24 Managing Network Vulnerability Assessment
industry may have one or two office locations where staff must be interviewed
but may also have a number of refinery and distribution plants where the
company feels there is not a strong need to interview staff. (We make no
comment here on whether that decision is right or wrong.) In another industry
— perhaps healthcare — the organization’s management may decide that staff
at each location must be interviewed. The healthcare organization may have
its headquarters in one city and hospitals and doctors’ offices in many cities
located many miles apart.
In each case, we will need to know how many offices are to be visited
and their location. We will document that in a table such as the one shown
in Exhibit 6.
If an organization — at the stage of the project when the scope is being
developed — cannot fully answer the questions needed to complete the above
tables (i.e., those in Exhibits 4 through 6), it is still necessary to enter some
values for each of the three areas discussed above. It is acceptable, instead
of entering specific values in each of the three tables above, to enter more
vague descriptions such as “Interview five key personnel to be named” or
“Spend ten hours collecting and reviewing documents” — as long as specific
values are substituted for these vague descriptions before project kickoff. If
the placeholder values turn out to be too small to accommodate the actual
requirement (for example, if eight specific individuals need to be interviewed
instead of just five), then a scope change must be initiated. Scope change is
discussed at the end of this chapter.
When these three tables are complete (even temporarily, with vague
descriptions), we have the scope of the top-down assessment and can move
on to developing the scope of the bottom-up assessment.
Scope of the Bottom-Up Assessment Tasks
As we will see later in the book, the bottom-up examination concentrates on
hardware and software implementations of network security by assessing the
network as a discrete entity and by assessing the security of individual
components.
Exhibit 6. Physical Location List

Location Description | City/State | To Be Included in Interview Schedule? (Y / N)
---------------------|------------|-----------------------------------------------
                     |            |