Summary
In this last chapter, we discussed how to perform an assessment and how to develop the current-state and future-state roadmaps. These roadmaps are used to understand your current environment and to develop a strategic plan for where you want your security program to go in the next three to five years.
There are pros and cons to how one should conduct the assessment. If you decide to perform the assessment on your own, this is called a first-party assessment. This is the least expensive, albeit fun, approach to understanding your environment.
Pay attention to the documents that need to be created first. You will need an engagement letter stating that you are allowed to perform the assessment. It should spell out your intentions for the assessment and how you intend to conduct it. If you decide that you are going to perform configuration scans, ensure that this is also stated in the letter.
Once the assessment is complete, score yourself against the tiering...