Scoping Security Assessments:
A Project Management Approach
Lack of planning is actually planning …. It is just planning to fail, that’s all
Ahmed Abdel-Aziz
September 2011
GIAC (GCIA, GCIH, GSNA, GSEC, GWAPT)
CISSP, PMP
SANS Technology Institute - Candidate for Master of Science Degree
Objective
1) Quick Overview of Security Assessments
2) A Project Management Approach to Assess Security
3) Overcoming the Scope Management Challenge
Section 1 of 3
What a Security Assessment IS …
• A security assessment is a measurement of the security
posture of a system or organization.
• It assesses the Technology, People, and Process elements of
security using three main methods
Section 1 of 3
Why Perform Security Assessments
• Enables an organization to move closer to its security goal
• To move towards the target, we need to know where
we are now
• Security assessments are complex projects – applying
proper project management increases the likelihood of
success
Section 2 of 3
3-Phase Project Management Approach
• Manage complex projects by taking a phased approach
Section 2 of 3
Security Assessment Key Deliverable
• Key deliverable for security assessment project is a quality report
• Introduction
• Executive Summary
• Current Network Security Infrastructure Design
• Proposed Network Security Infrastructure Design
• Priority Setting Methodology
• Security Controls Analysis (Technical – Process – People)
• High Priority Findings & Recommendations
  – Finding 1 (Process):
    – Recommendation:
      – Option 1:
      – ………
• Conclusion
Section 2 of 3
Tips to Increase Report Value
• Findings report the security weaknesses identified – add
some positive findings too (not everything is negative)
• Give a priority setting to negative findings that reflects the
associated risk (the higher the risk, the higher the priority)
• Give multiple options in recommendations whenever
possible (the customer chooses what works for them)
• Use the report to build a tailored security improvement
roadmap (ensuring effective use of the security budget)
Section 3 of 3
Planning Rests On Scope Management
• Why is lack of planning planning to fail?
(see cost in graph)
Complex project & no planning -> many costly changes -> probable failure
• Scoping is the foundation for all planning, which includes
aspects of time, cost, risk, quality, etc.
Section 3 of 3
What Constitutes Scope Management
• Scope management is defining what work is required, and
making sure all of that work, and only that work, is done
• Scope management consists of five processes:
  1) Collect Requirements Process
  2) Define Scope Process
  3) Create Work-Breakdown-Structure (WBS) Process
  4) Control Scope Process
  5) Verify Scope Process
• Following the five processes will allow you to overcome
the security assessment scope management challenge
Section 3 of 3
1) Collect Requirements Process
• Quality is the degree to which requirements are met
• Two main types of requirements for security assessments:
– Requirements Related to End Result of Assessment
(specify what needs to be achieved)
– Requirements Related to How the Work is Managed
(specify high-level rules of engagement)
• Where do requirements come from? Stakeholders
• What to use to collect requirements? Interviews &
questionnaires. Ensure requirements are documented
Section 3 of 3
2) Define Scope Process
• Based on earlier Collect Requirements Process, create a Project
Scope Statement to clarify areas where work could easily be
misunderstood
• Advisable to reduce frequency of visits to stakeholders
• Project Scope Statement states the agreed-upon scope, and may
include:
  – Progressive elaboration of security assessment requirements
  collected in the earlier process
  – Deliverables
  – Progressive elaboration of acceptance criteria
  – Project exclusions – to reduce scope creep
  – Constraints and assumptions
Section 3 of 3
3) Create WBS Process
• The project is made more manageable by breaking it
down into small components known as a Work
Breakdown Structure (WBS)
• Advisable not to overdo the decomposition – doing so leads
to non-productive management effort
Section 3 of 3
4 & 5) Control & Verify Scope Processes
• Control Scope Process is extremely proactive, but often
neglected
• Controlling scope helps ensure that, at any point in time,
scope is being completed according to plan
• Catch deviations early and quickly get back on track to
prevent unnecessary problems
• Verify Scope Process is customer reviewing and accepting
completed deliverables – should be smooth if previous
processes were properly applied
Section 3 of 3
Real-Life Example (Controlling Scope)
• Case (Scope Creep Due to Unexpected Outage)
– Background:
• Security assessor examining information system using vulnerability
scanner
• Another critical system on same network suddenly crashes
• All eyes turn to the assessor – who becomes the prime suspect!
• Assessor starts to investigate and troubleshoot other system
• Investigation turns out to be lengthy
– Applying Control Scope Process:
• By measuring planned scope against activities completed, a variance
is identified – scope creep potential detected
• Preventive action taken (discuss issue with customer – explain case)
• Project back on track, no unplanned scope added to project
Summary
• Security assessments are projects that enable organizations
to move closer to their security goal (can be multi-phase)
• Scoping is the foundation of all planning. Therefore scope
management is critical to security assessments’ success
• Overcome the scope management challenge by applying the
five processes: 1) Collect Requirements, 2) Define Scope, 3)
Create WBS, 4) Control Scope, 5) Verify Scope
• The paper in the SANS Reading Room includes more information:
http://www.sans.org/reading_room/whitepapers/auditing/scoping-securityassessments-project-management-approach_33673