Syngress IT Security Project Management Handbook (September 2006, ISBN 1597490768)

  

Visit us at www.syngress.com

  

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

  SOLUTIONS WEB SITE

To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

  ULTIMATE CDs

Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

  DOWNLOADABLE EBOOKS

For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably.

  SYNGRESS OUTLET

Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt

books at significant savings.

  SITE LICENSING

Syngress has a well-established program for site licensing our ebooks onto servers

in corporations, educational institutions, and large organizations. Contact us at

sales@syngress.com for more information.

  CUSTOM PUBLISHING

Many organizations welcome the ability to combine parts of multiple Syngress

books, as well as their own content, into a single volume for their own internal use.

  Contact us at sales@syngress.com for more information.

Syngress

IT Security Project Management Handbook

Susan Snedaker

Technical Editor: Russ Rogers

  

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

  

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.


PUBLISHED BY Syngress Publishing, Inc., 800 Hingham Street, Rockland, MA 02370

Syngress IT Security Project Management Handbook

Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Printed in Canada. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. 1 2 3 4 5 6 7 8 9 0

ISBN: 1-59749-076-8

Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Jaime Quigley, Erin Heffernan
Copy Editor: Judy Eby
Technical Editor: Russ Rogers
Indexer: Odessa&Cie
Cover Designer: Michael Kavish

Distributed by O’Reilly Media, Inc. in the United States and Canada.

For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights,

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Author

Susan Snedaker (MBA, BA, MCSE, MCT, CPM) is Principal Consultant and founder of VirtualTeam Consulting, LLC (www.virtualteam.com), a consulting firm specializing in business and technology consulting. The company works with companies of all sizes to develop and implement strategic plans, operational improvements and technology platforms that drive profitability and growth. Prior to founding VirtualTeam in 2000, Susan held various executive and technical positions with companies including Microsoft, Honeywell, Keane, and Apta Software. As Director of Service Delivery for Keane, she managed 1200+ technical support staff delivering phone and email support for various Microsoft products including Windows Server operating systems. She is author of How to Cheat at IT Project Management (Syngress Publishing, ISBN: 1-597490-37-7), The Best Damn Windows Server 2003 Book Period (Syngress, ISBN: 1-931836-12-4) and How to Cheat at Managing Windows Small Business Server 2003 (Syngress, ISBN: 1-932266-80-1). She has also written numerous technical chapters for a variety of Syngress Publishing books on Microsoft Windows and security technologies and has written and edited technical content for various publications. Susan has developed and delivered technical content from security to telephony, TCP/IP to WiFi, CIW to IT project management and just about everything in between (she admits a particular fondness for anything related to TCP/IP).

Susan holds a master’s degree in business administration and a bachelor’s degree in management from the University of Phoenix. She also holds a certificate in advanced project management from Stanford University. She holds Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Trainer (MCT) certifications. Susan is a member of the Information Technology Association of Southern Arizona (ITASA) and the Project Management Institute (PMI).

Technical Editor

Russ Rogers (CISSP, CISM, IAM, IEM, HonScD) is the author of the popular Hacking a Terror Network (Syngress Publishing, ISBN 1-928994-98-9), co-author of multiple other books including the best selling Stealing the Network: How to Own a Continent (Syngress, ISBN 1-931836-05-1) and Network Security Evaluation Using the NSA IEM (Syngress, 1-597490-35-0), and Editor in Chief of The Security Journal. He is Co-Founder, Chief Executive Officer, and Chief Technology Officer of Security Horizon, a veteran-owned small business based in Colorado Springs, CO. Russ has been involved in information technology since 1980 and has spent the last 15 years working professionally as both an IT and INFOSEC consultant.

Russ has worked with the United States Air Force (USAF), National Security Agency (NSA), and the Defense Information Systems Agency (DISA). He is a globally renowned security expert, speaker, and author who has presented at conferences around the world including Amsterdam, Tokyo, Singapore, Sao Paulo, and cities all around the United States.

Russ has an Honorary Doctorate of Science in Information Technology from the University of Advancing Technology, a Masters Degree in Computer Systems Management from the University of Maryland, a Bachelor of Science in Computer Information Systems from the University of Maryland, and an Associate Degree in Applied Communications Technology from the Community College of the Air Force. He is a member of both ISSA and ISACA and co-founded the Global Security Syndicate (gssyndicate.org), the Security Tribe (securitytribe.com), and acts in the role of professor of network security for the University of Advancing Technology (uat.edu).

Russ would like to thank his father for his lifetime of guidance, his kids (Kynda and Brenden) for their understanding, and Michele for her constant support. A great deal of thanks goes to Andrew Williams and Jaime Quigley from Syngress Publishing for the abundant opportunities and trust they give me. Shouts go out to UAT, Security Tribe, the GSS, the Defcon Groups, and the DC Forums. I’d like to also thank my friends, Chris, Greg, Michele, Ping, Pyr0, and everyone in #dc-forums that I don’t have room to list here.

Special Contributors

A special thank you to the following authors for contributing their expertise to various sections of this book: Bryan Cunningham, Principal at the Denver law firm of Morgan & Cunningham LLC, Norris Johnson, Mike Rash, Frank Thornton, Chris Hurley, and Mike O’Dea.

  

Contents

Foreword ... xxv

Chapter 1 IT Security Project Management Building Blocks ... 1
  Introduction ... 2
  Corporate Security Project Plan Components ... 3
  The True Cost of Security ... 4
    Prevention vs. Remediation ... 6
      Potential Economic Impact ... 8
      Business Exposure ... 11
      Cost of Security ... 12
      ROI of Security ... 14
  Project Success Factors ... 15
    Success Factor 1: Executive Support ... 15
    Success Factor 2: User Involvement ... 17
    Success Factor 3: Experienced Project Manager ... 17
    Success Factor 4: Clearly Defined Project Objectives ... 18
    Success Factor 5: Clearly Defined (and Smaller) Scope ... 19
    Success Factor 6: Shorter Schedules, Multiple Milestones ... 19
    Success Factor 7: Clearly Defined Project Management Process ... 20
    Success Factor 8: Standard Infrastructure ... 20
  Project Constraints ... 21
  Corporate Strategy and IT Security ... 23
  How Corporate Culture and Policies Impact IT Security ... 24
  Summary ... 26
  Solutions Fast Track ... 27

Chapter 2 Defining the Security Project ... 31
  Introduction ... 32
  Defining the Security Problem ... 32
    Network Security and the CIA ... 33
      Confidentiality ... 33
      Integrity ... 34
      Availability ... 34
      CIA in Context ... 34
    Define the Problem ... 36
  Defining the Outcome ... 37
  Defining Potential Security Project Solutions ... 38
  Defining the Optimal Security Project Solution ... 39
  Applying Security Project Constraints ... 40
    Scope (Amount of Work) ... 40
    Time (Schedule) ... 41
    Cost ... 42
    Quality ... 42
  Developing the Security Project Proposal ... 44
  Identifying the Security Project Sponsor ... 45
  Summary ... 47
  Solutions Fast Track ... 47

Chapter 3 Organizing the IT Security Project ... 51
  Introduction ... 52
  Identifying the IT Security Project Team ... 52
  Identifying IT Security Project Stakeholders ... 53
  Defining IT Security Project Requirements ... 55
  Defining IT Security Project Objectives ... 59
  Defining IT Security Project Processes ... 61
    Acceptance Criteria ... 62
    Risk Management ... 62
    Change Management ... 63
    Communication ... 65
    Quality ... 65
    Status Reporting ... 66
    Defect, Error, and Issue Tracking ... 66
    Escalation Procedures ... 67
    Documentation Procedures ... 67
    Approval Procedures ... 68
    Deployment ... 69
    Operations ... 69
    Training ... 70
  Summary ... 71
  Solutions Fast Track ... 71

Chapter 4 Building Quality Into IT Security Projects ... 75
  Introduction ... 76
  Planning IT Security Project Quality ... 76
    User Requirements ... 78
    Functional Requirements ... 79
    Technical Requirements ... 81
    Acceptance Criteria ... 81
    Quality Metrics ... 82
    Change Management Procedures ... 84
    Standard Operating Procedures ... 84
  Monitoring IT Security Project Quality ... 85
  Testing IT Security Project Quality ... 88
  Summary ... 90
  Solutions Fast Track ... 91

Chapter 5 Forming the IT Security Project Team ... 95
  Introduction ... 96
  Identifying IT Security Project Team Requirements ... 96
    Roles and Responsibilities ... 97
    Competencies ... 100
      Technical ... 101
      Communication ... 102
      Training ... 102
      Negotiation ... 103
      Translating Technical Language ... 103
      Reporting ... 104
      Legal, Financial, and Regulatory ... 104
  Identifying Staffing Requirements and Constraints ... 105
  Acquiring the Needed Staff ... 107
  Forming the IT Security Project Team ... 108
    Identify Training Needs ... 109
    Team Processes and Procedures ... 109
    Team Kick-off Meeting ... 111
  Summary ... 113
  Solutions Fast Track ... 114

Chapter 6 Planning The IT Security Project ... 117
  Introduction ... 118
  Creating the IT Security Project Work Breakdown Structure ... 118
  Defining Project Tasks and Sub-tasks ... 121
  Checking Project Scope ... 123
  Developing Task Details ... 125
    Owner ... 126
    Resources ... 127
    Completion Criteria ... 128
    Schedule ... 129
    Budget ... 130
    Dependencies ... 130
    Constraints ... 131
      Expertise ... 132
      Tools ... 132
      Budget ... 132
      Organizational Change ... 133
      Governmental or Regulatory Requirements ... 134
    Lessons Learned ... 135
  Identifying and Working With the Critical Path ... 135
  Testing IT Security Project Results ... 136
  Budget, Schedule, Risks, and Communications ... 138
    Budget ... 138
    Schedule ... 139
    Risks ... 140
    Communications ... 140
  Summary ... 142
  Solutions Fast Track ... 143

Chapter 7 Managing the IT Security Project ... 147
  Introduction ... 148
  Initiating the IT Security Project ... 148
  Monitoring and Managing IT Security Project Progress ... 149
    Task Progress ... 151
      Completion Criteria Example - Strong Passwords ... 152
    Project Progress ... 154
    Issues Reporting and Resolution ... 155
    Documentation ... 156
  Monitoring IT Security Project Risk ... 157
  Managing IT Security Project Change ... 158
    Key Stakeholder Change ... 158
    Key Staff Change ... 160
    Key Environmental Change ... 160
  Testing IT Security Project Results ... 161
  Summary ... 164
  Solutions Fast Track ... 165

Chapter 8 Closing Out the IT Security Project ... 169
  Introduction ... 170
  Evaluating Project Completion ... 170
  Closing Issues Log, Change Requests, and Error Reports ... 172
  Preparing for Implementation, Deployment, and Operational Transfer ... 173
    Preparing for Implementation ... 174
    Preparing for Deployment ... 175
    Preparing for Operational Transfer ... 176
  Reviewing Lessons Learned ... 178
  Documentation and Compliance Reports ... 181
  Summary ... 185
  Solutions Fast Track ... 186

Chapter 9 Corporate IT Security Project Plan ... 189
  Introduction ... 190
  Defining Your Security Strategy ... 190
  Legal Standards Relevant to Corporate IT Security ... 192
    Selected Federal Laws ... 194
      Gramm-Leach-Bliley Act ... 194
      Health Insurance Portability and Accountability Act ... 195
      Sarbanes-Oxley Act ... 197
      Federal Information Security and Management Act ... 197
      FERPA and the TEACH Act ... 198
      Electronic Communications Privacy Act and Computer Fraud and Abuse Act ... 199
    State Laws ... 200
      Unauthorized Access ... 200
    Enforcement Actions ... 201
    Three Fatal Fallacies ... 202
      The “Single Law” Fallacy ... 202
      The Private Entity Fallacy ... 203
      The “Penetration Test Only” Fallacy ... 203
    Do It Right or Bet the Company: Tools to Mitigate Legal Liability ... 204
      We Did our Best; What’s the Problem? ... 204
    What Can Be Done? ... 206
      Understand Your Legal Environment ... 207
      Comprehensive and Ongoing Security Assessments, Evaluations, and Implementation ... 207
      Use Contracts to Define Rights and Protect Information ... 208
      Use Qualified Third-party Professionals ... 209
      Making Sure Your Standards-of-Care Assessments Keep Up with Evolving Law ... 209
      Plan for the Worst ... 210
      Insurance ... 211
  Corporate IT Security Project Plan Overview ... 212
  Corporate Security Auditing ... 215
    Choosing A Target ... 216
    Why Security Fails ... 218
      Improper Configuration ... 218
      Failure to Update ... 219
      Faulty Requirements ... 219
      Human Factors ... 220
      Policy Issues ... 221
      Incorrect Assumptions ... 222
  Corporate IT Security Project Parameters ... 224
    Project Objectives ... 224
    Project Parameters ... 225
      Scope ... 225
      Schedule ... 227
      Budget ... 228
      Quality ... 229
    Requirements ... 230
    Key Skills Needed ... 231
      Operating System Skills ... 233
      Network Skills ... 233
      Application Skills ... 234
      Security Tools Skills ... 234
      Programming Skills - Compiled Languages ... 235
      Programming Skills - Scripting Languages ... 235
    Key Personnel Needed ... 236
    Project Processes and Procedures ... 237
  Project Work Breakdown Structure ... 239
    WBS Example 1 ... 239
    Work Breakdown Structure Example 2 ... 240
  Project Risks ... 245
  Project Constraints ... 247
  Project Assumptions ... 248
  Project Schedule and Budget ... 248
    Managing the Project ... 252
    Closing Out the Project ... 252
  Summary ... 254
  Solutions Fast Track ... 255

Chapter 10 General IT Security Plan . . . . . . . . . . . . . . 261 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262 IT Security Assessment and Auditing . . . . . . . . . . . . . . . . .262 Perimeter or Boundaries . . . . . . . . . . . . . . . . . . . . . . .265 Internal Network . . . . . . . . . . . . . . . . . . . . . . . . . . . .266 Servers and Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . .266 Applications and Databases . . . . . . . . . . . . . . . . . . . . .266 Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267 Contact Information . . . . . . . . . . . . . . . . . . . . . . . .267 Business Information . . . . . . . . . . . . . . . . . . . . . . .268 Extranet and Remote Access . . . . . . . . . . . . . . . . . .268 Valid User Accounts . . . . . . . . . . . . . . . . . . . . . . . .268 System Configuration . . . . . . . . . . . . . . . . . . . . . . .269 Types of Security Assessments . . . . . . . . . . . . . . . . . . .269

  xviii Contents Vulnerability Scanning . . . . . . . . . . . . . . . . . . . . . .270 Pen Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272

  Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274 Risk Assessment: Asset Protection . . . . . . . . . . . . . .275 Risk Assessment:Threat Prevention . . . . . . . . . . . . .279 Risk Assessment: Legal Liabilities . . . . . . . . . . . . . . .286 Risk Assessment: Costs . . . . . . . . . . . . . . . . . . . . . .288 Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293 Public Access Networks . . . . . . . . . . . . . . . . . . . . .295 Legal Implications . . . . . . . . . . . . . . . . . . . . . . . . . .296

  Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298 Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302 Physical Access to Equipment . . . . . . . . . . . . . . . . . . .302 Local Access to Network . . . . . . . . . . . . . . . . . . . . . . .303 Remote Access to Network . . . . . . . . . . . . . . . . . . . . .303 Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304 Policy Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304 Physical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305

  Technical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305 Administrative . . . . . . . . . . . . . . . . . . . . . . . . . . . .308 Process and Procedure Review . . . . . . . . . . . . . . . . . .308 Operational Review . . . . . . . . . . . . . . . . . . . . . . . . . .309 Legal and Reporting Requirements . . . . . . . . . . . . . . .309 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310

  Non-intrusive Attacks . . . . . . . . . . . . . . . . . . . . . . .310 Intrusive Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . .312 Assessment and Audit Report . . . . . . . . . . . . . . . . . . . . . .315 Elements of a Findings Report . . . . . . . . . . . . . . . . . . .316

  Defining the Steps Taken . . . . . . . . . . . . . . . . . . . . .316 Defining the Vulnerability or Weakness . . . . . . . . . .317 Defining the Criticality of Findings . . . . . . . . . . . . .317 Defining Mitigation Plans . . . . . . . . . . . . . . . . . . . .318 Defining Owners,Timelines, and Deliverables . . . . .318 Format of a Findings Report . . . . . . . . . . . . . . . . . . . .319

  Project Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320 Project Problem Statement . . . . . . . . . . . . . . . . . . . . . .320 Problem Mission Statement . . . . . . . . . . . . . . . . . . . . .321

  Contents xix

    Project Objectives . . . . . . . . . . . . . . . 321
    Potential Solutions . . . . . . . . . . . . . . 322
    Selected Solution . . . . . . . . . . . . . . . 324
  General IT Security Project Parameters . . . . . . 325
    Requirements . . . . . . . . . . . . . . . . . . 325
      Types of Requirements . . . . . . . . . . . . 326
      Project Specific Requirements . . . . . . . . 326
    Scope . . . . . . . . . . . . . . . . . . . . . 327
    Schedule . . . . . . . . . . . . . . . . . . . . 329
    Budget . . . . . . . . . . . . . . . . . . . . . 330
    Quality . . . . . . . . . . . . . . . . . . . . 330
    Key Skills Needed . . . . . . . . . . . . . . . 331
      Technical Skills . . . . . . . . . . . . . . . 331
      Non-Technical Skills . . . . . . . . . . . . . 332
    Key Personnel Needed . . . . . . . . . . . . . . 332
    Form the Project Team . . . . . . . . . . . . . 333
    Project Processes and Procedures . . . . . . . . 333
  General IT Security Project Plan . . . . . . . . . 334
    Project WBS . . . . . . . . . . . . . . . . . . 335
    Project Risks . . . . . . . . . . . . . . . . . 336
    Project Constraints . . . . . . . . . . . . . . 336
    Project Assumptions . . . . . . . . . . . . . . 337
    Project Schedule and Budget . . . . . . . . . . 337
  Summary . . . . . . . . . . . . . . . . . . . . . 339
  Solutions Fast Track . . . . . . . . . . . . . . . 339

Chapter 11 IT Infrastructure Security Plan . . . . . 345
  Introduction . . . . . . . . . . . . . . . . . . . 346
  Infrastructure Security Assessment . . . . . . . . 346
    Internal Environment . . . . . . . . . . . . . . 348
      Information Criticality . . . . . . . . . . . 348
      Impact Analysis . . . . . . . . . . . . . . . 349
      System Definitions . . . . . . . . . . . . . . 350
      Information Flow . . . . . . . . . . . . . . . 350
      Scope . . . . . . . . . . . . . . . . . . . . 351
    People and Process . . . . . . . . . . . . . . . 351
      User Profiles . . . . . . . . . . . . . . . . 352
      Policies and Procedures . . . . . . . . . . . 353
      Organizational Needs . . . . . . . . . . . . . 353
      Regulatory/Compliance . . . . . . . . . . . . 354
    Technology . . . . . . . . . . . . . . . . . . . 355
    Establishing Baselines . . . . . . . . . . . . . 356
    Addressing Risks to the Corporate Network . . . 356
    External Environment . . . . . . . . . . . . . . 359
    Threats . . . . . . . . . . . . . . . . . . . . 360
      Recognizing External Threats . . . . . . . . . 362
      Top 20 Threats . . . . . . . . . . . . . . . . 367
    Network Security Checklist . . . . . . . . . . . 369
      Devices and Media . . . . . . . . . . . . . . 370
      Topologies . . . . . . . . . . . . . . . . . . 371
      Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) . . . 374
      System Hardening . . . . . . . . . . . . . . . 380
      Other Infrastructure Issues . . . . . . . . . 381
      Other Network Components: Routers, Switches, RAS, NMS, IDS . . . 382
      Network . . . . . . . . . . . . . . . . . . . 383
      External Communications (also see “Remote Access”) . . . 384
      TCP/IP (Some TCP/IP Information Also Found in the “Routers” Section) . . . 385
      Administration . . . . . . . . . . . . . . . . 388
      Network Management . . . . . . . . . . . . . . 392
      Routers and Routing . . . . . . . . . . . . . 398
      Firewall . . . . . . . . . . . . . . . . . . . 401
      Intrusion Detection/Intrusion Prevention . . . 404
      Remote Access . . . . . . . . . . . . . . . . 405
  Project Parameters . . . . . . . . . . . . . . . . 408
    Requirements . . . . . . . . . . . . . . . . . . 409
      Functional Requirements . . . . . . . . . . . 410
      Technical Requirements . . . . . . . . . . . . 410
      Legal/Compliance Requirements . . . . . . . . 412
      Policy Requirements . . . . . . . . . . . . . 412
    Scope . . . . . . . . . . . . . . . . . . . . . 413
    Schedule . . . . . . . . . . . . . . . . . . . . 413
    Budget . . . . . . . . . . . . . . . . . . . . . 414
    Quality . . . . . . . . . . . . . . . . . . . . 415
    Key Skills Needed . . . . . . . . . . . . . . . 415


    Key Personnel Needed . . . . . . . . . . . . . . 417
    Project Processes and Procedures . . . . . . . . 418
  Project Team . . . . . . . . . . . . . . . . . . . 419
  Project Organization . . . . . . . . . . . . . . . 420
  Project Work Breakdown Structure . . . . . . . . . 420
  Project Risks and Mitigation Strategies . . . . . 427
  Project Constraints and Assumptions . . . . . . . 429
  Project Schedule and Budget . . . . . . . . . . . 431
  IT Infrastructure Security Project Outline . . . . 432
  Summary . . . . . . . . . . . . . . . . . . . . . 434
  Solutions Fast Track . . . . . . . . . . . . . . . 435

Chapter 12 Wireless Security Project Plan . . . . . 441
  Introduction . . . . . . . . . . . . . . . . . . . 442
  Wireless Security Auditing . . . . . . . . . . . . 443
    Types of Wireless Network Components and Devices . . . 445
    Wireless Technologies . . . . . . . . . . . . . 448
    Types of Threats . . . . . . . . . . . . . . . . 449
      War Dialing, Demon Dialing, Carrier Signal Scanning . . . 450
      Wardriving, NetStumbling, or Stumbling . . . . 452
      Bluetooth Attacks . . . . . . . . . . . . . . 459
    Risk Assessment . . . . . . . . . . . . . . . . 463
      Asset Protection . . . . . . . . . . . . . . . 464
      Threat Prevention . . . . . . . . . . . . . . 469
      Legal Liabilities . . . . . . . . . . . . . . 479
      Costs . . . . . . . . . . . . . . . . . . . . 480
    Impact Analysis . . . . . . . . . . . . . . . . 483
  Wireless Security Project Parameters . . . . . . . 485
    Requirements . . . . . . . . . . . . . . . . . . 486
      Functional Requirements . . . . . . . . . . . 487
      Technical Requirements . . . . . . . . . . . . 488
      Legal/Compliance Requirements . . . . . . . . 490
      Policy Requirements . . . . . . . . . . . . . 491
    Scope . . . . . . . . . . . . . . . . . . . . . 492
    Schedule . . . . . . . . . . . . . . . . . . . . 493
    Budget . . . . . . . . . . . . . . . . . . . . . 494
    Quality . . . . . . . . . . . . . . . . . . . . 495
    Key Skills Needed . . . . . . . . . . . . . . . 497
    Key Personnel Needed . . . . . . . . . . . . . . 499
    Project Processes and Procedures . . . . . . . . 499
  Project Team . . . . . . . . . . . . . . . . . . . 500
  Project Organization . . . . . . . . . . . . . . . 501
  Project Work Breakdown Structure . . . . . . . . . 502
  Project Risks . . . . . . . . . . . . . . . . . . 506
  Project Constraints and Assumptions . . . . . . . 507
  Project Schedule and Budget . . . . . . . . . . . 508
  Wireless Security Project Outline . . . . . . . . 509
  Summary . . . . . . . . . . . . . . . . . . . . . 510
  Solutions Fast Track . . . . . . . . . . . . . . . 512