
Scoping Security Assessments: A Project Management Approach

"Lack of planning is actually planning … It is just planning to fail, that’s all."

Ahmed Abdel-Aziz

September 2011

GIAC (GCIA, GCIH, GSNA, GSEC, GWAPT)

CISSP, PMP

SANS Technology Institute - Candidate for Master of Science Degree

Objective

1) Quick Overview of Security Assessments

2) A Project Management Approach to Assess Security

3) Overcoming the Scope Management Challenge


Section 1 of 3

What a Security Assessment IS …
  • A security assessment is a measurement of the security posture of a system or organization.
  • It assesses the Technology, People, and Process elements of security using three main methods


Why Perform Security Assessments
  • Enables organization to move closer to its security goal
  • To move towards the target, we need to know where we are now
  • Security assessments are complex projects; applying proper project management increases the likelihood of success


Section 2 of 3

3-Phase Project Management Approach
  • Manage complex projects by taking a phased approach

Security Assessment Key Deliverable

The key deliverable of a security assessment project is a quality report, outlined as:
  • Introduction
  • Executive Summary
  • Current Network Security Infrastructure Design
  • Proposed Network Security Infrastructure Design
  • Priority Setting Methodology
  • Security Controls Analysis (Technical – Process – People)
  • High Priority Findings & Recommendations
    • Finding 1 (Process):
      • Recommendation:
        • Option 1:
        • ………
  • Conclusion

Tips to Increase Report Value

  • Findings report the security weaknesses identified – Add some positive findings too (not everything is negative)
  • Give a priority setting to negative findings that reflects the associated risk (the higher the risk, the higher the priority)
  • Give multiple options in recommendation whenever possible (customer chooses what works for them)
  • Use report to build a tailored security improvement roadmap (ensuring effective use of security budget)


Section 3 of 3

Planning Rests On Scope Management
  • Why is a lack of planning planning to fail? (see cost in graph)

Complex project & no planning -> many costly changes -> probable failure

  • Scoping is the foundation for all planning, which includes aspects such as time, cost, risk and quality


What Constitutes Scope Management
  • Scope management is defining what work is required, and making sure all of that work, and only that work, is done
  • Scope management consists of five processes:
    • Collect Requirements Process
    • Define Scope Process
    • Create Work-Breakdown-Structure (WBS) Process
    • Control Scope Process
    • Verify Scope Process
  • Following the five processes will allow you to overcome the security assessment scope management challenge


1) Collect Requirements Process
  • Quality is the degree to which requirements are met
  • Two main types of requirements for security assessments:
    • Requirements related to the end result of the assessment (specify what needs to be achieved)
    • Requirements related to how the work is managed (specify high-level rules of engagement)
  • Where do requirements come from? Stakeholders
  • What to use to collect requirements? Interviews & questionnaires. Ensure requirements are documented


2) Define Scope Process
  • Based on the earlier Collect Requirements Process, create a Project Scope Statement to clarify areas where the work could easily be misunderstood
  • Advisable, as it reduces the frequency of return visits to stakeholders
  • Project Scope Statement states the agreed upon scope, and may include:
    • Progressive elaboration of security assessment requirements collected in earlier process
    • Deliverables
    • Progressive elaboration of acceptance criteria
    • Project exclusions – to reduce scope creep
    • Constraints and assumptions


3) Create WBS Process
  • The project is made more manageable by breaking it down into small components known as a Work Breakdown Structure (WBS)
  • Advisable not to overdo the decomposition; excessive detail leads to non-productive management effort


4 & 5) Control & Verify Scope Processes
  • Control Scope Process is extremely proactive, but often neglected
  • Controlling scope helps ensure that, at any point in time, scope is being completed according to plan
  • Catch deviations early and quickly get back on track to prevent unnecessary problems
  • Verify Scope Process is customer reviewing and accepting completed deliverables – should be smooth if previous processes were properly applied

Real-Life Example (Controlling Scope)

Case (Scope Creep Due to Unexpected Outage)

Background:
  • Security assessor examining information system using vulnerability scanner
  • Another critical system on same network suddenly crashes
  • All eyes turn to assessor – becomes prime suspect !!
  • Assessor starts to investigate and troubleshoot other system
  • Investigation turns out to be lengthy

Applying Control Scope Process:
  • By measuring planned scope against activities completed, a variance is identified – scope creep potential detected
  • Preventive action taken (discuss issue with customer – explain case)
  • Project back on track, no unplanned scope added to project
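As an added illustration of the Control Scope measurement in the case above (not from the slides or the paper), a small Python check that compares a Work Breakdown Structure against the assessor's activity log and flags work with no WBS item or hours beyond plan; the WBS items, activities and hours are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class WbsItem:
    wbs_id: str
    name: str
    planned_hours: float

@dataclass
class Activity:
    wbs_id: str  # "" when the work maps to no WBS item
    description: str
    hours: float

# Constructed sample data modelled on the slide's case: the scan of the in-scope
# system is planned work; troubleshooting the other system that crashed is not.
PLANNED_WBS = [
    WbsItem("1.1", "Collect requirements", 4),
    WbsItem("2.1", "Vulnerability scan of in-scope system", 8),
    WbsItem("2.2", "Review firewall rule base", 6),
    WbsItem("3.1", "Write assessment report", 10),
]
ACTIVITY_LOG = [
    Activity("1.1", "Stakeholder interviews", 4),
    Activity("2.1", "Credentialed scan of in-scope system", 6),
    Activity("", "Troubleshoot crashed critical system", 9),  # unplanned work
    Activity("2.1", "Validate scan results", 4),
]

def scope_variance(wbs, log):
    """Return (out_of_scope, overruns, not_started): logged activities with no
    WBS item, hours over plan keyed by WBS id, and WBS ids with no work yet."""
    planned = {w.wbs_id: w for w in wbs}
    logged, out_of_scope = {}, []
    for act in log:
        if act.wbs_id in planned:
            logged[act.wbs_id] = logged.get(act.wbs_id, 0.0) + act.hours
        else:
            out_of_scope.append(act)
    overruns = {wid: hrs - planned[wid].planned_hours
                for wid, hrs in logged.items() if hrs > planned[wid].planned_hours}
    not_started = [wid for wid in planned if wid not in logged]
    return out_of_scope, overruns, not_started

def scope_creep_detected(wbs, log):
    """Variance worth raising with the customer: any unplanned work or overrun."""
    out_of_scope, overruns, _ = scope_variance(wbs, log)
    return bool(out_of_scope or overruns)
```

Run against the sample log, the unplanned troubleshooting shows up as an out-of-scope activity and item 2.1 as a 2-hour overrun, which is the variance the slide says should trigger a conversation with the customer.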

Summary
  • Security assessments are projects that enable organizations to move closer to their security goal (can be multi-phase)
  • Scoping is the foundation of all planning. Therefore scope management is critical to security assessments’ success
  • Overcome the scope management challenge by applying the five processes: 1) Collect Requirements, 2) Define Scope, 3) Create WBS, 4) Control Scope, 5) Verify Scope
  • Paper in the SANS Reading Room includes more info:

http://www.sans.org/reading_room/whitepapers/auditing/scoping-security-assessments-project-management-approach_33673
