IT Security Project Management Handbook, Susan Snedaker (Syngress)



Visit us at
www.syngress.com
Syngress is committed to publishing high-quality books for IT Professionals and
delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase
via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can
access our Web pages. There you will find an assortment
of value-added features such as free e-booklets related to the topic of this book,
URLs of related Web sites, FAQs from the book, corrections, and any updates from
the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of
some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect
way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration,
CyberCrime Investigation, Open Source Security, and Firewall Configuration, to
name a few.

DOWNLOADABLE EBOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies,
and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt
books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our ebooks onto servers
in corporations, educational institutions, and large organizations. Contact us at
for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress
books, as well as their own content, into a single volume for their own internal use.
Contact us at for more information.



Syngress

IT Security
Project
Management
Handbook

Susan Snedaker
Russ Rogers Technical Editor


Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be
obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is
sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to
state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out from the Work or its contents. Because some states do not
allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation
may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The
Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is
to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned
in this book are trademarks or service marks of their respective companies.
KEY   SERIAL NUMBER
001   HJIRTCV764
002   PO9873D5FG
003   829KM8NJH2
004   BC1289MPQV
005   CVPLQ6WQ23
006   VBP965T5T5
007   HJJJ863WD3E
008   2987GVTWMK
009   629MP5SDJT
010   IMWQ295T6T


PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Syngress IT Security Project Management

Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Printed in Canada. Except as permitted
under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any
form or by any means, or stored in a database or retrieval system, without the prior written permission of
the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in Canada.
1 2 3 4 5 6 7 8 9 0
ISBN: 1-59749-076-8
Publisher: Andrew Williams
Acquisitions Editor: Jaime Quigley, Erin Heffernan
Technical Editor: Russ Rogers
Cover Designer: Michael Kavish

Page Layout and Art: Patricia Lupien
Copy Editor: Judy Eby
Indexer: Odessa&Cie

Distributed by O’Reilly Media, Inc. in the United States and Canada.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights,
at Syngress Publishing; email or fax to 781-681-3585.


Acknowledgments
Syngress would like to acknowledge the following people for their kindness

and support in making this book possible.
Syngress books are now distributed in the United States and Canada by
O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible,
and we would like to thank everyone there for their time and efforts to bring
Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike
Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol
Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle
Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal
Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue
Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki,
Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.
The incredibly hardworking team at Elsevier Science, including Jonathan
Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti,
Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista
Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David
Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek,
Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris
Reinders for making certain that our vision remains worldwide in scope.
David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai
Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors
for the enthusiasm with which they receive our books.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer,
Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane
for distributing our books throughout Australia, New Zealand, Papua New
Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.





Author
Susan Snedaker (MBA, BA, MCSE, MCT, CPM) is Principal
Consultant and founder of VirtualTeam Consulting, LLC (www.virtualteam.com), a consulting firm specializing in business and technology consulting. The company works with companies of all sizes
to develop and implement strategic plans, operational improvements
and technology platforms that drive profitability and growth. Prior
to founding VirtualTeam in 2000, Susan held various executive and
technical positions with companies including Microsoft, Honeywell,
Keane, and Apta Software. As Director of Service Delivery for
Keane, she managed 1200+ technical support staff delivering phone
and email support for various Microsoft products including
Windows Server operating systems. She is author of How to Cheat at
IT Project Management (Syngress Publishing, ISBN: 1-597490-37-7)
The Best Damn Windows Server 2003 Book Period (Syngress, ISBN: 1931836-12-4) and How to Cheat at Managing Windows Small Business
Server 2003 (Syngress, ISBN: 1-932266-80-1). She has also written
numerous technical chapters for a variety of Syngress Publishing
books on Microsoft Windows and security technologies and has
written and edited technical content for various publications. Susan
has developed and delivered technical content from security to telephony, TCP/IP to WiFi, CIW to IT project management and just
about everything in between (she admits a particular fondness for
anything related to TCP/IP).
Susan holds a master’s degree in business administration and a
bachelor’s degree in management from the University of Phoenix.
She also holds a certificate in advanced project management from
Stanford University. She holds Microsoft Certified Systems Engineer
(MCSE) and Microsoft Certified Trainer (MCT) certifications.
Susan is a member of the Information Technology Association of
Southern Arizona (ITASA) and the Project Management Institute
(PMI).



Technical Editor
Russ Rogers (CISSP, CISM, IAM, IEM, HonScD) is the author of the
popular Hacking a Terror Network (Syngress Publishing, ISBN 1928994-98-9), co-author on multiple other books including the best
selling Stealing the Network: How to Own a Continent (Syngress, ISBN
1-931836-05-1) and Network Security Evaluation Using the NSA IEM
(Syngress, 1-597490-35-0), and Editor in Chief of The Security
Journal. He is Co-Founder, Chief Executive Officer, and Chief
Technology Officer of Security Horizon, a veteran-owned small
business based in Colorado Springs, CO. Russ has been involved in
information technology since 1980 and has spent the last 15 years
working professionally as both an IT and INFOSEC consultant.
Russ has worked with the United States Air Force (USAF),
National Security Agency (NSA), and the Defense Information
Systems Agency (DISA). He is a globally renowned security expert,
speaker, and author who has presented at conferences around the
world including Amsterdam, Tokyo, Singapore, Sao Paulo, and cities
all around the United States.
Russ has an Honorary Doctorate of Science in Information
Technology from the University of Advancing Technology, a Masters
Degree in Computer Systems Management from the University of
Maryland, a Bachelor of Science in Computer Information Systems
from the University of Maryland, and an Associate Degree in
Applied Communications Technology from the Community
College of the Air Force. He is a member of both ISSA and ISACA
and co-founded the Global Security Syndicate (gssyndicate.org), the
Security Tribe (securitytribe.com), and acts in the role of professor
of network security for the University of Advancing Technology
(uat.edu).




Russ would like to thank his father for his lifetime of guidance,
his kids (Kynda and Brenden) for their understanding, and Michele
for her constant support. A great deal of thanks goes to Andrew
Williams and Jaime Quigley from Syngress Publishing for the abundant opportunities and trust they give me. Shouts go out to UAT,
Security Tribe, the GSS, the Defcon Groups, and the DC Forums.
I’d like to also thank my friends, Chris, Greg, Michele, Ping, Pyr0,
and everyone in #dc-forums that I don’t have room to list here.

Special Contributors
A special thank you to the following authors for contributing their
expertise to various sections of this book: Bryan Cunningham,
Principal at the Denver law firm of Morgan & Cunningham LLC,
Norris Johnson, Mike Rash, Frank Thornton, Chris Hurley, and
Mike O’Dea.



Contents

Foreword. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Chapter 1 IT Security Project
Management Building Blocks . . . . . . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2

Corporate Security Project Plan Components . . . . . . . . . . . .3
The True Cost of Security . . . . . . . . . . . . . . . . . . . . . . . . . .4
Prevention vs. Remediation . . . . . . . . . . . . . . . . . . . . . . .6
Potential Economic Impact . . . . . . . . . . . . . . . . . . . . .8
Business Exposure . . . . . . . . . . . . . . . . . . . . . . . . . .11
Cost of Security . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
ROI of Security . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Project Success Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Success Factor 1: Executive Support . . . . . . . . . . . . . . . .15
Success Factor 2: User Involvement . . . . . . . . . . . . . . . .17
Success Factor 3: Experienced Project Manager . . . . . . .17
Success Factor 4: Clearly Defined Project Objectives . . . .18
Success Factor 5: Clearly Defined (and Smaller) Scope . .19
Success Factor 6: Shorter Schedules, Multiple Milestones 19
Success Factor 7: Clearly Defined
Project Management Process . . . . . . . . . . . . . . . . . . . . .20
Success Factor 8: Standard Infrastructure . . . . . . . . . . . . .20
Project Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Corporate Strategy and IT Security . . . . . . . . . . . . . . . . . . .23
How Corporate Culture and Policies Impact IT Security . . .24
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27


Chapter 2 Defining the Security Project . . . . . . . . . . . . 31
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Defining the Security Problem . . . . . . . . . . . . . . . . . . . . . .32
Network Security and the CIA . . . . . . . . . . . . . . . . . . .33
Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
CIA in Context . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Define the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Defining the Outcome . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Defining Potential Security Project Solutions . . . . . . . . . . . .38
Defining the Optimal Security Project Solution . . . . . . . . . .39
Applying Security Project Constraints . . . . . . . . . . . . . . . . .40
Scope (Amount of Work) . . . . . . . . . . . . . . . . . . . . . . .40
Time (Schedule) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Developing the Security Project Proposal . . . . . . . . . . . . . . .44
Identifying the Security Project Sponsor . . . . . . . . . . . . . . .45
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Chapter 3 Organizing the IT Security Project . . . . . . . . 51
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Identifying the IT Security Project Team . . . . . . . . . . . . . . .52
Identifying IT Security Project Stakeholders . . . . . . . . . . . .53
Defining IT Security Project Requirements . . . . . . . . . . . . .55
Defining IT Security Project Objectives . . . . . . . . . . . . . . .59
Defining IT Security Project Processes . . . . . . . . . . . . . . . .61
Acceptance Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62

Change Management . . . . . . . . . . . . . . . . . . . . . . . . . .63
Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Status Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Defect, Error, and Issue Tracking . . . . . . . . . . . . . . . . . .66
Escalation Procedures . . . . . . . . . . . . . . . . . . . . . . . . . .67
Documentation Procedures . . . . . . . . . . . . . . . . . . . . . .67



Approval Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Chapter 4 Building Quality Into IT Security Projects . . . 75
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Planning IT Security Project Quality . . . . . . . . . . . . . . . . . .76
User Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Functional Requirements . . . . . . . . . . . . . . . . . . . . . . .79
Technical Requirements . . . . . . . . . . . . . . . . . . . . . . . .81
Acceptance Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Quality Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Change Management Procedures . . . . . . . . . . . . . . . . . .84
Standard Operating Procedures . . . . . . . . . . . . . . . . . . .84
Monitoring IT Security Project Quality . . . . . . . . . . . . . . .85
Testing IT Security Project Quality . . . . . . . . . . . . . . . . . . .88
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90

Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Chapter 5 Forming the IT Security Project Team . . . . . . 95
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Identifying IT Security Project Team Requirements . . . . . . .96
Roles and Responsibilities . . . . . . . . . . . . . . . . . . . . . . .97
Competencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Technical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Communication . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Translating Technical Language . . . . . . . . . . . . . . . .103
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Legal, Financial, and Regulatory . . . . . . . . . . . . . . .104
Identifying Staffing Requirements and Constraints . . . . . . .105
Acquiring the Needed Staff . . . . . . . . . . . . . . . . . . . . . . . .107
Forming the IT Security Project Team . . . . . . . . . . . . . . . .108
Identify Training Needs . . . . . . . . . . . . . . . . . . . . . .109


Team Processes and Procedures . . . . . . . . . . . . . . . .109
Team Kick-off Meeting . . . . . . . . . . . . . . . . . . . . . .111
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Chapter 6 Planning The IT Security Project . . . . . . . . . 117

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
Creating the IT Security Project Work Breakdown Structure 118
Defining Project Tasks and Sub-tasks . . . . . . . . . . . . . . . . .121
Checking Project Scope . . . . . . . . . . . . . . . . . . . . . . . . . .123
Developing Task Details . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Completion Criteria . . . . . . . . . . . . . . . . . . . . . . . . . .128
Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Expertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Organizational Change . . . . . . . . . . . . . . . . . . . . . .133
Governmental or Regulatory Requirements . . . . . .134
Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Identifying and Working With the Critical Path . . . . . . . . .135
Testing IT Security Project Results . . . . . . . . . . . . . . . . . .136
Budget, Schedule, Risks, and Communications . . . . . . . . . .138
Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Chapter 7 Managing the IT Security Project . . . . . . . . 147
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Initiating the IT Security Project . . . . . . . . . . . . . . . . . . . .148

Monitoring and Managing IT Security Project Progress . . .149
Task Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151



Completion Criteria Example - Strong Passwords . .152
Project Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Issues Reporting and Resolution . . . . . . . . . . . . . . . . .155
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Monitoring IT Security Project Risk . . . . . . . . . . . . . . . . .157
Managing IT Security Project Change . . . . . . . . . . . . . . . .158
Key Stakeholder Change . . . . . . . . . . . . . . . . . . . . . . .158
Key Staff Change . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Key Environmental Change . . . . . . . . . . . . . . . . . . . . .160
Testing IT Security Project Results . . . . . . . . . . . . . . . . . .161
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Chapter 8 Closing Out the IT Security Project. . . . . . . 169
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Evaluating Project Completion . . . . . . . . . . . . . . . . . . . . .170
Closing Issues Log, Change Requests, and Error Reports . .172
Preparing for Implementation,
Deployment, and Operational Transfer . . . . . . . . . . . . . . . .173
Preparing for Implementation . . . . . . . . . . . . . . . . . . .174
Preparing for Deployment . . . . . . . . . . . . . . . . . . . . . .175
Preparing for Operational Transfer . . . . . . . . . . . . . . . .176
Reviewing Lessons Learned . . . . . . . . . . . . . . . . . . . . . . .178
Documentation and Compliance Reports . . . . . . . . . . . . .181
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185

Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Chapter 9 Corporate IT Security Project Plan . . . . . . . 189
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
Defining Your Security Strategy . . . . . . . . . . . . . . . . . . . . .190
Legal Standards Relevant to Corporate IT Security . . . . . .192
Selected Federal Laws . . . . . . . . . . . . . . . . . . . . . . . . .194
Gramm-Leach-Bliley Act . . . . . . . . . . . . . . . . . . . .194
Health Insurance Portability and Accountability Act 195
Sarbanes-Oxley Act . . . . . . . . . . . . . . . . . . . . . . . . .197
Federal Information Security Management Act . . . . . .197
FERPA and the TEACH Act . . . . . . . . . . . . . . . . . .198
Electronic Communications Privacy
Act and Computer Fraud and Abuse Act . . . . . . . . .199


State Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Unauthorized Access . . . . . . . . . . . . . . . . . . . . . . . .200
Enforcement Actions . . . . . . . . . . . . . . . . . . . . . . . . . .201
Three Fatal Fallacies . . . . . . . . . . . . . . . . . . . . . . . . . .202
The “Single Law” Fallacy . . . . . . . . . . . . . . . . . . . .202
The Private Entity Fallacy . . . . . . . . . . . . . . . . . . . .203
The “Penetration Test Only” Fallacy . . . . . . . . . . . .203
Do It Right or Bet the Company:
Tools to Mitigate Legal Liability . . . . . . . . . . . . . . . . . .204

We Did our Best; What’s the Problem? . . . . . . . . . .204
What Can Be Done? . . . . . . . . . . . . . . . . . . . . . . . . . .206
Understand Your Legal Environment . . . . . . . . . . . .207
Comprehensive and Ongoing
Security Assessments, Evaluations,
and Implementation . . . . . . . . . . . . . . . . . . . . . . . .207
Use Contracts to Define Rights
and Protect Information . . . . . . . . . . . . . . . . . . . . .208
Use Qualified Third-party Professionals . . . . . . . . . .209
Making Sure Your Standards-of-Care
Assessments Keep Up with Evolving Law . . . . . . . . . . .209
Plan for the Worst . . . . . . . . . . . . . . . . . . . . . . . . .210
Insurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Corporate IT Security Project Plan Overview . . . . . . . . . .212
Corporate Security Auditing . . . . . . . . . . . . . . . . . . . . . . .215
Choosing A Target . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Why Security Fails . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Improper Configuration . . . . . . . . . . . . . . . . . . . . .218
Failure to Update . . . . . . . . . . . . . . . . . . . . . . . . . .219
Faulty Requirements . . . . . . . . . . . . . . . . . . . . . . . .219
Human Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Policy Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Incorrect Assumptions . . . . . . . . . . . . . . . . . . . . . . .222
Corporate IT Security Project Parameters . . . . . . . . . . . . .224
Project Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Project Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227




Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230
Key Skills Needed . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Operating System Skills . . . . . . . . . . . . . . . . . . . . .233
Network Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Application Skills . . . . . . . . . . . . . . . . . . . . . . . . . .234
Security Tools Skills . . . . . . . . . . . . . . . . . . . . . . . .234
Programming Skills—Compiled Languages . . . . . . .235
Programming Skills - Scripting Languages . . . . . . . .235
Key Personnel Needed . . . . . . . . . . . . . . . . . . . . . . . .236
Project Processes and Procedures . . . . . . . . . . . . . . . . .237
Project Work Breakdown Structure . . . . . . . . . . . . . . . . . .239
WBS Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
Work Breakdown Structure Example 2 . . . . . . . . . . . .240
Project Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Project Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Project Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
Project Schedule and Budget . . . . . . . . . . . . . . . . . . . . . . .248
Managing the Project . . . . . . . . . . . . . . . . . . . . . . . . .252
Closing Out the Project . . . . . . . . . . . . . . . . . . . . . . .252
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Chapter 10 General IT Security Plan . . . . . . . . . . . . . . 261
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
IT Security Assessment and Auditing . . . . . . . . . . . . . . . . .262
Perimeter or Boundaries . . . . . . . . . . . . . . . . . . . . . . .265
Internal Network . . . . . . . . . . . . . . . . . . . . . . . . . . . .266

Servers and Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
Applications and Databases . . . . . . . . . . . . . . . . . . . . .266
Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
Contact Information . . . . . . . . . . . . . . . . . . . . . . . .267
Business Information . . . . . . . . . . . . . . . . . . . . . . .268
Extranet and Remote Access . . . . . . . . . . . . . . . . . .268
Valid User Accounts . . . . . . . . . . . . . . . . . . . . . . . .268
System Configuration . . . . . . . . . . . . . . . . . . . . . . .269
Types of Security Assessments . . . . . . . . . . . . . . . . . . .269


Vulnerability Scanning . . . . . . . . . . . . . . . . . . . . . .270
Pen Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
Risk Assessment: Asset Protection . . . . . . . . . . . . . .275
Risk Assessment: Threat Prevention . . . . . . . . . . . .279
Risk Assessment: Legal Liabilities . . . . . . . . . . . . . . .286
Risk Assessment: Costs . . . . . . . . . . . . . . . . . . . . . .288
Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Public Access Networks . . . . . . . . . . . . . . . . . . . . .295
Legal Implications . . . . . . . . . . . . . . . . . . . . . . . . . .296
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298
Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Physical Access to Equipment . . . . . . . . . . . . . . . . . . .302

Local Access to Network . . . . . . . . . . . . . . . . . . . . . . .303
Remote Access to Network . . . . . . . . . . . . . . . . . . . . .303
Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Policy Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Physical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Technical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Administrative . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Process and Procedure Review . . . . . . . . . . . . . . . . . .308
Operational Review . . . . . . . . . . . . . . . . . . . . . . . . . .309
Legal and Reporting Requirements . . . . . . . . . . . . . . .309
Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Non-intrusive Attacks . . . . . . . . . . . . . . . . . . . . . . .310
Intrusive Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Assessment and Audit Report . . . . . . . . . . . . . . . . . . . . . .315
Elements of a Findings Report . . . . . . . . . . . . . . . . . . .316
Defining the Steps Taken . . . . . . . . . . . . . . . . . . . . .316
Defining the Vulnerability or Weakness . . . . . . . . . .317
Defining the Criticality of Findings . . . . . . . . . . . . .317
Defining Mitigation Plans . . . . . . . . . . . . . . . . . . . .318
Defining Owners, Timelines, and Deliverables . . . . .318
Format of a Findings Report . . . . . . . . . . . . . . . . . . . .319
Project Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320
Project Problem Statement . . . . . . . . . . . . . . . . . . . . . .320
Problem Mission Statement . . . . . . . . . . . . . . . . . . . . .321



Project Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Potential Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . .322

Selected Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324
General IT Security Project Parameters . . . . . . . . . . . . . . .325
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Types of Requirements . . . . . . . . . . . . . . . . . . . . . .326
Project Specific Requirements . . . . . . . . . . . . . . . . .326
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Key Skills Needed . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Technical Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Non-Technical Skills . . . . . . . . . . . . . . . . . . . . . . . .332
Key Personnel Needed . . . . . . . . . . . . . . . . . . . . . . . .332
Form the Project Team . . . . . . . . . . . . . . . . . . . . . . . .333
Project Processes and Procedures . . . . . . . . . . . . . . . . .333
General IT Security Project Plan . . . . . . . . . . . . . . . . . . . .334
Project WBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Project Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Project Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Project Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Project Schedule and Budget . . . . . . . . . . . . . . . . . . . .337
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Chapter 11 IT Infrastructure Security Plan . . . . . . . . . 345
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346
Infrastructure Security Assessment . . . . . . . . . . . . . . . . . . .346
Internal Environment . . . . . . . . . . . . . . . . . . . . . . . . .348
Information Criticality . . . . . . . . . . . . . . . . . . . . . .348
Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . .349
System Definitions . . . . . . . . . . . . . . . . . . . . . . . . .350

Information Flow . . . . . . . . . . . . . . . . . . . . . . . . . .350
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
People and Process . . . . . . . . . . . . . . . . . . . . . . . . . . .351
User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Policies and Procedures . . . . . . . . . . . . . . . . . . . . . .353
Organizational Needs . . . . . . . . . . . . . . . . . . . . . . .353

Regulatory/Compliance . . . . . . . . . . . . . . . . . . . . .354
Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355
Establishing Baselines . . . . . . . . . . . . . . . . . . . . . . . . . .356
Addressing Risks to the Corporate Network . . . . . . . .356
External Environment . . . . . . . . . . . . . . . . . . . . . . . . .359
Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
Recognizing External Threats . . . . . . . . . . . . . . . . .362
Top 20 Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . .367
Network Security Checklist . . . . . . . . . . . . . . . . . . . . .369
Devices and Media . . . . . . . . . . . . . . . . . . . . . . . . .370
Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) . . . . .374
System Hardening . . . . . . . . . . . . . . . . . . . . . . . . . .380
Other Infrastructure Issues . . . . . . . . . . . . . . . . . . .381
Other Network Components: Routers, Switches, RAS, NMS, IDS . . . . .382
Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
External Communications (also see “Remote Access”) 384
TCP/IP (Some TCP/IP Information Also Found in the “Routers” Section) . . . . .385
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Network Management . . . . . . . . . . . . . . . . . . . . . .392
Routers and Routing . . . . . . . . . . . . . . . . . . . . . . .398
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
Intrusion Detection/Intrusion Prevention . . . . . . . .404
Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Project Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Functional Requirements . . . . . . . . . . . . . . . . . . . .410
Technical Requirements . . . . . . . . . . . . . . . . . . . . .410
Legal/Compliance Requirements . . . . . . . . . . . . . .412
Policy Requirements . . . . . . . . . . . . . . . . . . . . . . . .412
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .413
Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .413
Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Key Skills Needed . . . . . . . . . . . . . . . . . . . . . . . . . . . .415


Key Personnel Needed . . . . . . . . . . . . . . . . . . . . . . . .417
Project Processes and Procedures . . . . . . . . . . . . . . . . .418
Project Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
Project Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420

Project Work Breakdown Structure . . . . . . . . . . . . . . . . . .420
Project Risks and Mitigation Strategies . . . . . . . . . . . . . . .427
Project Constraints and Assumptions . . . . . . . . . . . . . . . . .429
Project Schedule and Budget . . . . . . . . . . . . . . . . . . . . . . .431
IT Infrastructure Security Project Outline . . . . . . . . . . . . .432
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
Chapter 12 Wireless Security Project Plan. . . . . . . . . . 441
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .442
Wireless Security Auditing . . . . . . . . . . . . . . . . . . . . . . . . .443
Types of Wireless Network Components and Devices . .445
Wireless Technologies . . . . . . . . . . . . . . . . . . . . . . . . .448
Types of Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
War Dialing, Demon Dialing, Carrier Signal Scanning 450
Wardriving, NetStumbling, or Stumbling . . . . . . . . .452
Bluetooth Attacks . . . . . . . . . . . . . . . . . . . . . . . . . .459
Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
Asset Protection . . . . . . . . . . . . . . . . . . . . . . . . . . .464
Threat Prevention . . . . . . . . . . . . . . . . . . . . . . . . . .469
Legal Liabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . .479
Costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .480
Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .483
Wireless Security Project Parameters . . . . . . . . . . . . . . . . .485
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .486
Functional Requirements . . . . . . . . . . . . . . . . . . . .487
Technical Requirements . . . . . . . . . . . . . . . . . . . . .488
Legal/Compliance Requirements . . . . . . . . . . . . . .490
Policy Requirements . . . . . . . . . . . . . . . . . . . . . . . .491
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492
Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .493

Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .494
Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495
Key Skills Needed . . . . . . . . . . . . . . . . . . . . . . . . . . . .497
Key Personnel Needed . . . . . . . . . . . . . . . . . . . . . . . .499

Project Processes and Procedures . . . . . . . . . . . . . . . . .499
Project Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500
Project Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501
Project Work Breakdown Structure . . . . . . . . . . . . . . . . . .502
Project Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506
Project Constraints and Assumptions . . . . . . . . . . . . . . . . .507
Project Schedule and Budget . . . . . . . . . . . . . . . . . . . . . . .508
Wireless Security Project Outline . . . . . . . . . . . . . . . . . . .509
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .510
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512
Chapter 13 IT Operational Security Plan . . . . . . . . . . . 517
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518
Operational Security Assessment . . . . . . . . . . . . . . . . . . . .519
Incident Response . . . . . . . . . . . . . . . . . . . . . . .521
Company-Wide Incident Response Teams . . . . . . . .523
Response Team Services . . . . . . . . . . . . . . . . . . . . . . .525
Response Team Assessment . . . . . . . . . . . . . . . . . . . . .529
Security Management Services . . . . . . . . . . . . . . . .529

Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
Trend Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
Disaster Planning . . . . . . . . . . . . . . . . . . . . . . . . . .530
Education and Awareness . . . . . . . . . . . . . . . . . . . .531
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .537
Founding Principles of a Good Security Policy . . . .538
Understanding Current Policy Standards . . . . . . . . .539
Creating Corporate Security Policies . . . . . . . . . . . .542
Policy Distribution and Education . . . . . . . . . . . . . .552
Maintaining Corporate Security Policies . . . . . . . . .553
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . .554
Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .556
Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .556
Information and Communications . . . . . . . . . . . . . .557
Business Insurance . . . . . . . . . . . . . . . . . . . . . . . . .558
Regulatory Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . .559
Health Insurance Portability and Accountability Act 561
Gramm-Leach-Bliley Act . . . . . . . . . . . . . . . . . . . .562
Sarbanes-Oxley Act . . . . . . . . . . . . . . . . . . . . . . . . .563


Project Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .565
Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .566
Mission/Outcome . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .569
Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .569

Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .570
Functional Requirements . . . . . . . . . . . . . . . . . . . . . . .571
Technical Requirements . . . . . . . . . . . . . . . . . . . . . . .572
Legal/Compliance Requirements . . . . . . . . . . . . . . . . .574
Success Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .574
Required Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .574
Personnel Needed . . . . . . . . . . . . . . . . . . . . . . . . . . . .575
Project Processes and Procedures . . . . . . . . . . . . . . . . .576
Project Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .577
Project Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . .578
Project Work Breakdown Structure . . . . . . . . . . . . . . . . . .579
Project Risks and Mitigation Strategies . . . . . . . . . . . . . . .584
Incident Response . . . . . . . . . . . . . . . . . . . . . . .584
Policy Management . . . . . . . . . . . . . . . . . . . . . . .585
Disaster Planning . . . . . . . . . . . . . . . . . . . . . . .585
Regulatory/Compliance . . . . . . . . . . . . . . . . . . . . .585
Project Constraints and Assumptions . . . . . . . . . . . . . . . . .586
Project Schedule and Budget . . . . . . . . . . . . . . . . . . . . . . .586
IT Operational Security Project Outline . . . . . . . . . . . . . .587
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .590
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .591
Operational Security Assessment . . . . . . . . . . . . . . .591
Project Parameters . . . . . . . . . . . . . . . . . . . . . . . . .593
Project Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593
Project Organization . . . . . . . . . . . . . . . . . . . . . . . .593
Project Work Breakdown Structure . . . . . . . . . . . . .594
Project Risks and Mitigation Strategies . . . . . . . . . .594
Project Constraints and Assumptions . . . . . . . . . . . .594
Project Schedule and Budget . . . . . . . . . . . . . . . . . .595
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597

