Network System Security, part 51


tion that was gathered and to rank the risks to the organization. Measuring the risk is
often the most difficult part of this task as the cost of a successful exploitation of a
vulnerability may be hard to measure.
Finally, the team will put all of the information on risks and recommendations into a
report that is provided to the organization. Often the team will provide a draft report to
the security officer for an initial review to make sure that details about the organization
are correct.
Presentation
The final task of the assessment phase is the presentation of the assessment report.
Ideally, this presentation will be scheduled with senior members of the organization’s
management team as well as the security officer.
The organization should then review the report and determine if the report is correct
so it can form the basis of the detailed project plan for phases 2 through 4. If this is
the case, the security officer should develop a detailed project plan for the remainder of
the year.
CRITICAL FIXES PHASE
Phase 2 of the security project plan is also called the critical fixes phase. This phase
typically lasts between two weeks and three months, depending on the number of critical
tasks and the type of organization. During phase 2, the organization is correcting
vulnerabilities that meet two criteria:
▼ They are critical to the security of the organization.
■ They can be quickly corrected.
Figure A-3 shows the detail associated with this phase of the project plan. The following
sections go into more detail on each of the security process task areas.
Assessment
No new assessment tasking will be performed during this phase. However, there should
be continued review of the findings of the initial assessment and this review should feed
into the detailed project plans for the upcoming phases of the project.
Policy
Policy is often identified as an important issue within organizations. During the critical
fixes phase, two policies should be specifically addressed: the Information Policy and the
Security Policy. The reason for this is that these policies have a great effect on the
computer users of the organization as well as the administrators, and they form the basis for
security-awareness training classes.
Appendix A: The Process Project Plan
347
348
Network Security: A Beginner’s Guide
If resources allow, these two policies can be developed in parallel. Based on the
necessary review and approval cycles in your organization, it may take as little as a week to
develop a policy or as much as two months. However, it is critical to develop the policy in
such a way that the organization will buy into it and follow the policy (see Chapter 5 for
more detail on policy development).
Implementation
During the critical fixes phase, system administrators will be correcting serious
vulnerabilities in their systems. This should be a top priority for the administrators. Make sure
each system is identified properly and that there are detailed instructions on how each
vulnerability should be fixed. Many can be corrected by installing the latest patches from
the computer system or software vendor; each fix should then be verified on the system
rather than assumed to have closed the vulnerability.
Also as part of the implementation task, some extremely important new hardware or
software implementations may occur. For example, if the assessment identified an
unprotected network connection, the project plan may call for the immediate procurement
and implementation of a firewall. However, most procurements for increasing security
will take place in later phases of the project.

Training
There is no specific training task associated with the critical fixes phase of the project.
However, the development of the security-awareness training classes for employees may
begin as the information and security policies near completion. More likely, most of the
work here will take place in the next phase.
Figure A-3.
Detailed project plan for the critical fixes phase
Audit
There is no specific audit task for the critical fixes phase of the project plan. Some
planning for future compliance checking may occur as the information and security policies
are completed.
UPDATE PHASE
The update phase of the security project begins once the critical fixes have been
completed. During the update phase of the project, the less immediate security issues are
dealt with. The overall security at the organization should be improving by this time.
Most of the high-risk issues should have either been corrected or in some other way
mitigated. The update phase may last two to six months (see Figure A-4).
Assessment
During the update phase, the Security department should begin working with
departments that are deploying or building new projects. The idea is for Security to be involved
in projects early on in their lifecycles. New project requirements should reflect the
security policy and the Security department should provide assistance in the design of new
systems.
Figure A-4.
Update phase project plan

Policy
The remaining policies and procedures that are necessary for the organization should be
developed. These will include
▼ Use policies
■ Incident response procedures
■ User management procedures
■ Disaster recovery plans
The development of a DRP is a long process that will require the assistance of other
departments within the organization. It is likely that development of the DRP will be
started but not completed during the update phase.
Implementation
Now that the security policy is complete, the system administrators should be working
with the Security department to make sure that their systems comply with the security
policy. In addition, less serious vulnerabilities should be fixed on all computer systems.
During the update phase, any procurements of new security systems should be
started. Depending on the organization, procurement of new hardware and software
products can take a fair amount of time as vendors and products are evaluated, the RFP
sent out for bid, and the bids evaluated.
Training
The security-awareness training class should be completed and reflect the user
requirements of the information and security policies. At the same time, an awareness program
that includes posters and newsletter articles should be started.
Once the security-awareness training class is completed, it should be taught first to
new employees as part of the new employee orientation program. This will provide a
way to pilot the classes and to train internal trainers. Next, the training program should
be rolled out to all employees. This will require a training schedule that eventually
includes all employees. Depending on the number of employees in your organization, it
may take six to nine months to run all of them through the security-awareness program.
Also in this phase, security reporting to senior management should begin with a
regular executive security briefing.
NOTE: Reporting on project status should begin with the project. However, these meetings will
provide information to senior management on the status of security within the organization.
Audit
The audit program is now beginning to define its procedures and structure to manage the
compliance with organization policies. By the end of the update phase, the audit program
should have well-defined procedures for monitoring the security of the computer
systems as well as a developed compliance program.
ONGOING WORK PHASE
The final phase of the security project is the ongoing work phase. Simply put, all of the
policies, procedures, and processes that have been put in place now have to work to
maintain the security of the organization.
Assessment
The Security department maintains its relationship with development and continues to
advise on security regarding new projects. At the same time, an assessment schedule is
developed to provide regular assessments of the organization, individual departments or
locations, and systems as necessary.
Policy
With the exception of the DRP (which may take more time), all of the significant security
policies and procedures should be complete by this phase. The Security department
should establish regular review dates for all policies and follow the schedule.

Testing of the Incident Response Plan and the DRP (when complete) must now
proceed. Regular test plans, both announced and unannounced, should commence and
continue at regular intervals.
Implementation
System administrators should be making necessary security changes to systems. These
changes may be instigated by the identification of a new vulnerability or by the
identification of a non-compliance issue. System administrators should be looking at systems to
identify suspicious activity and investigate that activity with the help of the Security
department.
Training
The awareness program of posters and newsletter articles should be in full swing. The
security-awareness training classes should cover new employees, existing employees,
executives, and the technical staff. Schedules of classes should be established so that every
employee receives a refresher class at least every two years. Classes for executives should
include briefings on the state of security within the organization.
Audit
The security policy–compliance program should now be in full swing. Each system
within the organization should be checked for policy compliance on a regular basis. At
the same time, regular system monitoring and network monitoring should be performed
to watch for signs of suspicious activity.