1 / 15

Ahmed Abdel-Aziz September 2011 GIAC (GCIA, GCIH, GSNA, GSEC, GWAPT) CISSP, PMP

Scoping Security Assessments: A Project Management Approach Lack of planning is actually planning …. It is just planning to fail, that ’ s all. Ahmed Abdel-Aziz September 2011 GIAC (GCIA, GCIH, GSNA, GSEC, GWAPT) CISSP, PMP. Objective. 1) Quick Overview of Security Assessments

elyse
Download Presentation

Ahmed Abdel-Aziz September 2011 GIAC (GCIA, GCIH, GSNA, GSEC, GWAPT) CISSP, PMP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Scoping Security Assessments:A Project Management Approach Lack of planning is actually planning …. It is just planning to fail, that’s all Ahmed Abdel-Aziz September 2011 GIAC (GCIA, GCIH, GSNA, GSEC, GWAPT) CISSP, PMP SANS Technology Institute - Candidate for Master of Science Degree

  2. Objective 1) Quick Overview of Security Assessments 2) A Project Management Approach to Assess Security 3) Overcoming the Scope Management Challenge SANS Technology Institute - Candidate for Master of Science Degree

  3. Section 1 of 3 What a Security Assessment IS … • A security assessment is a measurement of the security posture of a system or organization. • It assesses the Technology, People, and Process elements of security using three main methods SANS Technology Institute - Candidate for Master of Science Degree

  4. Section 1 of 3 Why Perform Security Assessments • Enables organization to move closer to its security goal • To move towards the target, we need to know where we are now • Security assessments are complex projects - Applying proper project management increases likelihood of success SANS Technology Institute - Candidate for Master of Science Degree

  5. Section 2 of 3 3-Phase Project Management Approach • Manage complex projects by taking phased approach SANS Technology Institute - Candidate for Master of Science Degree

  6. Key deliverable for security assessment project is a quality report Section 2 of 3 Security Assessment Key Deliverable • Introduction • Executive Summary • Current Network Security Infrastructure Design • Proposed Network Security Infrastructure Design • Priority Setting Methodology • Security Controls Analysis (Technical – Process – People) • High Priority Findings & Recommendations • Finding 1 (Process): • Recommendation: • Option 1: • ……… • Conclusion SANS Technology Institute - Candidate for Master of Science Degree

  7. Tips to Increase Report Value Section 2 of 3 • Findings report the security weaknesses identified – Add some positive findings too (not everything is negative) • Give a priority setting to negative findings that reflects the associated risk (the higher the risk, the higher the priority) • Give multiple options in recommendation whenever possible (customer chooses what works for them) • Use report to build a tailored security improvement roadmap (ensuring effective use of security budget) 7 SANS Technology Institute - Candidate for Master of Science Degree

  8. Section 3 of 3 Planning Rests On Scope Management • Why lack of planning is planning to fail? (see cost in graph) Complex project & no planning -> many costly changes -> probable failure • Scoping is the foundation for all planning, that includes aspects of: time, cost, risk, quality, etc. SANS Technology Institute - Candidate for Master of Science Degree

  9. Section 3 of 3 What Constitutes Scope Management • Scope management is defining what work is required, and making sure all of that work, and only that work, is done • Scope management consists of five processes: • Collect Requirements Process • Define Scope Process • Create Work-Breakdown-Structure (WBS) Process • Control Scope Process • Verify Scope Process • Following the five processes will allow you to overcome the security assessment scope management challenge SANS Technology Institute - Candidate for Master of Science Degree

  10. Section 3 of 3 1) Collect Requirements Process • Quality is the degree to which requirements are met • Two main types of requirements for security assessments: • Requirements Related to End Result of Assessment (specify what needs to be achieved) • Requirements Related to How the Work is Managed (specify high-level rules of engagement) • Where do requirements come from?  Stakeholders • What to use to collect requirements?  Interviews & Questionnaires. Ensure requirements are documented SANS Technology Institute - Candidate for Master of Science Degree

  11. Section 3 of 3 2) Define Scope Process • Based on earlier Collect Requirements Process, create a Project Scope Statement to clarify areas where work could easily be misunderstood • Advisable to reduce frequency of visits to stakeholders • Project Scope Statement states the agreed upon scope, and may include: • Progressive elaboration of security assessment requirements collected in earlier process • Deliverables • Progressive elaboration of acceptance criteria • Project exclusions – to reduce scope creep • Constraints and assumptions SANS Technology Institute - Candidate for Master of Science Degree

  12. Section 3 of 3 3) Create WBS Process • The project is made more manageable by breaking it down into small components known as a Work Breakdown Structure (WBS) • Advisable not to overdo it in decomposition – will lead to non-productive management effort SANS Technology Institute - Candidate for Master of Science Degree

  13. Section 3 of 3 4 & 5) Control & Verify Scope Processes • Control Scope Process is extremely proactive, but often neglected • Controlling scope helps ensure that, at any point in time, scope is being completed according to plan • Catch deviations earlyand quickly get back on track to prevent unnecessary problems • Verify Scope Process is customer reviewing and accepting completed deliverables – should be smooth if previous processes were properly applied SANS Technology Institute - Candidate for Master of Science Degree

  14. Real-Life Example (Controlling Scope) Case (Scope Creep Due to Unexpected Outage) Background: Security assessor examining information system using vulnerability scanner Another critical system on same network suddenly crashes All eyes turn to assessor – becomes prime suspect !! Assessor starts to investigate and troubleshoot other system Investigation turns out to be lengthy Applying Control Scope Process: By measuring planned scope against activities completed, a variance is identified – scope creep potential detected Preventive action taken (discuss issue with customer – explain case) Project back on track, no unplanned scope added to project Section 3 of 3 14 SANS Technology Institute - Candidate for Master of Science Degree

  15. Summary • Security assessments are projects that enable organizations to move closer to their security goal (can be multi-phase) • Scoping is the foundation of all planning. Therefore scope management is critical to security assessments’ success • Overcome the scope management challenge by applying the five processes: 1) Collect Requirements, 2) Define Scope, 3) Create WBS, 4) Control Scope, 5) Verify Scope • Paper in SANS Reading Room Includes More Info http://www.sans.org/reading_room/whitepapers/auditing/scoping-security-assessments-project-management-approach_33673 SANS Technology Institute - Candidate for Master of Science Degree

More Related