Scoping Security Assessments A Project Management Approach Lack

  • Slides: 15
Download presentation
Scoping Security Assessments: A Project Management Approach Lack of planning is actually planning ….

Scoping Security Assessments: A Project Management Approach Lack of planning is actually planning …. It is just planning to fail, that’s all Ahmed Abdel-Aziz September 2011 GIAC (GCIA, GCIH, GSNA, GSEC, GWAPT) CISSP, PMP SANS Technology Institute - Candidate for Master of Science Degree 1 1

Objective 1) Quick Overview of Security Assessments 2) A Project Management Approach to Assess

Objective 1) Quick Overview of Security Assessments 2) A Project Management Approach to Assess Security 3) Overcoming the Scope Management Challenge SANS Technology Institute - Candidate for Master of Science Degree 2

Section 1 of 3 What a Security Assessment IS … • A security assessment

Section 1 of 3 What a Security Assessment IS … • A security assessment is a measurement of the security posture of a system or organization. • It assesses the Technology, People, and Process elements of security using three main methods SANS Technology Institute - Candidate for Master of Science Degree 3

Section 1 of 3 Why Perform Security Assessments • Enables organization to move closer

Section 1 of 3 Why Perform Security Assessments • Enables organization to move closer to its security goal • To move towards the target, we need to know where we are now • Security assessments are complex projects - Applying proper project management increases likelihood of success SANS Technology Institute - Candidate for Master of Science Degree 4

Section 2 of 3 3 -Phase Project Management Approach • Manage complex projects by

Section 2 of 3 3 -Phase Project Management Approach • Manage complex projects by taking phased approach SANS Technology Institute - Candidate for Master of Science Degree 5

Section 2 of 3 Security Assessment Key Deliverable • Key deliverable for security assessment

Section 2 of 3 Security Assessment Key Deliverable • Key deliverable for security assessment project is a quality report • • • Introduction Executive Summary Current Network Security Infrastructure Design Proposed Network Security Infrastructure Design Priority Setting Methodology Security Controls Analysis (Technical – Process – People) High Priority Findings & Recommendations Finding 1 (Process): Recommendation: Option 1: ……… Conclusion SANS Technology Institute - Candidate for Master of Science Degree 6

Section 2 of 3 Tips to Increase Report Value • Findings report the security

Section 2 of 3 Tips to Increase Report Value • Findings report the security weaknesses identified – Add some positive findings too (not everything is negative) • Give a priority setting to negative findings that reflects the associated risk (the higher the risk, the higher the priority) • Give multiple options in recommendation whenever possible (customer chooses what works for them) • Use report to build a tailored security improvement roadmap (ensuring effective use of security budget) SANS Technology Institute - Candidate for Master of Science Degree 7

Section 3 of 3 Planning Rests On Scope Management • Why lack of planning

Section 3 of 3 Planning Rests On Scope Management • Why lack of planning is planning to fail? (see cost in graph) Complex project & no planning -> many costly changes -> probable failure • Scoping is the foundation for all planning, that includes aspects of: time, cost, risk, quality, etc. SANS Technology Institute - Candidate for Master of Science Degree 8

Section 3 of 3 What Constitutes Scope Management • Scope management is defining what

Section 3 of 3 What Constitutes Scope Management • Scope management is defining what work is required, and making sure all of that work, and only that work, is done • Scope management consists of five processes: • 1) 2) 3) 4) 5) Collect Requirements Process Define Scope Process Create Work-Breakdown-Structure (WBS) Process Control Scope Process Verify Scope Process Following the five processes will allow you to overcome the security assessment scope management challenge SANS Technology Institute - Candidate for Master of Science Degree 9

Section 3 of 3 1) Collect Requirements Process • Quality is the degree to

Section 3 of 3 1) Collect Requirements Process • Quality is the degree to which requirements are met • Two main types of requirements for security assessments: – Requirements Related to End Result of Assessment (specify what needs to be achieved) – Requirements Related to How the Work is Managed (specify high-level rules of engagement) • Where do requirements come from? Stakeholders • What to use to collect requirements? Interviews & Questionnaires. Ensure requirements are documented SANS Technology Institute - Candidate for Master of Science Degree 10

Section 3 of 3 2) Define Scope Process • Based on earlier Collect Requirements

Section 3 of 3 2) Define Scope Process • Based on earlier Collect Requirements Process, create a Project Scope Statement to clarify areas where work could easily be misunderstood • Advisable to reduce frequency of visits to stakeholders • Project Scope Statement states the agreed upon scope, and may include: – – – Progressive elaboration of security assessment requirements collected in earlier process Deliverables Progressive elaboration of acceptance criteria Project exclusions – to reduce scope creep Constraints and assumptions SANS Technology Institute - Candidate for Master of Science Degree 11

Section 3 of 3 3) Create WBS Process • The project is made more

Section 3 of 3 3) Create WBS Process • The project is made more manageable by breaking it down into small components known as a Work Breakdown Structure (WBS) • Advisable not to overdo it in decomposition – will lead to non-productive management effort SANS Technology Institute - Candidate for Master of Science Degree 12

Section 3 of 3 4 & 5) Control & Verify Scope Processes • Control

Section 3 of 3 4 & 5) Control & Verify Scope Processes • Control Scope Process is extremely proactive, but often neglected • Controlling scope helps ensure that, at any point in time, scope is being completed according to plan • Catch deviations early and quickly get back on track to prevent unnecessary problems • Verify Scope Process is customer reviewing and accepting completed deliverables – should be smooth if previous processes were properly applied SANS Technology Institute - Candidate for Master of Science Degree 13

Section 3 of 3 Real-Life Example (Controlling Scope) • Case (Scope Creep Due to

Section 3 of 3 Real-Life Example (Controlling Scope) • Case (Scope Creep Due to Unexpected Outage) – Background: • Security assessor examining information system using vulnerability scanner • Another critical system on same network suddenly crashes • All eyes turn to assessor – becomes prime suspect !! • Assessor starts to investigate and troubleshoot other system • Investigation turns out to be lengthy – Applying Control Scope Process: • By measuring planned scope against activities completed, a variance is identified – scope creep potential detected • Preventive action taken (discuss issue with customer – explain case) • Project back on track, no unplanned scope added to project SANS Technology Institute - Candidate for Master of Science Degree 14

Summary • Security assessments are projects that enable organizations to move closer to their

Summary • Security assessments are projects that enable organizations to move closer to their security goal (can be multi-phase) • Scoping is the foundation of all planning. Therefore scope management is critical to security assessments’ success • Overcome the scope management challenge by applying the five processes: 1) Collect Requirements, 2) Define Scope, 3) Create WBS, 4) Control Scope, 5) Verify Scope • Paper in SANS Reading Room Includes More Info http: //www. sans. org/reading_room/whitepapers/auditing/scoping-securityassessments-project-management-approach_33673 SANS Technology Institute - Candidate for Master of Science Degree 15

SCOPING SCOPING Scoping rules tell you where aSCOPING SCOPING Scoping rules tell you where a
CHAPTER 3 Scoping a Project Scoping a projectCHAPTER 3 Scoping a Project Scoping a project
Systematic Scoping Reviews Systematic Scoping Reviews Why ItSystematic Scoping Reviews Systematic Scoping Reviews Why It
Module 3 Scoping Goal The goal of scopingModule 3 Scoping Goal The goal of scoping
Scoping Scoping phase where developer trying to understandScoping Scoping phase where developer trying to understand
Phase III Scoping and Costing Phase III ScopingPhase III Scoping and Costing Phase III Scoping
Phil Callaghan A Guide to Scoping CRM ScopingPhil Callaghan A Guide to Scoping CRM Scoping
II Scoping EIAScreening 6Gajaseni 2007 1 Scoping DefinitionII Scoping EIAScreening 6Gajaseni 2007 1 Scoping Definition
PHASED ASSESSMENTS Assessments Phased Assessments Approaches to PhasedPHASED ASSESSMENTS Assessments Phased Assessments Approaches to Phased
Ohio Rivers Lack of Access Lack of RecreationOhio Rivers Lack of Access Lack of Recreation
Direction Problem 12 Lack of Motivation Lack ofDirection Problem 12 Lack of Motivation Lack of
Lack of education What is a lack ofLack of education What is a lack of
Prokaryotes Lack nuclei Typically lack or have veryProkaryotes Lack nuclei Typically lack or have very
Security Management Security Management Security Management is theSecurity Management Security Management Security Management is the