tion that was gathered and to rank the risks to the organization. Measuring the risk is often the most difficult part of this task, as the cost of a successful exploitation of a vulnerability may be hard to measure.
Finally, the team will put all of the information on risks and recommendations into a report that is provided to the organization. Often the team will provide a draft report to the security officer for an initial review to make sure that details about the organization are correct.
Presentation
The final task of the assessment phase is the presentation of the assessment report. Ideally, this presentation will be scheduled with senior members of the organization’s management team as well as the security officer.
The organization should then review the report and determine if the report is correct so it can form the basis of the detailed project plan for phases 2 through 4. If this is the case, the security officer should develop a detailed project plan for the remainder of the year.
CRITICAL FIXES PHASE
Phase 2 of the security project plan is also called the critical fixes phase. This phase typically lasts between two weeks and three months, depending on the number of critical tasks and the type of organization. During phase 2, the organization is correcting vulnerabilities that meet two criteria:
▼ They are critical to the security of the organization
▲ They can be quickly corrected
Figure A-3 shows the detail associated with this phase of the project plan. The following sections go into more detail on each of the security process task areas.
Assessment
No new assessment tasking will be performed during this phase. However, there should be continued review of the findings of the initial assessment, and this review should feed into the detailed project plans for the upcoming phases of the project.
Policy
Policy is often identified as an important issue within organizations. During the critical fixes phase, two policies should be specifically addressed: the Information Policy and the Security Policy. The reason for this is that these policies have a great effect on the computer users of the organization as well as the administrators, and they form the basis for security-awareness training classes.
Appendix A: The Process Project Plan 347
If resources allow, these two policies can be developed in parallel. Based on the necessary review and approval cycles in your organization, it may take as little as a week to develop a policy or as much as two months. However, it is critical to develop the policy in such a way that the organization will buy into it and follow the policy (see Chapter 5 for more detail on policy development).
Implementation
During the critical fixes phase, system administrators will be correcting serious vulnerabilities in their systems. This should be a top priority for the administrators. Make sure each system is identified properly and that there are detailed instructions on how each vulnerability should be fixed. Many can be corrected by installing the latest patches from the computer system or software vendor.
Also as part of the implementation task, some extremely important new hardware or software implementations may occur. For example, if the assessment identified an unprotected network connection, the project plan may call for the immediate procurement and implementation of a firewall. However, most procurements for increasing security will take place in later phases of the project.
Training
There is no specific training task associated with the critical fixes phase of the project. However, the development of the security-awareness training classes for employees may begin as the information and security policies near completion. More likely, most of the work here will take place in the next phase.
Figure A-3. Detailed project plan for the critical fixes phase
Audit
There is no specific audit task for the critical fixes phase of the project plan. Some planning for future compliance checking may occur as the information and security policies are completed.
UPDATE PHASE
The update phase of the security project begins once the critical fixes have been completed. During the update phase of the project, the less immediate security issues are dealt with. The overall security at the organization should be improving by this time. Most of the high-risk issues should have either been corrected or in some other way mitigated. The update phase may last two to six months (see Figure A-4).
Assessment
During the update phase, the Security department should begin working with departments that are deploying or building new projects. The idea is for Security to be involved in projects early on in their lifecycles. New project requirements should reflect the security policy, and the Security department should provide assistance in the design of new systems.
Figure A-4. Update phase project plan
Policy
The remaining policies and procedures that are necessary for the organization should be developed. These will include
▼ Use policies
■ Incident response procedures
■ User management procedures
▲ Disaster recovery plans
The development of a DRP is a long process that will require the assistance of other departments within the organization. It is likely that development of the DRP will be started but not completed during the update phase.
Implementation
Now that the security policy is complete, the system administrators should be working with the Security department to make sure that their systems comply with the security policy. In addition, less serious vulnerabilities should be fixed on all computer systems. During the update phase, any procurements of new security systems should be started. Depending on the organization, procurement of new hardware and software products can take a fair amount of time as vendors and products are evaluated, the RFP sent out for bid, and the bids evaluated.
Training
The security-awareness training class should be completed and reflect the user requirements of the information and security policies. At the same time, an awareness program that includes posters and newsletter articles should be started.
Once the security-awareness training class is completed, it should be taught first to new employees as part of the new employee orientation program. This will provide a way to pilot the classes and to train internal trainers. Next, the training program should be rolled out to all employees. This will require a training schedule that eventually includes all employees. Depending on the number of employees in your organization, it may take six to nine months to run all of them through the security-awareness program. Also in this phase, security reporting to senior management should begin with a regular executive security briefing.
NOTE: Reporting on project status should begin with the project. However, these meetings will provide information to senior management on the status of security within the organization.
Audit
The audit program is now beginning to define its procedures and structure to manage the compliance with organization policies. By the end of the update phase, the audit program should have well-defined procedures for monitoring the security of the computer systems as well as a developed compliance program.
ONGOING WORK PHASE
The final phase of the security project is the ongoing work phase. Simply put, all of the policies, procedures, and processes that have been put in place now have to work to maintain the security of the organization.
Assessment
The Security department maintains its relationship with development and continues to advise on security regarding new projects. At the same time, an assessment schedule is developed to provide regular assessments of the organization, individual departments or locations, and systems as necessary.
Policy
With the exception of the DRP (which may take more time), all of the significant security policies and procedures should be complete by this phase. The Security department should establish regular review dates for all policies and follow the schedule.
Testing of the Incident Response Plan and the DRP (when complete) must now proceed. Regular test plans, both announced and unannounced, should commence and continue at regular intervals.
Implementation
System administrators should be making necessary security changes to systems. These changes may be instigated by the identification of a new vulnerability or by the identification of a non-compliance issue. System administrators should be looking at systems to identify suspicious activity and investigate that activity with the help of the Security department.
Training
The awareness program of posters and newsletter articles should be in full swing. The security-awareness training classes should cover new employees, existing employees, executives, and the technical staff. Schedules of classes should be established so that every employee receives a refresher class at least every two years. Classes for executives should include briefings on the state of security within the organization.
Audit
The security policy–compliance program should now be in full swing. Each system within the organization should be checked for policy compliance on a regular basis. At the same time, regular system monitoring and network monitoring should be performed to watch for signs of suspicious activity.