16 Managing Network Vulnerability Assessment
Where the tasks start and end
Time estimates
Resources assigned to each task
Task dependencies
For our purpose (project scope), the most important of these is where the tasks start and end (physically and logically) because, with the Project Overview Statement and the Task List (complete with limits on the tasks), we can produce the Project Scope Document for an NVA. When we look at developing the Task List later in this chapter, we will have to go into more detail than we have here.
Developing the Project Overview Statement
We develop the Project Overview Statement by discussing the aims and benefits
of the project with the project sponsor. This meeting might also involve other
people, such as the manager of the budget that is going to pay for the project
(if that is not the project sponsor) and some or all of the people with a vested
interest in the project (described earlier in this chapter).
It is important to keep this meeting brief and “on track” because some of the attendees will want to develop many of the project documents in one sitting. Remember that this discussion is meant to define the project at a high level only, and that each of the attendees will have a chance to comment on the Project Overview Statement after it has been drafted. Remind everybody present that they will be consulted at many points during development of the project documents. Trying to do more than draft the Project Overview Statement at this early stage will cause confusion, because too many issues and agendas will be addressed at once.
Exhibit 1. Sample Task List
The definition of the project, using the guidance provided earlier in the Project Overview Statement section, will already have been thought of by the project sponsor, and he or she will be able to provide the project overview statement fairly concisely. An NVA project definition might read like this:
This network vulnerability assessment is being carried out to measure
the risk associated with operating [company name’s] network in its
current state. The result of this project will include detailed knowledge
of vulnerabilities present in the network and the actions needed to
reduce the risk posed by those vulnerabilities.
This project definition fulfills the requirements stated earlier, in that it is a
short description and it contains a statement of the benefit of carrying out the
project (“knowledge of vulnerabilities present in the network and the actions
needed to reduce the risk posed by those vulnerabilities”).
The goal of an NVA is fairly standard, and not much time needs to be spent working on this part. The goal of an NVA is:
As network configurations, organizations, and the outside world change
regularly, the risks associated with operating [company name] network
change. The goal of this project is for [company name] management
to be presented with a clear and concise view of the risks associated
with operating the network in the current control environment.
Many times, when the objectives part of the Project Overview Statement
is being developed, the meeting can “run away” from the meeting coordinator.
There is often a temptation to put detailed objectives in a Project Overview
Statement. Remember that a Project Overview Statement should ideally fill no
more than one page, and the list of objectives contained in it should be short.
A list of objectives for an NVA should resemble the following:
Obtain or compile a book of [company name] business objectives, strategic business directions, mission statements, etc.
Compile a book of [company name] Information Security Policies, Procedures, and Standards. Include applicable regulations, laws, guidelines, circulars, etc.
Compile a book of network topology information that includes drawings, notes, updates, operating system information, release numbers, patches, etc.
Create an analysis report that comments on the effectiveness of [company name] Information Security Policies, Procedures, Standards, etc.
Create an analysis report that comments on the current network configuration.
Produce a management report, based on the analyses, that states the risk associated with operating [company name] network in its current state, along with detailed information on the actions needed and costs associated with reducing that risk.
You can see from the above that the list of objectives looks like a very
broad Task List, the basis of a project plan, and it is meant to. While the
objectives listed here are necessarily broad, remember that the Project Overview Statement serves as a check for subsequent documents produced in the planning stage of the project. As we develop the scope of a project, the details put into subsequent documents must all reflect the Project Overview Statement.
Success factors are the benefits of doing the project. At this stage, it will
not be possible to quantify, in dollar terms, the benefits of doing the project
but there are clear benefits to be had. Some examples include:
Documented details of [company name] Information Security Policies,
Standards, and Procedures in one authoritative book.
Details of [company name] network topology, to include drawings, notes, updates, operating system information, release numbers, patches, etc. in one authoritative book.
[Company name] management knowledge of the risks associated with
operating [company name] network in its current state — which will allow
[company name] management to make informed decisions on how to or
whether to reduce that risk.
Assumptions about the project comprise the final section of the Project
Overview Statement and can be the most difficult to complete. It is here that
we list the strengths, weaknesses, opportunities, and threats that might help
or hinder us in completing the project. As with the Objectives section, there
will be a strong tendency to let this list get too long. It is important that we
manage the meeting so that only the most vital assumptions are added here.
Some common assumptions about an NVA project include:
Strengths:
Experience level of network management staff
Management’s commitment to the project
Information security staff level of knowledge about network controls
Weaknesses:
Network topology documentation
Location and currency of information security policies, standards, etc.
Opportunities:
Willingness of network users to communicate
Threats:
Availability of staff to interview
Exhibit 2 provides a completed Project Overview Statement.
Once the Project Overview Statement has been drafted, we must send it
out to be reviewed and approved by the people who are likely to have a
vested interest in the process of the network vulnerability assessment. In most
organizations, the following are likely to be part of that group:
Information security management
Internal audit
Compliance
Legal