Scoping information can come from many different sources. One of the obvious sources is the agreement or RFP that the customer issued to obtain assessment services. Usually this information is abbreviated, and additional detail is required to determine the scope. The sources of

Chapter 2 The Pre-Assessment Visit

Regular practice: Imagine, some organizations include an assessment as part of a good overall security practice. In this case, you usually run into a fairly open and knowledgeable staff. Again, your understanding of the customer organization's motives is an additional piece of information you can use to do a better job.

When we assess security controls, we tend to inspect them rather closely, and rightfully so. In a manner of speaking, we are security controls as well. We should also look for any way to improve our processes and our work.

Defining Roles and Responsibilities

Over the course of an assessment, you will work with a multitude of people at the customer organization who have different roles and responsibilities regarding information security. It is essential that you understand who is in what role and who can do what, to make sure the project progresses smoothly. Many of the people placed in the roles described in this section will be of your choosing. Others will not; however, we can at least discuss with the customer our expectation for these roles in an effort to maintain customer expectations and help them appoint people we'll need to be successful. As stated earlier in the book, the assessment is a team effort, and the quality of the final report is heavily dependent on customer involvement.
Some of the roles we discuss here, and their relationships with security, are:

- Decision maker
- Customer POC
- Upper-level management
- Functional area representatives
- Senior INFOSEC manager
- And many more

Who Is the Decision Maker?

The decision maker is the key player when it comes to setting the scope of the assessment process and determining relevant boundaries. He or she is likely the person who authorized funding to bring in an independent team. The decision maker normally has his or her own objectives in relation to the assessment outcome. The decision maker will ultimately authorize the .