Network system security part 50 potx


Document information

APPENDIX A The Process Project Plan

Network Security: A Beginner’s Guide. Copyright 2001 The McGraw-Hill Companies, Inc.

In Chapter 7, we talked about the information security process. In that chapter, five phases were identified in the process:

▼ Assessment
■ Policy
■ Implementation
■ Training
▲ Audit

The process is a wonderful concept, but I sometimes find that the actual doing of the process is not as obvious as the process itself. This appendix is intended to lay out how the process might be performed at an organization.

For this discussion, let’s assume that we are talking about a mid-sized organization (500 employees, several locations in the eastern portion of the United States). The industry does not matter for this discussion. We will assume that the organization wishes to improve its security posture and has given the security officer of the company a year to accomplish something. The question is: what can we accomplish in a year?

The short answer is: a lot. Of course, exactly what is accomplished depends upon the risks to the organization and the amount of resources the organization is willing to put against the problem. For this discussion, we will assume that the management of the organization is behind this effort and the resources provided to the security officer are appropriate for the project.

Figure A-1 shows the very high-level project plan for the security project. As you can see from the plan, the process is followed but the steps in the process are not conducted in serial order but rather in parallel. As we talk about what is being done later in this discussion, you will begin to see why this can and should be done.

Figure A-1. High-level security project plan

I have also divided the project plan into phases. Specifically, there are four major phases of the project:

▼ Assessment
■ Critical fixes
■ Update
▲ Ongoing work

The reason I divide the project into these four phases is that each marks a change in the mindset of the security team charged with the overall security project. The following sections detail what is done in each phase of the project.

ASSESSMENT PHASE

The initial assessment of the organization is the only part of the project that must be done in serial order. The initial assessment identifies the risks present in the organization and also recommends changes to manage this risk. When starting a security project such as this, the assessment is very important for the organization as it will define the direction of the project plan and may fill out the details of the remaining three phases.

Figure A-2 shows a project plan for the assessment. The calendar time for the assessment will depend on the size of your organization. At a minimum, the project plan should allow for 30 days. This time could easily expand to two or three months for large assessments. If the assessment is likely to last longer than this, it is best to break it up so that some results come back to the organization within two months.

The assessment project plan has four primary tasks:

▼ Planning
■ Information gathering
■ Analysis
▲ Presentation

Planning

The planning task is used to map out how the assessment will be performed. During this task, the individuals performing the assessment will try to identify who in the organization should be interviewed as well as the key locations to visit. Normally, this task is performed jointly between the individuals performing the assessment and the security officer of the organization. It is the security officer who will be able to provide guidance as to who in the organization will have the information needed for the assessment.

Information Gathering

Once the planning is complete, the assessment team will begin gathering information. Some of this information will be paper such as existing policies and procedures and network diagrams. Most of the information will come through interviews. The schedule should allow approximately one hour for each interview and about six interviews per day. The assessment team should assign two members for each interview.

The team may also use tools to identify the state of security on various systems. The tools may include commercially available vulnerability scanners or scanning tools that are freely available on the Internet.

Analysis

As the information gathering is continuing, the assessment team will begin the analysis of the information. It is helpful to do this while the information gathering is still going on so that the team can ask for clarifications on points that are unclear or for more information if the early analysis uncovers something of interest.

The analysis continues for some period of time after the information gathering is complete. During this part of the task, the team will attempt to assimilate all of the information that was gathered and to rank the risks to the organization. Measuring the risk is often the most difficult part of this task as the cost of a successful exploitation of a vulnerability may be hard to measure.

Figure A-2. Assessment project plan

Finally, the team will put all of the information on risks and recommendations into a report that is provided to the organization. Often the team will provide a draft report to the security officer for an initial review to make sure that details about the organization are correct.

Presentation

The final task of the assessment phase is the presentation of the assessment report. Ideally, this presentation will be scheduled with senior members of the organization’s management team as well as the security officer.

The organization should then review the report and determine if the report is correct so it can form the basis of the detailed project plan for phases 2 through 4. If this is the case, the security officer should develop a detailed project plan for the remainder of the year.

CRITICAL FIXES PHASE

Phase 2 of the security project plan is also called the critical fixes phase. This phase typically lasts between two weeks and three months, depending on the number of critical tasks and the type of organization. During phase 2, the organization is correcting vulnerabilities that meet two criteria:

▼ They are critical to the security of the organization.
▲ They can be quickly corrected.

Figure A-3 shows the detail associated with this phase of the project plan. The following sections go into more detail on each of the security process task areas.

Assessment

No new assessment tasking will be performed during this phase. However, there should be continued review of the findings of the initial assessment and this review should feed into the detailed project plans for the upcoming phases of the project.

Policy

Policy is often identified as an important issue within organizations. During the critical fixes phase, two policies should be specifically addressed: the Information Policy and the Security Policy. The reason for this is that these policies have a great effect on the computer users of the organization as well as the administrators, and they form the basis for security-awareness training classes.

Posted: 02/07/2014, 18:20
