tion that was gathered and to rank the risks to the organization. Measuring the risk is often the most difficult part of this task as the cost of a successful exploitation of a vulner - ability may be hard to measure. Finally, the team will put all of the information on risks and recommendations into a report that is provided to the organization. Often the team will provide a draft report to the security officer for an initial review to make sure that details about the organization are correct. Presentation The final task of the assessment phase is the presentation of the assessment report. Ideally, this presentation will be scheduled with senior members of the organization’s management team as well as the security officer. The organization should then review the report and determine if the report is cor - rect so it can form the basis of the detailed project plan for phases 2 through 4. If this is the case, the security officer should develop a detailed project plan for the remainder of the year. CRITICAL FIXES PHASE Phase 2 of the security project plan is also called the critical fixes phase. This phase typi- cally lasts between two weeks and three months, depending on the number of critical tasks and the type of organization. During phase 2, the organization is correcting vulner- abilities that meet two criteria: ▼ They are critical to the security of the organization. ▲ They can be quickly corrected. Figure A-3 shows the detail associated with this phase of the project plan. The follow - ing sections go into more detail on each of the security process task areas. Assessment No new assessment tasking will be performed during this phase. However, there should be continued review of the findings of the initial assessment and this review should feed into the detailed project plans for the upcoming phases of the project. Policy Policy is often identified as an important issue within organizations. During the critical fixes phase, two policies should be specifically addressed: the Information Policy and the Security Policy. The reason for this is that these policies have a great effect on the com - puter users of the organization as well as the administrators, and they form the basis for security-awareness training classes. Appendix A: The Process Project Plan 347 348 Network Security: A Beginner’s Guide If resources allow, these two policies can be developed in parallel. Based on the neces- sary review and approval cycles in your organization, it may take as little as a week to de- velop a policy or as much as two months. However, it is critical to develop the policy in such a way that the organization will buy into it and follow the policy (see Chapter 5 for more detail on policy development). Implementation During the critical fixes phase, system administrators will be correcting serious vulnera - bilities in their systems. This should be a top priority for the administrators. Make sure each system is identified properly and that there are detailed instructions on how each vulnerability should be fixed. Many can be corrected by installing the latest patches from the computer system or software vendor. Also as part of the implementation task, some extremely important new hardware or software implementations may occur. For example, if the assessment identified an un - protected network connection, the project plan may call for the immediate procurement and implementation of a firewall. However, most procurements for increasing security will take place in later phases of the project. Training There is no specific training task associated with the critical fixes phase of the project. However, the development of the security-awareness training classes for employees may begin as the information and security policies near completion. More likely, most of the work here will take place in the next phase. Figure A-3. Detailed project plan for the critical fixes phase Audit There is no specific audit task for the critical fixes phase of the project plan. Some plan - ning for future compliance checking may occur as the information and security policies are completed. UPDATE PHASE The update phase of the security project begins once the critical fixes have been com - pleted. During the update phase of the project, the less immediate security issues are dealt with. The overall security at the organization should be improving by this time. Most of the high-risk issues should have either been corrected or in some other way miti - gated. The update phase may last two to six months (see Figure A-4). Assessment During the update phase, the Security department should begin working with depart- ments that are deploying or building new projects. The idea is for Security to be involved in projects early on in their lifecycles. New project requirements should reflect the secu- rity policy and the Security department should provide assistance in the design of new systems. Appendix A: The Process Project Plan 349 Figure A-4. Update phase project plan 350 Network Security: A Beginner’s Guide Policy The remaining policies and procedures that are necessary for the organization should be developed. These will include ▼ Use policies ■ Incident response procedures ■ User management procedures ▲ Disaster recovery plans The development of a DRP is a long process that will require the assistance of other departments within the organization. It is likely that development of the DRP will be started but not completed during the update phase. Implementation Now that the security policy is complete, the system administrators should be working with the Security department to make sure that their systems comply with the security policy. In addition, less serious vulnerabilities should be fixed on all computer systems. During the update phase, any procurements of new security systems should be started. Depending on the organization, procurement of new hardware and software products can take a fair amount of time as vendors and products are evaluated, the RFP sent out for bid, and the bids evaluated. Training The security-awareness training class should be completed and reflect the user require- ments of the information and security policies. At the same time, an awareness program that includes posters and newsletter articles should be started. Once the security-awareness training class is completed, it should be taught first to new employees as part of the new employee orientation program. This will provide a way to pilot the classes and to train internal trainers. Next, the training program should be rolled out to all employees. This will require a training schedule that eventually in - cludes all employees. Depending on the number of employees in your organization, it may take six to nine months to run all of them through the security-awareness program. Also in this phase, security reporting to senior management should begin with a reg - ular executive security briefing. NOTE: Reporting on project status should begin with the project. However, these meetings will pro - vide information to senior management on the status of security within the organization. Audit The audit program is now beginning to define its procedures and structure to manage the compliance with organization policies. By the end of the update phase, the audit program TEAMFLY Team-Fly ® Appendix A: The Process Project Plan 351 should have well-defined procedures for monitoring the security of the computer sys - tems as well as a developed compliance program. ONGOING WORK PHASE The final phase of the security project is the ongoing work phase. Simply put, all of the policies, procedures, and processes that have been put in place now have to work to maintain the security of the organization. Assessment The Security department maintains its relationship with development and continues to advise on security regarding new projects. At the same time, an assessment schedule is developed to provide regular assessments of the organization, individual departments or locations, and systems as necessary. Policy With the exception of the DRP (which may take more time), all of the significant security policies and procedures should be complete by this phase. The Security department should establish regular review dates for all policies and follow the schedule. Testing of the Incident Response Plan and the DRP (when complete) must now pro- ceed. Regular test plans, both announced and unannounced, should commence and con- tinue at regular intervals. Implementation System administrators should be making necessary security changes to systems. These changes may be instigated by the identification of a new vulnerability or by the identifica - tion of a non-compliance issue. System administrators should be looking at systems to identify suspicious activity and investigate that activity with the help of the Security de - partment. Training The awareness program of posters and newsletter articles should be in full swing. The se - curity-awareness training classes should cover new employees, existing employees, ex - ecutives, and the technical staff. Schedules of classes should be established so that every employee receives a refresher class at least every two years. Classes for executives should include briefings on the state of security within the organization. Audit The security policy–compliance program should now be in full swing. Each system within the organization should be checked for policy compliance on a regular basis. At the same time, regular system monitoring and network monitoring should be performed to watch for signs of suspicious activity. This page intentionally left blank. . six months (see Figure A-4). Assessment During the update phase, the Security department should begin working with depart- ments that are deploying or building new projects. The idea is for Security. corrected by installing the latest patches from the computer system or software vendor. Also as part of the implementation task, some extremely important new hardware or software implementations. gathered and to rank the risks to the organization. Measuring the risk is often the most difficult part of this task as the cost of a successful exploitation of a vulner - ability may be hard to