
Slide 1: Scoping Security Assessments: A Project Management Approach
SANS Technology Institute - Candidate for Master of Science Degree
"Lack of planning is actually planning... It is just planning to fail, that's all."
Ahmed Abdel-Aziz, September 2011
GIAC (GCIA, GCIH, GSNA, GSEC, GWAPT), CISSP, PMP

Slide 2: Objective
1) Quick overview of security assessments
2) A project management approach to assessing security
3) Overcoming the scope management challenge

Slide 3 (Section 1 of 3): What a Security Assessment IS
- A security assessment is a measurement of the security posture of a system or organization.
- It assesses the Technology, People, and Process elements of security using three main methods.

Slide 4 (Section 1 of 3): Why Perform Security Assessments
- Enables the organization to move closer to its security goal.
- To move towards the target, we need to know where we are now.
- Security assessments are complex projects; applying proper project management increases the likelihood of success.

Slide 5 (Section 2 of 3): 3-Phase Project Management Approach
- Manage complex projects by taking a phased approach.

Slide 6 (Section 2 of 3): Security Assessment Key Deliverable
- The key deliverable of a security assessment project is a quality report.
- Sample report outline:
  Introduction
  Executive Summary
  Current Network Security Infrastructure Design
  Proposed Network Security Infrastructure Design
  Priority Setting Methodology
  Security Controls Analysis (Technical – Process – People)
  High Priority Findings & Recommendations
    Finding 1 (Process): ...
    Recommendation:
      Option 1: ...
  Conclusion

Slide 7 (Section 2 of 3): Tips to Increase Report Value
- Findings report the security weaknesses identified; add some positive findings too (not everything is negative).
- Give each negative finding a priority that reflects the associated risk (the higher the risk, the higher the priority).
- Give multiple options in each recommendation whenever possible (the customer chooses what works for them).
- Use the report to build a tailored security improvement roadmap (ensuring effective use of the security budget).

Slide 8 (Section 3 of 3): Planning Rests On Scope Management
- Why is a lack of planning "planning to fail"? (see the cost curve in the slide's graph)
  Complex project & no planning -> many costly changes -> probable failure
- Scoping is the foundation for all planning, which includes aspects of time, cost, risk, quality, etc.

Slide 9 (Section 3 of 3): What Constitutes Scope Management
- Scope management is defining what work is required, and making sure that all of that work, and only that work, is done.
- Scope management consists of five processes:
  1) Collect Requirements
  2) Define Scope
  3) Create Work Breakdown Structure (WBS)
  4) Control Scope
  5) Verify Scope
- Following the five processes will allow you to overcome the security assessment scope management challenge.

Slide 10 (Section 3 of 3): 1) Collect Requirements Process
- Quality is the degree to which requirements are met.
- Two main types of requirements for security assessments:
  – Requirements related to the end result of the assessment (specify what needs to be achieved)
  – Requirements related to how the work is managed (specify high-level rules of engagement)
- Where do requirements come from? Stakeholders.
- What to use to collect requirements? Interviews & questionnaires.
- Ensure requirements are documented.

Slide 11 (Section 3 of 3): 2) Define Scope Process
- Based on the earlier Collect Requirements process, create a Project Scope Statement to clarify areas where the work could easily be misunderstood.
- Advisable, as it reduces the frequency of visits back to stakeholders.
- The Project Scope Statement states the agreed upon scope, and may include:
  – Progressive elaboration of the security assessment requirements collected in the earlier process
  – Deliverables
  – Progressive elaboration of acceptance criteria
  – Project exclusions, to reduce scope creep
  – Constraints and assumptions

Slide 12 (Section 3 of 3): 3) Create WBS Process
- The project is made more manageable by breaking it down into small components known as a Work Breakdown Structure (WBS).
- Advisable not to overdo the decomposition; too fine a breakdown leads to non-productive management effort.

Slide 13 (Section 3 of 3): 4 & 5) Control & Verify Scope Processes
- The Control Scope process is extremely proactive, but often neglected.
- Controlling scope helps ensure that, at any point in time, scope is being completed according to plan.
- Catch deviations early and quickly get back on track to prevent unnecessary problems.
- The Verify Scope process is the customer reviewing and accepting completed deliverables; it should be smooth if the previous processes were properly applied.

Slide 14 (Section 3 of 3): Real-Life Example (Controlling Scope)
Case: scope creep due to an unexpected outage
– Background:
  A security assessor is examining an information system using a vulnerability scanner.
  Another critical system on the same network suddenly crashes.
  All eyes turn to the assessor, who becomes the prime suspect!
  The assessor starts to investigate and troubleshoot the other system.
  The investigation turns out to be lengthy.
– Applying the Control Scope process:
  By measuring planned scope against the activities completed, a variance is identified: potential scope creep detected.
  Preventive action taken (discuss the issue with the customer and explain the case).
  Project back on track; no unplanned scope added to the project.
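The Define Scope (slide 11) and Control Scope (slides 13 and 14) processes become much easier to apply when the scope statement is written in a form the assessor can check mechanically during the engagement. The following is an added example, not code from the presentation or the SANS paper: it encodes a Project Scope Statement as in-scope networks, explicit exclusions and the activities permitted by the rules of engagement, then compares the planned target list and the hosts actually touched against it, so a deviation such as the slide's troubleshooting detour shows up as a variance while it is still cheap to correct. All networks, addresses and activity records are constructed; the attribute and function names are this example's own.

```python
"""Machine-checkable scope statement for a security assessment (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopeStatement:
    """The agreed scope, as it would be recorded in a Project Scope Statement."""
    in_scope: tuple                # networks the customer authorised us to assess
    exclusions: tuple              # carve-outs that take precedence over in_scope
    allowed_activities: frozenset  # rules of engagement: what the assessor may do


def classify_host(scope: ScopeStatement, host: str) -> str:
    """Return 'excluded', 'in_scope' or 'out_of_scope' for one address.

    Exclusions are checked first: an excluded host inside an authorised range
    must not be touched even though the range as a whole is in scope.
    """
    addr = ipaddress.ip_address(host)
    if any(addr in ipaddress.ip_network(net) for net in scope.exclusions):
        return "excluded"
    if any(addr in ipaddress.ip_network(net) for net in scope.in_scope):
        return "in_scope"
    return "out_of_scope"


def scope_variance(scope: ScopeStatement, planned_targets, activity_log) -> dict:
    """Compare planned scope with the work actually done (Control Scope).

    activity_log is an iterable of (host, activity) pairs kept by the assessor.
    Returns only the non-empty deviation categories; {} means no variance.
    """
    planned = set(planned_targets)
    touched = {host for host, _ in activity_log}
    variance = {
        # planned against an excluded or unauthorised address: a planning error
        "planned_but_out_of_scope": sorted(
            h for h in planned if classify_host(scope, h) != "in_scope"),
        # touched without being in the plan: the classic scope creep signal
        "unplanned_hosts": sorted(touched - planned),
        # touched inside an exclusion or outside every authorised range
        "excluded_or_out_of_scope_touched": sorted(
            h for h in touched if classify_host(scope, h) != "in_scope"),
        # activity the rules of engagement do not cover
        "unauthorized_activities": sorted(
            {(h, a) for h, a in activity_log if a not in scope.allowed_activities}),
        # planned work not yet started: how far the project is from complete
        "planned_not_started": sorted(planned - touched),
    }
    return {kind: items for kind, items in variance.items() if items}


# Constructed example data (not from the presentation).
SCOPE = ScopeStatement(
    in_scope=("10.0.1.0/24", "10.0.2.0/24"),
    exclusions=("10.0.2.250/32",),  # e.g. a production host the customer carved out
    allowed_activities=frozenset({"port_scan", "vuln_scan", "config_review"}),
)
# 10.0.2.250 was mistakenly planned although the scope statement excludes it.
PLANNED_TARGETS = ("10.0.1.15", "10.0.1.16", "10.0.2.20", "10.0.2.250")
# Mirrors the slide's case: while scanning 10.0.1.15, another system on the
# same network (10.0.2.40) crashes and the assessor starts troubleshooting it.
ACTIVITY_LOG = (
    ("10.0.1.15", "port_scan"),
    ("10.0.1.15", "vuln_scan"),
    ("10.0.2.40", "troubleshoot"),
)


def report() -> dict:
    """Run the variance check over the constructed engagement data."""
    return scope_variance(SCOPE, PLANNED_TARGETS, ACTIVITY_LOG)


if __name__ == "__main__":
    for kind, items in report().items():
        print(f"{kind}: {items}")
```

Run during the engagement rather than at delivery, the check surfaces the troubleshooting of 10.0.2.40 both as an unplanned host and as an activity outside the rules of engagement, which is exactly the variance the slide describes the assessor measuring before going back to the customer. It also catches the planning error of listing an excluded address, which is the reason exclusions are evaluated before in-scope ranges.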

Slide 15: Summary
- Security assessments are projects that enable organizations to move closer to their security goal (they can be multi-phase).
- Scoping is the foundation of all planning; therefore scope management is critical to a security assessment's success.
- Overcome the scope management challenge by applying the five processes: 1) Collect Requirements, 2) Define Scope, 3) Create WBS, 4) Control Scope, 5) Verify Scope.
- The paper in the SANS Reading Room includes more information: http://www.sans.org/reading_room/whitepapers/auditing/scoping-security-assessments-project-management-approach_33673

