Scoping Security Assessments: A Project Management Approach
"Lack of planning is actually planning. It is just planning to fail, that's all."
Ahmed Abdel-Aziz, September 2011
GIAC (GCIA, GCIH, GSNA, GSEC, GWAPT), CISSP, PMP
SANS Technology Institute - Candidate for Master of Science Degree
Objective
1) Quick Overview of Security Assessments
2) A Project Management Approach to Assessing Security
3) Overcoming the Scope Management Challenge
Section 1 of 3: What a Security Assessment IS
• A security assessment is a measurement of the security posture of a system or organization.
• It assesses the Technology, People, and Process elements of security using three main methods.
Section 1 of 3: Why Perform Security Assessments
• Enables the organization to move closer to its security goal.
• To move towards the target, we first need to know where we are now.
• Security assessments are complex projects; applying proper project management increases the likelihood of success.
Section 2 of 3: 3-Phase Project Management Approach
• Manage complex projects by taking a phased approach.
Section 2 of 3: Security Assessment Key Deliverable
The key deliverable of a security assessment project is a quality report. Suggested report structure:
• Introduction
• Executive Summary
• Current Network Security Infrastructure Design
• Proposed Network Security Infrastructure Design
• Priority Setting Methodology
• Security Controls Analysis (Technical, Process, People)
• High Priority Findings & Recommendations
  • Finding 1 (Process): ...
    • Recommendation:
      • Option 1: ...
      • ...
• Conclusion
Section 2 of 3: Tips to Increase Report Value
• Findings report the security weaknesses identified; add some positive findings too (not everything is negative).
• Give each negative finding a priority that reflects the associated risk (the higher the risk, the higher the priority).
• Give multiple options in each recommendation whenever possible (the customer chooses what works for them).
• Use the report to build a tailored security improvement roadmap (ensuring effective use of the security budget).
Section 3 of 3: Planning Rests On Scope Management
• Why is lack of planning "planning to fail"? (see the cost-of-change graph) A complex project with no planning leads to many costly changes and probable failure.
• Scoping is the foundation for all planning, which includes the aspects of time, cost, risk, quality, etc.
Section 3 of 3: What Constitutes Scope Management
• Scope management is defining what work is required, and making sure all of that work, and only that work, is done.
• Scope management consists of five processes:
  1) Collect Requirements
  2) Define Scope
  3) Create Work Breakdown Structure (WBS)
  4) Control Scope
  5) Verify Scope
• Following the five processes will allow you to overcome the security assessment scope management challenge.
Section 3 of 3: 1) Collect Requirements Process
• Quality is the degree to which requirements are met.
• Two main types of requirements for security assessments:
  • Requirements related to the end result of the assessment (specify what needs to be achieved).
  • Requirements related to how the work is managed (specify high-level rules of engagement).
• Where do requirements come from? Stakeholders.
• What to use to collect requirements? Interviews and questionnaires. Ensure the requirements are documented.
Section 3 of 3: 2) Define Scope Process
• Based on the earlier Collect Requirements process, create a Project Scope Statement to clarify areas where the work could easily be misunderstood.
• It is advisable to reduce the frequency of visits to stakeholders by resolving these ambiguities in writing.
• The Project Scope Statement states the agreed-upon scope, and may include:
  • Progressive elaboration of the security assessment requirements collected in the earlier process
  • Deliverables
  • Progressive elaboration of acceptance criteria
  • Project exclusions (to reduce scope creep)
  • Constraints and assumptions
Section 3 of 3: 3) Create WBS Process
• The project is made more manageable by breaking it down into small components known as a Work Breakdown Structure (WBS).
• It is advisable not to overdo the decomposition; too fine a breakdown leads to non-productive management effort.
Section 3 of 3: 4 & 5) Control & Verify Scope Processes
• The Control Scope process is extremely proactive, but often neglected.
• Controlling scope helps ensure that, at any point in time, scope is being completed according to plan.
• Catch deviations early and quickly get back on track to prevent unnecessary problems.
• The Verify Scope process is the customer reviewing and accepting completed deliverables; it should be smooth if the previous processes were properly applied.
Section 3 of 3: Real-Life Example (Controlling Scope)
Case: Scope Creep Due to an Unexpected Outage
Background:
• A security assessor is examining an information system using a vulnerability scanner.
• Another critical system on the same network suddenly crashes.
• All eyes turn to the assessor, who becomes the prime suspect.
• The assessor starts to investigate and troubleshoot the other system.
• The investigation turns out to be lengthy.
Applying the Control Scope process:
• By measuring planned scope against the activities completed, a variance is identified: scope creep potential detected.
• Preventive action taken: discuss the issue with the customer and explain the case.
• Project back on track, with no unplanned scope added to the project.
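The Project Scope Statement (exclusions, constraints) and the Control Scope check in the case above can both be made mechanical. The following is an added example, not part of the original presentation or paper: a small Python model of a scope statement that (a) rejects scanner targets falling outside the agreed networks or inside an explicit exclusion, and (b) measures the activity log against the WBS to surface unplanned work, the variance the case describes. All networks, WBS ids and log entries are constructed for illustration.

```python
"""Scope checks for a security assessment project (added example).

Two checks that make the Define Scope and Control Scope processes concrete:
  1. target_check: every host the scanner is about to touch must fall inside
     the in-scope networks of the Project Scope Statement and outside its
     explicit exclusions;
  2. scope_variance: compare the work actually performed against the WBS and
     report anything not planned (scope creep) plus planned work still open.
All networks, WBS ids and log lines below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ProjectScopeStatement:
    """Minimal model of the agreed scope: networks, exclusions, work packages."""
    in_scope: list                               # CIDR strings we may assess
    exclusions: list                             # CIDR strings explicitly out of scope
    wbs: dict = field(default_factory=dict)      # work package id -> description

    def permits(self, host: str) -> bool:
        addr = ipaddress.ip_address(host)
        # Exclusions win over in-scope ranges: an excluded host that sits
        # inside an in-scope network stays out of scope.
        if any(addr in ipaddress.ip_network(x, strict=False) for x in self.exclusions):
            return False
        return any(addr in ipaddress.ip_network(n, strict=False) for n in self.in_scope)


def target_check(scope, targets):
    """Split a scanner target list into permitted and rejected hosts."""
    permitted, rejected = [], []
    for t in targets:
        (permitted if scope.permits(t) else rejected).append(t)
    return permitted, rejected


def scope_variance(scope, activity_log):
    """Control Scope: measure completed work against the planned WBS.

    activity_log is a list of (wbs_id_or_None, description, hours).
    Returns the unplanned activities (scope creep), the WBS ids not yet
    touched by any logged activity, and the hours spent on unplanned work.
    """
    unplanned = [(desc, hrs) for wid, desc, hrs in activity_log if wid not in scope.wbs]
    touched = {wid for wid, _, _ in activity_log if wid in scope.wbs}
    open_packages = sorted(set(scope.wbs) - touched)
    creep_hours = sum(hrs for _, hrs in unplanned)
    return unplanned, open_packages, creep_hours


# Constructed sample scope for the scanner scenario in the case above.
SCOPE = ProjectScopeStatement(
    in_scope=["10.10.20.0/24"],
    exclusions=["10.10.20.5/32"],       # the customer's critical system, excluded
    wbs={
        "1.1": "Collect requirements and confirm rules of engagement",
        "2.1": "Vulnerability scan of 10.10.20.0/24 (excluding 10.10.20.5)",
        "2.2": "Manual verification of high-severity scanner findings",
        "3.1": "Draft and review assessment report",
    },
)

# Constructed scanner target list the assessor is about to use.
TARGETS = ["10.10.20.10", "10.10.20.5", "10.10.20.77", "10.10.30.2"]

# Constructed activity log: the third entry is the unplanned troubleshooting.
ACTIVITY_LOG = [
    ("1.1", "Kick-off meeting, ROE signed", 4),
    ("2.1", "Scanned 10.10.20.0/24", 6),
    (None, "Troubleshooting crash of customer system 10.10.20.5", 9),
]

if __name__ == "__main__":
    ok, bad = target_check(SCOPE, TARGETS)
    print("permitted:", ok, "rejected:", bad)
    creep, open_pkgs, hours = scope_variance(SCOPE, ACTIVITY_LOG)
    print("unplanned:", creep, "open WBS packages:", open_pkgs, "creep hours:", hours)
```

Run the target check before every scan so the excluded critical system is never touched, and run the variance check at each status point: an activity with no WBS id is exactly the signal that should trigger the conversation with the customer described in the case, before the unplanned hours grow.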
Summary
• Security assessments are projects that enable organizations to move closer to their security goal (they can be multi-phase).
• Scoping is the foundation of all planning; therefore scope management is critical to the success of security assessments.
• Overcome the scope management challenge by applying the five processes: 1) Collect Requirements, 2) Define Scope, 3) Create WBS, 4) Control Scope, 5) Verify Scope.
• The accompanying paper in the SANS Reading Room includes more information: http://www.sans.org/reading_room/whitepapers/auditing/scoping-security-assessments-project-management-approach_33673