
APPENDIX A
The Process Project Plan
Copyright 2001 The McGraw-Hill Companies, Inc.
In Chapter 7, we talked about the information security process. In that chapter, five phases were identified in the process:
▼ Assessment
▼ Policy
▼ Implementation
▼ Training
▼ Audit
The process is a wonderful concept, but I sometimes find that the actual doing of the
process is not as obvious as the process itself. This appendix is intended to lay out how
the process might be performed at an organization.
For this discussion, let's assume that we are talking about a mid-sized organization (500 employees, several locations in the eastern portion of the United States). The industry does not matter for this discussion. We will assume that the organization wishes to improve its security posture and has given the security officer of the company a year to accomplish something.
The question is: what can we accomplish in a year? The short answer is: a lot. Of
course, exactly what is accomplished depends upon the risks to the organization and the
amount of resources the organization is willing to put against the problem. For this discussion, we will assume that the management of the organization is behind this effort and the resources provided to the security officer are appropriate for the project.
Figure A-1 shows the very high-level project plan for the security project. As you can see from the plan, the process is followed but the steps in the process are not conducted in serial order but rather in parallel. As we talk about what is being done later in this discussion, you will begin to see why this can and should be done.

Figure A-1. High-level security project plan
I have also divided the project plan into phases. Specifically, there are four major phases of the project:
▼ Assessment
▼ Critical fixes
▼ Update
▼ Ongoing work
The reason I divide the project into these four phases is that each marks a change in
the mindset of the security team charged with the overall security project. The following
sections detail what is done in each phase of the project.
ASSESSMENT PHASE
The initial assessment of the organization is the only part of the project that must be done in serial order. The initial assessment identifies the risks present in the organization and also recommends changes to manage this risk. When starting a security project such as this, the assessment is very important for the organization, as it will define the direction of the project plan and may fill out the details of the remaining three phases.
Figure A-2 shows a project plan for the assessment. The calendar time for the assess-
ment will depend on the size of your organization. At a minimum, the project plan
should allow for 30 days. This time could easily expand to two or three months for large
assessments. If the assessment is likely to last longer than this, it is best to break it up so
that some results come back to the organization within two months.
The assessment project plan has four primary tasks:
▼ Planning
▼ Information gathering
▼ Analysis
▼ Presentation
Planning
The planning task is used to map out how the assessment will be performed. During this task, the individuals performing the assessment will try to identify who in the organization should be interviewed as well as the key locations to visit. Normally, this task is performed jointly between the individuals performing the assessment and the security officer of the organization. It is the security officer who will be able to provide guidance as to who in the organization will have the information needed for the assessment.
Information Gathering
Once the planning is complete, the assessment team will begin gathering information. Some of this information will be paper, such as existing policies and procedures and network diagrams. Most of the information will come through interviews. The schedule should allow approximately one hour for each interview and about six interviews per day. The assessment team should assign two members for each interview.
The team may also use tools to identify the state of security on various systems. The tools may include commercially available vulnerability scanners or scanning tools that are freely available on the Internet. Any scanning should be explicitly authorized by the organization during the planning task and scheduled so that it does not disrupt production systems.
Analysis
As the information gathering is continuing, the assessment team will begin the analysis of
the information. It is helpful to do this while the information gathering is still going on so
that the team can ask for clarifications on points that are unclear or for more information
if the early analysis uncovers something of interest.
The analysis continues for some period of time after the information gathering is complete. During this part of the task, the team will attempt to assimilate all of the information that was gathered and to rank the risks to the organization. Measuring the risk is often the most difficult part of this task, as the cost of a successful exploitation of a vulnerability may be hard to measure.

Figure A-2. Assessment project plan
Finally, the team will put all of the information on risks and recommendations into a
report that is provided to the organization. Often the team will provide a draft report to
the security officer for an initial review to make sure that details about the organization
are correct.
Presentation
The final task of the assessment phase is the presentation of the assessment report.
Ideally, this presentation will be scheduled with senior members of the organization’s
management team as well as the security officer.

The organization should then review the report and determine if the report is correct so it can form the basis of the detailed project plan for phases 2 through 4. If this is the case, the security officer should develop a detailed project plan for the remainder of the year.
CRITICAL FIXES PHASE
Phase 2 of the security project plan is also called the critical fixes phase. This phase typically lasts between two weeks and three months, depending on the number of critical tasks and the type of organization. During phase 2, the organization is correcting vulnerabilities that meet two criteria:
▼ They are critical to the security of the organization.
▼ They can be quickly corrected.
Figure A-3 shows the detail associated with this phase of the project plan. The following sections go into more detail on each of the security process task areas.
Assessment
No new assessment tasking will be performed during this phase. However, there should
be continued review of the findings of the initial assessment and this review should feed
into the detailed project plans for the upcoming phases of the project.
Policy
Policy is often identified as an important issue within organizations. During the critical fixes phase, two policies should be specifically addressed: the Information Policy and the Security Policy. The reason for this is that these policies have a great effect on the computer users of the organization as well as the administrators, and they form the basis for security-awareness training classes.