Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Scoping Security Assessments: A Project Management Approach Lack of planning is.

Similar presentations


Presentation on theme: "1 SANS Technology Institute - Candidate for Master of Science Degree 1 Scoping Security Assessments: A Project Management Approach Lack of planning is."— Presentation transcript:

1 1 SANS Technology Institute - Candidate for Master of Science Degree 1 Scoping Security Assessments: A Project Management Approach Lack of planning is actually planning …. It is just planning to fail, that’s all Ahmed Abdel-Aziz September 2011 GIAC (GCIA, GCIH, GSNA, GSEC, GWAPT) CISSP, PMP

2 SANS Technology Institute - Candidate for Master of Science Degree 2 Objective 1) Quick Overview of Security Assessments 2) A Project Management Approach to Assess Security 3) Overcoming the Scope Management Challenge

3 SANS Technology Institute - Candidate for Master of Science Degree 3 What a Security Assessment IS … A security assessment is a measurement of the security posture of a system or organization. It assesses the Technology, People, and Process elements of security using three main methods Section 1 of 3

4 SANS Technology Institute - Candidate for Master of Science Degree 4 Why Perform Security Assessments Section 1 of 3 Enables organization to move closer to its security goal To move towards the target, we need to know where we are now Security assessments are complex projects - Applying proper project management increases likelihood of success

5 SANS Technology Institute - Candidate for Master of Science Degree 5 Manage complex projects by taking phased approach Section 2 of 3 3-Phase Project Management Approach

6 SANS Technology Institute - Candidate for Master of Science Degree 6 Key deliverable for security assessment project is a quality report Section 2 of 3 Security Assessment Key Deliverable Introduction Executive Summary Current Network Security Infrastructure Design Proposed Network Security Infrastructure Design Priority Setting Methodology Security Controls Analysis (Technical – Process – People) High Priority Findings & Recommendations Finding 1 (Process): Recommendation: Option 1: ……… Conclusion

7 SANS Technology Institute - Candidate for Master of Science Degree 7 Section 2 of 3 Tips to Increase Report Value Findings report the security weaknesses identified – Add some positive findings too (not everything is negative) Give a priority setting to negative findings that reflects the associated risk (the higher the risk, the higher the priority) Give multiple options in recommendation whenever possible (customer chooses what works for them) Use report to build a tailored security improvement roadmap (ensuring effective use of security budget)

8 SANS Technology Institute - Candidate for Master of Science Degree 8 Why lack of planning is planning to fail? (see cost in graph) Complex project & no planning -> many costly changes -> probable failure Scoping is the foundation for all planning, that includes aspects of: time, cost, risk, quality, etc. Planning Rests On Scope Management Section 3 of 3

9 SANS Technology Institute - Candidate for Master of Science Degree 9 What Constitutes Scope Management Scope management is defining what work is required, and making sure all of that work, and only that work, is done Scope management consists of five processes: 1)Collect Requirements Process 2)Define Scope Process 3)Create Work-Breakdown-Structure (WBS) Process 4)Control Scope Process 5)Verify Scope Process Following the five processes will allow you to overcome the security assessment scope management challenge Section 3 of 3

10 SANS Technology Institute - Candidate for Master of Science Degree 10 1) Collect Requirements Process Section 3 of 3 Quality is the degree to which requirements are met Two main types of requirements for security assessments: –Requirements Related to End Result of Assessment (specify what needs to be achieved) –Requirements Related to How the Work is Managed (specify high-level rules of engagement) Where do requirements come from?  Stakeholders What to use to collect requirements?  Interviews & Questionnaires. Ensure requirements are documented

11 SANS Technology Institute - Candidate for Master of Science Degree 11 Based on earlier Collect Requirements Process, create a Project Scope Statement to clarify areas where work could easily be misunderstood Advisable to reduce frequency of visits to stakeholders Project Scope Statement states the agreed upon scope, and may include: –Progressive elaboration of security assessment requirements collected in earlier process –Deliverables –Progressive elaboration of acceptance criteria –Project exclusions – to reduce scope creep –Constraints and assumptions Section 3 of 3 2) Define Scope Process

12 SANS Technology Institute - Candidate for Master of Science Degree 12 3) Create WBS Process Section 3 of 3 The project is made more manageable by breaking it down into small components known as a Work Breakdown Structure (WBS) Advisable not to overdo it in decomposition – will lead to non-productive management effort

13 SANS Technology Institute - Candidate for Master of Science Degree 13 4 & 5) Control & Verify Scope Processes Control Scope Process is extremely proactive, but often neglected Controlling scope helps ensure that, at any point in time, scope is being completed according to plan Catch deviations early and quickly get back on track to prevent unnecessary problems Verify Scope Process is customer reviewing and accepting completed deliverables – should be smooth if previous processes were properly applied Section 3 of 3

14 SANS Technology Institute - Candidate for Master of Science Degree 14 Real-Life Example (Controlling Scope) Case (Scope Creep Due to Unexpected Outage) –Background: Security assessor examining information system using vulnerability scanner Another critical system on same network suddenly crashes All eyes turn to assessor – becomes prime suspect !! Assessor starts to investigate and troubleshoot other system Investigation turns out to be lengthy –Applying Control Scope Process: By measuring planned scope against activities completed, a variance is identified – scope creep potential detected Preventive action taken (discuss issue with customer – explain case) Project back on track, no unplanned scope added to project Section 3 of 3

15 SANS Technology Institute - Candidate for Master of Science Degree 15 Summary Security assessments are projects that enable organizations to move closer to their security goal (can be multi-phase) Scoping is the foundation of all planning. Therefore scope management is critical to security assessments’ success Overcome the scope management challenge by applying the five processes: 1) Collect Requirements, 2) Define Scope, 3) Create WBS, 4) Control Scope, 5) Verify Scope Paper in SANS Reading Room Includes More Info assessments-project-management-approach_33673


Download ppt "1 SANS Technology Institute - Candidate for Master of Science Degree 1 Scoping Security Assessments: A Project Management Approach Lack of planning is."

Similar presentations


Ads by Google