speak for all infosec assessors, good or bad. These are my own thoughts based on my own experiences.
Very nice start! Congratulations! And you sound so much more reasonable than I do …
Great start! It’s straightforward, cuts out all of the in-between and gets right to what is needed. I definitely agree with each of the points you noted and though there is always room for “more” I think you listed the most important things that should be listed and should keep it “as is” – and should be a default letter that goes out to all clients.
~newfurniturey
As I’ve tweeted and blogged, nice job! I look forward to what you bring us in the future.
Kevin (@kriggins)
Nice start indeed! I like your mindset.
One thing I would add. Always agree on the scope of your assessment before you dive in. As divers say: plan the dive, dive the plan!
Good one,
Really liked it!
Great blog –
Very clear and precise – honesty is key and if they have known issues it is better to tell you than to have it become a public incident.
@ubuntumongol
Great post. I look forward to more.
[…] of mine started a new blog, Fear Not the Assessor. She started it off with an excellent post, Letter to the Client. Almost every QSA goes into a new client with a certain sense of trepidation due to […]
Interesting letter, it should be used in any security assessment as the first step to prepare the environment so the assessment can be a nice experience for both parties.