FRAAP Meeting Checklist

Lab #3
Prepared for
ITIA2300 – Winter 2014
Macomb Community College
Prepared by
Macomb Community College
February 19, 2014
Overview
The following are the deliverables for Part 1 of the Pre-FRAAP Session for the Purchasing Business
Operation segment of AllSeeingEye Aerospace.
Pre-FRAAP Meeting Checklist
PRIOR TO THE MEETING

1. Date of Pre-FRAAP Meeting
Issue: Record when and where the meeting is scheduled
Remarks: September 22-26, 2014; Corporate Headquarters – Hampton, VA

2. Project Executive Sponsor or Owner
Issue: Identify the owner or sponsor who has executive responsibility for the project
Remarks: Brian Macintyre, CEO

3. Project Leader
Issue: Identify the individual who is the primary point of contact for the project or asset under review
Remarks: Rob Johnson, CISO

4. Pre-FRAAP Meeting Objective
Issue: Identify what you hope to gain from the meeting – typically the seven deliverables will be discussed
Remarks: This meeting will focus on the review of the pre-screening results, scope statement, visual diagram of the process being reviewed, the FRAAP team roster, meeting mechanics and logistical requirements, agreement of definitions used during the FRAAP, and a mini-brainstorming session to identify four or five threats for the business attribute in scope for the Purchasing Business Operations of AllSeeingEye Aerospace.

5. Project Overview
Issue: Prepare a project overview for presentation to the pre-FRAAP members during the meeting
Remarks: Illustrate the purpose of the project and its importance to AllSeeingEye Aerospace’s continued success. The project deliverables are to be utilized to enhance the security posture of the company and ensure that the purchasing business operation continues to provide raw materials, services, and components to the manufacturing process.

Issue: Your understanding of the project scope
Remarks: Review the project scope with the Project Owner to ensure that as the Facilitator we are on the same page.

Issue: The FRAAP methodology
Remarks: Review the FRAAP methodology with the pre-FRAAP members, specifically the Project Owner and Project Lead, and its importance in meeting the objectives of the business.

Issue: Milestones
Remarks: Review what are to be considered project milestones, to use as a measurement tool for progress and timing.

Issue: Pre-screening methodology
Remarks: Review the pre-screening methodology to be used in this analysis. In this case, this is an impact analysis on the Purchasing Business Operation with regard to data sensitivity, resource impact (financially, internally and externally), and customer impact.

6. Assumptions
Issue: Identify assumptions used in developing the approach to performing the FRAAP project
Remarks: It is assumed that there is a tested information security policy in place, an infrastructure risk assessment has been completed and standards of control implemented. It is also assumed that a Project Impact Analysis (PIA) has been performed and has an active budget.

7. Pre-screening Results
Issue: Record the results of the pre-screening process
Remarks: Pre-screening results are to be presented utilizing the pre-screening matrix.

DURING THE MEETING

8. Business Strategy, Goals and Objectives
Issue: Identify what the owner’s objectives are and how they relate to larger company objectives
Remarks: The Project Owner’s objectives are to ensure that the Purchasing Business Operation’s risks have been identified and remediating controls are in place to support all purchasing activities. This relates to the larger company objectives by ensuring that the final product is shipped on time and of expected quality to the customer.

9. Project Scope
Issue: Define specifically the scope of the project and document it during the meeting so that all participating will know and agree
Remarks: Within project scope are the building facilities, personnel, operational flow, manufacturing facilities, and information systems that support the Purchasing Business Operation. All other business operations not mentioned are to be excluded.

10. Time Dependencies
Issue: Identify time limitations and considerations the client may have
Remarks: Time dependencies for this project require project completion by December 20, 2014. New model production begins during the first quarter of 2015 and manufacturing requires this project complete for all purchasing activities.

11. Risks/Constraints
Issue: Identify risks and/or constraints that could affect the successful conclusion of the project
Remarks: Risks that could affect a successful conclusion of the project include the unavailability of the Project Owner and Project Lead due to sickness or death. Additional risks are inaccessibility to the meeting location due to travel constraints, weather, or natural/manmade disaster.

12. Budget
Issue: Identify any open budget/funding issues
Remarks: Funding is limited but has the necessary backing of the CEO and CFO to meet project completion goals.

13. FRAAP Participants
Issue: Identify by name and position the individuals whose participation in the FRAAP session is required
Remarks:
Brian Macintyre, CEO
Steve Macintyre, Vice Chairman
Ron Wilkerson, CFO
John Geneva, CIO
Rob Johnson, CISO
Lindsey Riley, COO
Adam Cerivo, Purchasing Manager
Melanie Hydron, Quality Manager
Alexander Stovl, Accounting Dept Head
Judith Kersmaker, Accounting Dept Head
Michael Sokorski, Security Analyst
Rebecca Dorian, Security Technician
Jake Ellen, Warehouse Manager
Sean Hodgkins, Shipping Manager
John Mcdowell, Sales Manager
Eric Smith, Legal
Joe Whittaker, Scribe
John Toth, FRAAP Facilitator
Keith Thome, FRAAP Facilitator

14. Administrative Requirements
Issue: Identify facility and/or equipment needs to perform the FRAAP session
Remarks: Attendees will be provided note taking materials and lunch. Internet will be provided via a secure wireless guest network for those that wish to utilize their laptops and tablets. An overhead that can attach to a laptop will be used for any on-screen presentations required.

15. Documentation
Issue: Identify what documentation is required to prepare for the FRAAP session (provide the client the FRAAP Document Checklist)
Remarks: The following AllSeeingEye Aerospace documents are required for the FRAAP session:
- Information Security Policy
- Project Impact Analysis
- Quality Control Manual
- Approved Vendor List

Pre-Screening Matrix
Impact Value    Feature       Description (Longest Tolerable Outage)
5               Purchasing    Less Than 1 Day
4               Sales         1-2 Days
3               Shipping      2-3 Days
2               Production    3-4
1               R&D           1 Week

Scope Statement
Raw material and component procurement is critical to the manufacturing of AllSeeingEye
Aerospace’s end product. As such, the purpose of this project is to perform a risk analysis on the
Purchasing Business Operation of AllSeeingEye Aerospace. Within project scope are the
building facilities, personnel, operational flow, and manufacturing facilities including runway,
and information systems that support this business operation. All other business operations not
mentioned are to be excluded. The direct project customers are the CEO, CFO, and COO of
AllSeeingEye Aerospace. Project deliverables will include identifiable threats, appropriate risk
levels, and possible controls to remediate identified threats to all elements listed in scope. Project
resource personnel will require the inclusion of the CEO, CISO, CFO, COO, and Quality
Manager. Project resource equipment will require access to the aforementioned building facilities,
manufacturing area, and information systems within scope. Project constraints will require that
all applicable United States and German laws regarding the import and export of raw materials
and components are adhered to. Project success is achieved by ensuring delivery to the customer
on time, within budget, and with remediating controls in place. Resource limitations may be
present based on any classified project that may be underway at the facility, thus barring the
project team’s access.
Visual Diagram
FRAAP Team
Name, Title: Duties

Brian Macintyre, CEO: Primary stakeholder of the company and charged with the profitable management and operation of the company.
Steve Macintyre, Vice Chairman: Secondary stakeholder of the company and charged with the profitable management and operation of the company.
Ron Wilkerson, CFO: Responsible for all finance related processes of the company.
John Geneva, CIO: Responsible for all information technology components of the company.
Rob Johnson, CISO: Responsible for all information security related components of the company.
Lindsey Riley, COO: Responsible for the daily operations of the entire company.
Adam Cerivo, Purchasing Manager: Manages the purchasing of product, services and raw materials for inclusion in product manufacturing.
Melanie Hydron, Quality Manager: Management of ISO registered quality system.
Alexander Stovl, Accounting Dept Head: Oversees all accounting functions.
Judith Kersmaker, Accounting Dept Head: Oversees all accounting functions.
Michael Sokorski, Security Analyst: Oversees daily information security operations.
Rebecca Dorian, Security Technician: Performs daily routine security related tasks.
Jake Ellen, Warehouse Manager: Manages the storage and process of inventory.
Sean Hodgkins, Shipping Manager: Manages the shipping and receiving of inventory.
John Mcdowell, Sales Manager: Manages the acquisition and retention of customers.
Eric Smith, Legal: Advises on all legal aspects of the company’s activities.
Joe Whittaker, Scribe: Responsible for recording the oral discussions during the meeting in a written format. Ensures that the threats are properly recorded and all actions of the risk assessment team are captured accurately.
John Toth, FRAAP Facilitator: Ensure that team members communicate effectively and adhere to the project scope.
Keith Thome, FRAAP Facilitator: Ensure that team members communicate effectively and adhere to the project scope.

Meeting Mechanics
The Pre-FRAAP Meeting will be held at our headquarters in Hampton, VA on September 22-26,
2014, 8am-5pm with a one hour lunch break at 12pm. The meeting will be held in the main
conference room on the first floor. Attendees will be provided note taking materials and lunch.
Internet will be provided via a secure wireless guest network for those that wish to utilize their
laptops and tablets. An overhead that can attach to a laptop will be used for any on-screen presentations required. Travel arrangements will be provided and include lodging and
transportation between the hotel and office. The secretaries and department heads will set up the
conference room in advance to ensure it is ready.
Agreements of Definitions
Term: Definition

Asset: A resource of value. An asset may be a person, physical object, process or technology.
Impact: The effect of a threat being carried out on an asset, expressed in tangible or intangible terms.
Key Business Activities: Those activities essential to deliver outputs and achievement of business objectives.
Probability: A measure of how likely it is that a threat may occur.
Resources: The means that support delivery of an identifiable output and/or result. Resources may be money, physical assets, or most importantly, people.
Risk: The combination of threat, probability, and impact expressed as a value in a pre-defined range.
Risk Management: The process of defining and analyzing risks, and then deciding on the appropriate course of action in order to minimize these risks, whilst still achieving business goals.
Threat: The potential for an event, malicious or otherwise, that would damage or compromise an asset.
Vulnerability: Any flaw or weakness in the asset’s defenses that could be exploited by a threat to create an impact on the asset.

Mini-Brainstorming Threats
1. Suppliers discontinue product that is used or is an integral part of product design.
2. Damage or destruction of facility.
3. Credit Limit from vendor, new or current.
4. Purchasing more than what is needed or being turned into profit.
5. Wrong or defective parts from supplier, or misinformed about needed parts.
6. Not enough money to purchase goods.
7. Data center compromise.