Project Scoping 19
Facilities management
IT management
Management of the business units that use the network
The Project Overview Statement will be accompanied by a cover letter
asking the recipients to review the document and indicate their agreement with,
and understanding of, its contents. In general, it is prudent to allow five
business days for a response. In some organizations, the cover letter can also
state that a lack of response will be taken as agreement. The aim here is not
to deny anyone the opportunity to respond, but the project cannot be held up
because someone simply failed to respond.
If responses are received that indicate a lack of agreement or understanding
of the contents of the Project Overview Statement, we should meet with the
respondent one-on-one to correct the situation.
Although it would be nice to hold all further activity until every response
is in and everyone has agreed to the contents of the Project Overview
Statement, we rarely have the luxury of that time. While the Project
Overview Statement is out for review, we can go ahead and develop the Task
List; any changes to the Task List made necessary by changes to the Project
Overview Statement can be incorporated as the Task List is developed.
Developing the Project Scope
Much of the information needed to determine the scope of the project can
be gathered from the same audience that was needed to develop the Project
Overview Statement, but it should be gathered in a separate session so that
scoping questions do not distract from developing the Project Overview Statement.
Task List
In addition to administrative details and information drawn from the Project
Overview Statement, the Project Scope Document includes a Task List —
which will eventually be used in the project plan.
The Task List for an NVA is unusual in that it is fairly constant — changing
only to accommodate the small variables within the environment being
assessed. Otherwise, the tasks involved — and their sequence — remain
constant. Later in the book we list the tasks required to carry out an NVA and
so there is no need to list them here. However, a sample part of the Task
List is shown here in Exhibit 3.
What must be done here is to show how to determine the scope of each
task so that we can determine the overall scope of the project. The scope of
each task defines where the task will start and end — both physically and
logically. The NVA is a project with two distinct elements: top down and
bottom up. Therefore, the scope of the project can be broken into two parts
(and the tasks in each part scoped) before being put together again to form
the entire scope of the project.
20 Managing Network Vulnerability Assessment
Exhibit 2. Project Overview Statement
Company Name: Another Company
Project Title: Network Vulnerability Assessment
Date: 11/01/03
Sponsor: A. N. Other
Project Manager: T. R. Peltier
Project Definition: This network vulnerability assessment is being carried out to measure the risk associated with operating Another Company’s network in its current state. The result of this project will include detailed knowledge of vulnerabilities present in the network and the actions needed to reduce the risk posed by those vulnerabilities.
Project Goal: As network configurations, organizations, and the outside world change regularly, the risks associated with operating Another Company’s network change. The goal of this project is for Another Company’s management to be presented with a clear and concise view of the risks associated with operating the network in the current control environment.
Objectives:
Obtain or compile a book of [company name] business objectives, strategic business directions, mission statements, etc.
Compile a book of [company name] Information Security Policies, Procedures, and Standards. Include applicable regulations, laws, guidelines, circulars, etc.
Compile a book of network topography information that includes drawings, notes, updates, operating system information, release numbers, patches, etc.
Create an analysis report that comments on the effectiveness of [company name] Information Security Policies, Procedures, Standards, etc.
Create an analysis report that comments on the current network configuration.
Produce a management report, based on the analyses, which states the risk associated with operating [company name] network in its current state, along with detailed information on the actions needed and costs associated with reducing that risk.
Success Factors:
Documented details of [company name] Information Security Policies, Standards, and Procedures in one authoritative book.
Details of [company name] network topography, to include drawings, notes, updates, operating system information, release numbers, patches, etc., in one authoritative book.
[Company name] management knowledge of the risks associated with operating [company name] network in its current state — which will allow [company name] management to make informed decisions on how to or whether to reduce that risk.
Strengths:
Experience level of network management staff
Commitment of management to the project
Information security staff level of knowledge about network controls
Weaknesses:
Network topography documentation
Location and currency of information security policy, standards, etc.
Opportunities:
Willingness of network users to communicate
Threats:
Availability of staff to interview
Scope of the Top-Down Assessment Tasks
When developing the scope of a project where the tasks are fairly predictable,
the critical things to take into account are those that will vary from company
to company. In a network vulnerability top-down assessment, the things that
are most likely to vary include:
Number, existence, location, and currency of documents; for example,
business objectives; strategic business directions; mission statements; infor-
mation security policies, procedures, and standards; applicable regulations;
laws, guidelines; circulars; etc.
Number of staff to be interviewed
Number of physical locations
The distance between remote locations and the main office
To begin to develop the scope of the top-down assessment, we need to
know what documents will be available for review. The available documents
vary widely from organization to organization. For example, regulated orga-
nizations (such as banking, insurance, etc.) are required to have detailed
current policies, disaster recovery plans, etc. but nonregulated organizations
(such as waste management, oil industries, etc.) are not.
Once again, to determine the scope of the project, it is necessary to
complete a table to show which documents will be reviewed in the project.
Exhibit 4 shows a sample of this table.
Exhibit 3. Task List
When discussing the number of staff, we are looking for people who need
to be interviewed so that we can determine the state of the information security
program as it pertains to network vulnerability. Typically, we would want to
interview the same categories of people as were present at the meeting to
develop the Project Overview Statement; that is:
Information security management
Internal audit
Compliance
Legal
Facilities management
IT management
Management of the business units that use the network
In addition to these people, we will also want to interview:
Network managers
Systems programmers
Applications developers
Taken together, these two lists form a group of people from whom we can
gather a representative picture of the information security program as it pertains
to network vulnerability. Of course, we can document the potential inter-
viewees in a table similar to those used for locations and documents. Such a
table would look similar to the one in Exhibit 5.
When we have discussed the location of staff to be interviewed, we can
complete a table that shows the locations to be visited. This can differ widely
from organization to organization. For example, organizations in the petroleum
Exhibit 4. NVA Step-by-Step: Document Table
Document Location Custodian
Exhibit 5. Interview List: Interviewees
Title Name Department Location