System Configuration

System configuration information is also extremely valuable to an attacker, because he or she can determine what types of attacks to launch. If someone knows you're running Microsoft Windows Server 2003, he or she can specifically attack vulnerabilities of those systems, including exploiting systems that have not been kept up-to-date with critical security patches. An example of this can be found at www.netcraft.com. An alarm on your car doesn't prevent it from being stolen, it simply deters...

Legal Liabilities

We discussed legal liabilities in detail in Chapter 9, and if you skipped that chapter for any reason, be sure to read up on the legal issues surrounding IT security these days. The bottom line is that the laws are changing. Requirements are sometimes unclear or conflicting, and lack of attention to detail and lack of reasonable care can be cause for litigation in the event of a serious security breach. Companies that are attacked that fail to recover quickly have a 50 percent chance of failing...

Project Schedule and Budget

- Once you've defined your WBS in detail, you should be able to develop a realistic schedule.
- If you have project management software available to you, this is a good time to input your tasks and schedule into the program to allow the software to assist you in creating a schedule and identifying the critical path.
- Budgets can be developed by adding the cost of all tasks plus any administrative costs or costs that apply across the project that cannot (or should not) be attributed to any one...

Preparing for Implementation Deployment and Operational Transfer

- All project documentation should be defined in the project definition phase and consistently collected and reviewed during the project plan phase.
- During project close out, documentation should be updated and finalized for review or archiving.
- Project documentation can be construed as legal documents related to the security project plan, and should be treated as such. Consult with legal counsel regarding the appropriate storage or disposition of these documents.
- Implementation,...

Prevention vs Remediation

One of the best ways to support an increase in IT spending for security is to clearly delineate the cost of preventing a security breach versus the cost of fixing a security breach. Most corporate executives appreciate a rational approach to the business end of IT, and find a risk analysis and financial overview helpful tools in justifying additional expenditures. A recent study by Computer Economics shows that spending on security is approximately 3 percent of all IT expenditures, which has...

Success Factor Experienced Project Manager

In the case of IT security, it is critical that the project manager have experience successfully managing projects, since any errors or omissions in a security plan can have serious consequences. A project manager using a proven, consistent project management methodology is more likely to generate a solid IT security project plan than one who has no consistent method for approaching an IT project. If you are the project manager for your company's IT security project and you are not an...

Project Work Breakdown Structure

- The work breakdown structure, or WBS, for an infrastructure project should begin with the high-level objectives for your project, which might include securing devices and media, securing the perimeter, securing infrastructure components, or whatever way you choose to segment the work in this project.
- Task details should reflect the functional, technical, and regulatory requirements for your project. Check task details against requirements to be sure everything is included at the outset.
...

Project Team

We've touched on this throughout the chapter because we've talked about the far-reaching nature of an operational security project plan. Once you've defined the functional, technical, and regulatory requirements for the project, you've defined what you need to accomplish in the project. By looking at the specific skills needed to accomplish project work, you've essentially defined who you need. Gathering that team together and coordinating those activities will be your biggest challenge for two...

Work Breakdown Structure Example

Develop RFP to hire an outside security consultant for an enterprise-wide security audit
1.2 Develop a list of companies from whom to solicit RFP responses
2. Perform enterprise-wide security audit
3. Implement security recommendations based on audit results
3.1.1 Develop and implement Infrastructure Security Plan
3.1.2 Develop and implement Wireless Security Plan
3.1.3 Develop and implement Operational Security Plan
3.2 Implement, monitor, and manage defined ISAPs
4. Develop ongoing security...