TYING UP LOOSE ENDS

This chapter covers some of the primary issues commonly seen after a final report is delivered: document retention, follow-up, and lessons learned. The National Security Agency (NSA) Information Assurance Methodology (IAM) does not directly cover document retention beyond stating that the information is customer proprietary and does not belong to the organization conducting the assessment. Anyone performing these assessments must consider all documentation sensitive. The assessing organization should never hold documents beyond a 90-day period, which allows time to answer any customer concerns or questions. Following up with the customer is a highly valuable activity that can lead to answers to questions the customer might not be capable of asking directly, or might not have asked for fear of sounding unintelligent. The NSA IAM does not cover these activities directly beyond stating that a follow-up is necessary. Evaluating lessons learned is important for ensuring the continuing growth and evolution of the assessment services. Lessons can be negative or positive and should be integrated into the processes only if they provide adequate value.