Scoping Security Assessments: A Project Management Approach

"Lack of planning is actually planning …. It is just planning to fail, that's all."

Ahmed Abdel-Aziz
September 2011
GIAC (GCIA, GCIH, GSNA, GSEC, GWAPT), CISSP, PMP
SANS Technology Institute - Candidate for Master of Science Degree

Objective
1) Quick Overview of Security Assessments
2) A Project Management Approach to Assess Security
3) Overcoming the Scope Management Challenge

Section 1 of 3: What a Security Assessment IS …
• A security assessment is a measurement of the security posture of a system or organization.
• It assesses the Technology, People, and Process elements of security using three main methods.

Section 1 of 3: Why Perform Security Assessments
• Enables the organization to move closer to its security goal
• To move towards the target, we need to know where we are now
• Security assessments are complex projects; applying proper project management increases the likelihood of success

Section 2 of 3: 3-Phase Project Management Approach
• Manage complex projects by taking a phased approach

Section 2 of 3: Security Assessment Key Deliverable
• The key deliverable of a security assessment project is a quality report. Sample report outline:
  • Introduction
  • Executive Summary
  • Current Network Security Infrastructure Design
  • Proposed Network Security Infrastructure Design
  • Priority Setting Methodology
  • Security Controls Analysis (Technical – Process – People)
  • High Priority Findings & Recommendations
    • Finding 1 (Process):
      • Recommendation:
        • Option 1: ………
  • Conclusion

Section 2 of 3: Tips to Increase Report Value
• Findings report the security weaknesses identified; add some positive findings too (not everything is negative)
• Give negative findings a priority setting that reflects the associated risk (the higher the risk, the higher the priority)
• Give multiple options in each recommendation whenever possible (the customer chooses what works for them)
• Use the report to build a tailored security improvement roadmap (ensuring effective use of the security budget)

Section 3 of 3: Planning Rests On Scope Management
• Why is lack of planning planning to fail? (see cost in graph)
  Complex project & no planning -> many costly changes -> probable failure
• Scoping is the foundation for all planning, which includes aspects of time, cost, risk, quality, etc.

Section 3 of 3: What Constitutes Scope Management
• Scope management is defining what work is required, and making sure all of that work, and only that work, is done
• Scope management consists of five processes:
  1) Collect Requirements Process
  2) Define Scope Process
  3) Create Work-Breakdown-Structure (WBS) Process
  4) Control Scope Process
  5) Verify Scope Process
• Following the five processes will allow you to overcome the security assessment scope management challenge

Section 3 of 3: 1) Collect Requirements Process
• Quality is the degree to which requirements are met
• Two main types of requirements for security assessments:
  – Requirements related to the end result of the assessment (specify what needs to be achieved)
  – Requirements related to how the work is managed (specify high-level rules of engagement)
• Where do requirements come from? Stakeholders
• What to use to collect requirements? Interviews & questionnaires. Ensure requirements are documented

Section 3 of 3: 2) Define Scope Process
• Based on the earlier Collect Requirements Process, create a Project Scope Statement to clarify areas where the work could easily be misunderstood
• Advisable, as it reduces the frequency of return visits to stakeholders
• The Project Scope Statement states the agreed-upon scope, and may include:
  – Progressive elaboration of the security assessment requirements collected in the earlier process
  – Deliverables
  – Progressive elaboration of acceptance criteria
  – Project exclusions (to reduce scope creep)
  – Constraints and assumptions

Section 3 of 3: 3) Create WBS Process
• The project is made more manageable by breaking it down into small components known as a Work Breakdown Structure (WBS)
• Advisable not to overdo the decomposition; excessive decomposition leads to non-productive management effort

Section 3 of 3: 4 & 5) Control & Verify Scope Processes
• The Control Scope Process is extremely proactive, but often neglected
• Controlling scope helps ensure that, at any point in time, scope is being completed according to plan
• Catch deviations early and quickly get back on track to prevent unnecessary problems
• The Verify Scope Process is the customer reviewing and accepting completed deliverables; it should be smooth if the previous processes were properly applied

Section 3 of 3: Real-Life Example (Controlling Scope)
• Case (Scope Creep Due to Unexpected Outage)
  – Background:
    • Security assessor is examining an information system using a vulnerability scanner
    • Another critical system on the same network suddenly crashes
    • All eyes turn to the assessor, who becomes the prime suspect!!
    • Assessor starts to investigate and troubleshoot the other system
    • The investigation turns out to be lengthy
  – Applying the Control Scope Process:
    • By measuring planned scope against activities completed, a variance is identified: scope creep potential detected
    • Preventive action taken (discuss the issue with the customer and explain the case)
    • Project back on track, no unplanned scope added to the project

Summary
• Security assessments are projects that enable organizations to move closer to their security goal (can be multi-phase)
• Scoping is the foundation of all planning. Therefore scope management is critical to security assessments' success
• Overcome the scope management challenge by applying the five processes: 1) Collect Requirements, 2) Define Scope, 3) Create WBS, 4) Control Scope, 5) Verify Scope
• Paper in the SANS Reading Room includes more info: http://www.sans.org/reading_room/whitepapers/auditing/scoping-securityassessments-project-management-approach_33673