Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.
SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.
DOWNLOADABLE EBOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably.
SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.
SITE LICENSING
Syngress has a well-established program for site licensing our ebooks onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.
CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.
Visit us at www.syngress.com
tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
Syngress IT Security Project Management
Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Printed in Canada. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
1 2 3 4 5 6 7 8 9 0
ISBN: 1-59749-076-8
Publisher: Andrew Williams
Acquisitions Editor: Jaime Quigley, Erin Heffernan
Technical Editor: Russ Rogers
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editor: Judy Eby
Indexer: Odessa&Cie
The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.
David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Susan Snedaker (MBA, BA, MCSE, MCT, CPM) is Principal Consultant and founder of VirtualTeam Consulting, LLC (www.virtualteam.com), a consulting firm specializing in business and technology consulting. The company works with companies of all sizes to develop and implement strategic plans, operational improvements and technology platforms that drive profitability and growth. Prior to founding VirtualTeam in 2000, Susan held various executive and technical positions with companies including Microsoft, Honeywell, Keane, and Apta Software. As Director of Service Delivery for Keane, she managed 1200+ technical support staff delivering phone and email support for various Microsoft products including Windows Server operating systems. She is author of How to Cheat at IT Project Management (Syngress Publishing, ISBN: 1-597490-37-7), The Best Damn Windows Server 2003 Book Period (Syngress, ISBN: 1-931836-12-4) and How to Cheat at Managing Windows Small Business Server 2003 (Syngress, ISBN: 1-932266-80-1). She has also written numerous technical chapters for a variety of Syngress Publishing books on Microsoft Windows and security technologies and has written and edited technical content for various publications. Susan has developed and delivered technical content from security to telephony, TCP/IP to WiFi, CIW to IT project management and just about everything in between (she admits a particular fondness for anything related to TCP/IP).
Susan holds a master’s degree in business administration and a bachelor’s degree in management from the University of Phoenix. She also holds a certificate in advanced project management from Stanford University. She holds Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Trainer (MCT) certifications. Susan is a member of the Information Technology Association of Southern Arizona (ITASA) and the Project Management Institute (PMI).
Technical Editor
Russ Rogers (CISSP, CISM, IAM, IEM, HonScD), author of the popular Hacking a Terror Network (Syngress Publishing, ISBN 1-928994-98-9), co-author on multiple other books including the best selling Stealing the Network: How to Own a Continent (Syngress, ISBN 1-931836-05-1), Network Security Evaluation Using the NSA IEM (Syngress, 1-597490-35-0) and Editor in Chief of The Security Journal, is Co-Founder, Chief Executive Officer, and Chief Technology Officer of Security Horizon, a veteran-owned small business based in Colorado Springs, CO. Russ has been involved in information technology since 1980 and has spent the last 15 years working professionally as both an IT and INFOSEC consultant. Russ has worked with the United States Air Force (USAF), National Security Agency (NSA), and the Defense Information Systems Agency (DISA). He is a globally renowned security expert, speaker, and author who has presented at conferences around the world including Amsterdam, Tokyo, Singapore, Sao Paulo, and cities all around the United States.
Russ has an Honorary Doctorate of Science in Information Technology from the University of Advancing Technology, a Masters Degree in Computer Systems Management from the University of Maryland, a Bachelor of Science in Computer Information Systems from the University of Maryland, and an Associate Degree in Applied Communications Technology from the Community College of the Air Force. He is a member of both ISSA and ISACA and co-founded the Global Security Syndicate (gssyndicate.org), the Security Tribe (securitytribe.com), and acts in the role of professor of network security for the University of Advancing Technology (uat.edu).
Russ would like to thank his father for his lifetime of guidance, his kids (Kynda and Brenden) for their understanding, and Michele for her constant support. A great deal of thanks goes to Andrew Williams and Jaime Quigley from Syngress Publishing for the abundant opportunities and trust they give me. Shouts go out to UAT, Security Tribe, the GSS, the Defcon Groups, and the DC Forums. I’d like to also thank my friends, Chris, Greg, Michele, Ping, Pyr0, and everyone in #dc-forums that I don’t have room to list here.
Special Contributors
A special thank you to the following authors for contributing their expertise to various sections of this book: Bryan Cunningham, Principal at the Denver law firm of Morgan & Cunningham LLC, Norris Johnson, Mike Rash, Frank Thornton, Chris Hurley, and Mike O’Dea.
Contents
Foreword xxv
Chapter 1 IT Security Project Management Building Blocks 1
Introduction 2
Corporate Security Project Plan Components 3
The True Cost of Security 4
Prevention vs Remediation 6
Potential Economic Impact 8
Business Exposure 11
Cost of Security 12
ROI of Security 14
Project Success Factors 15
Success Factor 1: Executive Support 15
Success Factor 2: User Involvement 17
Success Factor 3: Experienced Project Manager 17
Success Factor 4: Clearly Defined Project Objectives 18
Success Factor 5: Clearly Defined (and Smaller) Scope 19
Success Factor 6: Shorter Schedules, Multiple Milestones 19
Success Factor 7: Clearly Defined Project Management Process 20
Success Factor 8: Standard Infrastructure 20
Project Constraints 21
Corporate Strategy and IT Security 23
How Corporate Culture and Policies Impact IT Security 24
Summary 26
Solutions Fast Track 27
Chapter 2 Defining the Security Project 31
Introduction 32
Defining the Security Problem 32
Network Security and the CIA 33
Confidentiality 33
Integrity 34
Availability 34
CIA in Context 34
Define the Problem 36
Defining the Outcome 37
Defining Potential Security Project Solutions 38
Defining the Optimal Security Project Solution 39
Applying Security Project Constraints 40
Scope (Amount of Work) 40
Time (Schedule) 41
Cost 42
Quality 42
Developing the Security Project Proposal 44
Identifying the Security Project Sponsor 45
Summary 47
Solutions Fast Track 47
Chapter 3 Organizing the IT Security Project 51
Introduction 52
Identifying the IT Security Project Team 52
Identifying IT Security Project Stakeholders 53
Defining IT Security Project Requirements 55
Defining IT Security Project Objectives 59
Defining IT Security Project Processes 61
Acceptance Criteria 62
Risk Management 62
Change Management 63
Communication 65
Quality 65
Status Reporting 66
Defect, Error, and Issue Tracking 66
Escalation Procedures 67
Approval Procedures 68
Deployment 69
Operations 69
Training 70
Summary 71
Solutions Fast Track 71
Chapter 4 Building Quality Into IT Security Projects 75
Introduction 76
Planning IT Security Project Quality 76
User Requirements 78
Functional Requirements 79
Technical Requirements 81
Acceptance Criteria 81
Quality Metrics 82
Change Management Procedures 84
Standard Operating Procedures 84
Monitoring IT Security Project Quality 85
Testing IT Security Project Quality 88
Summary 90
Solutions Fast Track 91
Chapter 5 Forming the IT Security Project Team 95
Introduction 96
Identifying IT Security Project Team Requirements 96
Roles and Responsibilities 97
Competencies 100
Technical 101
Communication 102
Training 102
Negotiation 103
Translating Technical Language 103
Reporting 104
Legal, Financial, and Regulatory 104
Identifying Staffing Requirements and Constraints 105
Acquiring the Needed Staff 107
Forming the IT Security Project Team 108
Identify Training Needs 109
Team Processes and Procedures 109
Team Kick-off Meeting 111
Summary 113
Solutions Fast Track 114
Chapter 6 Planning The IT Security Project 117
Introduction 118
Creating the IT Security Project Work Breakdown Structure 118
Defining Project Tasks and Sub-tasks 121
Checking Project Scope 123
Developing Task Details 125
Owner 126
Resources 127
Completion Criteria 128
Schedule 129
Budget 130
Dependencies 130
Constraints 131
Expertise 132
Tools 132
Budget 132
Organizational Change 133
Governmental or Regulatory Requirements 134
Lessons Learned 135
Identifying and Working With the Critical Path 135
Testing IT Security Project Results 136
Budget, Schedule, Risks, and Communications 138
Budget 138
Schedule 139
Risks 140
Communications 140
Summary 142
Solutions Fast Track 143
Chapter 7 Managing the IT Security Project 147
Introduction 148
Initiating the IT Security Project 148
Monitoring and Managing IT Security Project Progress 149
Completion Criteria Example - Strong Passwords 152
Project Progress 154
Issues Reporting and Resolution 155
Documentation 156
Monitoring IT Security Project Risk 157
Managing IT Security Project Change 158
Key Stakeholder Change 158
Key Staff Change 160
Key Environmental Change 160
Testing IT Security Project Results 161
Summary 164
Solutions Fast Track 165
Chapter 8 Closing Out the IT Security Project 169
Introduction 170
Evaluating Project Completion 170
Closing Issues Log, Change Requests, and Error Reports 172
Preparing for Implementation, Deployment, and Operational Transfer 173
Preparing for Implementation 174
Preparing for Deployment 175
Preparing for Operational Transfer 176
Reviewing Lessons Learned 178
Documentation and Compliance Reports 181
Summary 185
Solutions Fast Track 186
Chapter 9 Corporate IT Security Project Plan 189
Introduction 190
Defining Your Security Strategy 190
Legal Standards Relevant to Corporate IT Security 192
Selected Federal Laws 194
Gramm-Leach-Bliley Act 194
Health Insurance Portability and Accountability Act 195
Sarbanes-Oxley Act 197
Federal Information Security and Management Act 197
FERPA and the TEACH Act 198
Electronic Communications Privacy
State Laws 200
Unauthorized Access 200
Enforcement Actions 201
Three Fatal Fallacies 202
The “Single Law” Fallacy 202
The Private Entity Fallacy 203
The “Penetration Test Only” Fallacy 203
Do It Right or Bet the Company: Tools to Mitigate Legal Liability 204
We Did our Best; What’s the Problem? 204
What Can Be Done? 206
Understand Your Legal Environment 207
Comprehensive and Ongoing Security Assessments, Evaluations, and Implementation 207
Use Contracts to Define Rights and Protect Information 208
Use Qualified Third-party Professionals 209
Making Sure Your Standards-of-Care Assessments Keep Up with Evolving Law 209
Plan for the Worst 210
Insurance 211
Corporate IT Security Project Plan Overview 212
Corporate Security Auditing 215
Choosing A Target 216
Why Security Fails 218
Improper Configuration 218
Failure to Update 219
Faulty Requirements 219
Human Factors 220
Policy Issues 221
Incorrect Assumptions 222
Corporate IT Security Project Parameters 224
Project Objectives 224
Project Parameters 225
Scope 225
Schedule 227
Budget 228
Quality 229
Requirements 230
Key Skills Needed 231
Operating System Skills 233
Network Skills 233
Application Skills 234
Security Tools Skills 234
Programming Skills—Compiled Languages 235
Programming Skills - Scripting Languages 235
Key Personnel Needed 236
Project Processes and Procedures 237
Project Work Breakdown Structure 239
WBS Example 1 239
Work Breakdown Structure Example 2 240
Project Risks 245
Project Constraints 247
Project Assumptions 248
Project Schedule and Budget 248
Managing the Project 252
Closing Out the Project 252
Summary 254
Solutions Fast Track 255
Chapter 10 General IT Security Plan 261
Introduction 262
IT Security Assessment and Auditing 262
Perimeter or Boundaries 265
Internal Network 266
Servers and Hosts 266
Applications and Databases 266
Data 267
Contact Information 267
Business Information 268
Extranet and Remote Access 268
Valid User Accounts 268
System Configuration 269
Vulnerability Scanning 270
Pen Testing 272
Risk Assessment 274
Risk Assessment: Asset Protection 275
Risk Assessment: Threat Prevention 279
Risk Assessment: Legal Liabilities 286
Risk Assessment: Costs 288
Impact Analysis 293
Public Access Networks 295
Legal Implications 296
Authentication 298
Access Control 302
Physical Access to Equipment 302
Local Access to Network 303
Remote Access to Network 303
Auditing 304
Policy Review 304
Physical 305
Technical 305
Administrative 308
Process and Procedure Review 308
Operational Review 309
Legal and Reporting Requirements 309
Attacks 310
Non-intrusive Attacks 310
Intrusive Attacks 312
Assessment and Audit Report 315
Elements of a Findings Report 316
Defining the Steps Taken 316
Defining the Vulnerability or Weakness 317
Defining the Criticality of Findings 317
Defining Mitigation Plans 318
Defining Owners, Timelines, and Deliverables 318
Format of a Findings Report 319
Project Plan 320
Project Problem Statement 320
Problem Mission Statement 321
Project Objectives 321
Potential Solutions 322
Selected Solution 324
General IT Security Project Parameters 325
Requirements 325
Types of Requirements 326
Project Specific Requirements 326
Scope 327
Schedule 329
Budget 330
Quality 330
Key Skills Needed 331
Technical Skills 331
Non-Technical Skills 332
Key Personnel Needed 332
Form the Project Team 333
Project Processes and Procedures 333
General IT Security Project Plan 334
Project WBS 335
Project Risks 336
Project Constraints 336
Project Assumptions 337
Project Schedule and Budget 337
Summary 339
Solutions Fast Track 339
Chapter 11 IT Infrastructure Security Plan 345
Introduction 346
Infrastructure Security Assessment 346
Internal Environment 348
Information Criticality 348
Impact Analysis 349
System Definitions 350
Information Flow 350
Scope 351
People and Process 351
User Profiles 352
Regulatory/Compliance 354
Technology 355
Establishing Baselines 356
Addressing Risks to the Corporate Network 356
External Environment 359
Threats 360
Recognizing External Threats 362
Top 20 Threats 367
Network Security Checklist 369
Devices and Media 370
Topologies 371
Intrusion Detection Systems/ Intrusion Prevention Systems (IDS/IPS) 374
System Hardening 380
Other Infrastructure Issues 381
Other Network Components: Routers, Switches, RAS, NMS, IDS 382
Network 383
External Communications (also see “Remote Access”) 384
TCP/IP (Some TCP/IP Information Also Found in the “Routers” Section) 385
Administration 388
Network Management 392
Routers and Routing 398
Firewall 401
Intrusion Detection/Intrusion Prevention 404
Remote Access 405
Project Parameters 408
Requirements 409
Functional Requirements 410
Technical Requirements 410
Legal/Compliance Requirements 412
Policy Requirements 412
Scope 413
Schedule 413
Budget 414
Quality 415
Key Personnel Needed 417
Project Processes and Procedures 418
Project Team 419
Project Organization 420
Project Work Breakdown Structure 420
Project Risks and Mitigation Strategies 427
Project Constraints and Assumptions 429
Project Schedule and Budget 431
IT Infrastructure Security Project Outline 432
Summary 434
Solutions Fast Track 435
Chapter 12 Wireless Security Project Plan 441
Introduction 442
Wireless Security Auditing 443
Types of Wireless Network Components and Devices 445
Wireless Technologies 448
Types of Threats 449
War Dialing, Demon Dialing, Carrier Signal Scanning 450
Wardriving, NetStumbling, or Stumbling 452
Bluetooth Attacks 459
Risk Assessment 463
Asset Protection 464
Threat Prevention 469
Legal Liabilities 479
Costs 480
Impact Analysis 483
Wireless Security Project Parameters 485
Requirements 486
Functional Requirements 487
Technical Requirements 488
Legal/Compliance Requirements 490
Policy Requirements 491
Scope 492
Schedule 493
Budget 494
Quality 495
Project Processes and Procedures 499
Project Team 500
Project Organization 501
Project Work Breakdown Structure 502
Project Risks 506
Project Constraints and Assumptions 507
Project Schedule and Budget 508
Wireless Security Project Outline 509
Summary 510
Solutions Fast Track 512
Chapter 13 IT Operational Security Plan 517
Introduction 518
Operational Security Assessment 519
Incident response 521
Company-Wide Incident Response Teams 523
Response Team Services 525
Response Team Assessment 529
Security Management Services 529
Risk Analysis 530
Trend Analysis 530
Disaster Planning 530
Education and Awareness 531
Policies 537
Founding Principles of a Good Security Policy 538
Understanding Current Policy Standards 539
Creating Corporate Security Policies 542
Policy Distribution and Education 552
Maintaining Corporate Security Policies 553
Disaster Recovery 554
Facilities 556
Operations 556
Information and Communications 557
Business Insurance 558
Regulatory Issues 559
Health Insurance Portability and Accountability Act 561
Gramm-Leach-Bliley Act 562
Project Parameters 565
Problem 566
Mission/Outcome 567
Solution 567
Scope 568
Cost 569
Time 569
Quality 570
Functional Requirements 571
Technical Requirements 572
Legal/Compliance Requirements 574
Success Factors 574
Required Skills 574
Personnel Needed 575
Project Processes and Procedures 576
Project Team 577
Project Organization 578
Project Work Breakdown Structure 579
Project Risks and Mitigation Strategies 584
Incident response 584
Policy management 585
Disaster planning 585
Regulatory/compliance 585
Project Constraints and Assumptions 586
Project Schedule and Budget 586
IT Operational Security Project Outline 587
Summary 590
Solutions Fast Track 591
Operational Security Assessment 591
Project Parameters 593
Project Team 593
Project Organization 593
Project Work Breakdown Structure 594
Project Risks and Mitigation Strategies 594
Project Constraints and Assumptions 594
Project Schedule and Budget 595
Foreword
Not everything that counts can be counted and not everything that can be counted counts.
—Albert Einstein
As the late management guru Peter Drucker once said, “Plans are only good intentions unless they immediately degenerate into hard work.” The intent of this book is not to lead you through long, arduous planning processes while hackers are stealing your network out from under you. The intent is to provide you with effective network security planning tools so that you can “degenerate into hard work” as quickly as possible to keep your network secure with the least amount of effort.
Rather than losing sleep at night wondering who’s wandering around your network in the dark, you can create a comprehensive security solution for your company that will meet your security needs today and will allow you to address new security requirements in the future. This book is designed to help you do exactly that.
—Susan Snedaker
Principal Consultant and Founder, VirtualTeam Consulting, LLC
Thanks to all the hardworking folks at Syngress for all the front- and back-end work they do. Chris and Andrew, thanks for suggesting this book and making this project a reality; Jaime, thanks for staying around to get this project completed and keeping me sane along the way; Erin, thanks for bringing this project across the finish line. Many thanks to my ace technical editor, Russ Rogers, who contributed his superlative security expertise to this book. And last but not least, thank you to Lisa, my family, friends, and clients who supported (and put up with) me during this project.
Chapter 1 IT Security Project Management Building Blocks
Solutions in this chapter:
■ Corporate Security Project Plan Components
■ The True Cost of IT Security
■ IT Security Project Success Factors
■ Project Constraints
■ Corporate Strategy and IT Security
■ How Corporate Culture and Policies Impact IT Security
Introduction
Let’s start by stating two assumptions we’re making in this book. First, we’re assuming you have a solid understanding of IT project management. If not, we have provided you with a free download of the book How to Cheat at IT Project Management (visit www.syngress.com/solutions to register this book and download the PDF) so you can fill in any gaps you may have. Second, we’ll assume that you have a fairly good understanding of network security. This book is not intended to teach you basic IT project management nor is it intended to teach you how to implement specific network security solutions for your particular situation. What this book will do is provide an operational framework for you to use in designing your own IT security project plan.
Now that we’ve gotten those details out of the way, let’s talk about network security. It’s a massive subject and an enormous undertaking for any network administrator out there in the real world right now. By creating a project plan for addressing network security, you can approach this sometimes onerous task with a well thought-out plan. By creating a comprehensive plan for network security, you can be confident your network is as secure as humanly possible. There is no magic bullet and network security is a never-ending task, but using a consistent methodology will reduce your errors and omissions. In network security, it’s often what you overlook that intruders exploit.
In this chapter, we’re going to look at project management from a security planning perspective. We’re not going to specifically cover IT project management, but we will use that framework to develop our IT security project plan. This will help reinforce your IT project management skills while providing you with a roadmap for implementing IT security in your organization.
Corporate Security Project Plan Components
Before discussing the specifics of IT security project planning, let’s set the stage. Every company has a wide variety of diverse network components that have an effect on security (e.g., users, firewalls, and network topologies). As such, every company usually ends up with one overarching corporate security project plan, and many individual security project plans, each covering a specific area (see Figure 1.1). In formal project management language, the corporate security project plan is considered a “program,” which by definition is a related set of project plans that are managed across the enterprise to enable optimal use of resources and to reduce project conflict (i.e., time, cost, resources). To keep it simple, we refer to the “corporate IT security project plan” as the “master plan” and to the sub-level plans as “individual focus areas” or “individual security area project plans.” The larger the project, the more difficult it is to manage successfully; therefore, you are more likely to be successful if your corporate security is broken down into small project areas. We’ll refer back to this model throughout the book as we explore how to create successful IT security project plans.
One important note at this juncture is that the topic areas included in Figure 1.1 may not be the topic areas you need for your corporate security project plan. You may not need all of these or there may be one or more additional security areas you need to include. The areas listed in Figure 1.1 are commonly used in many organizations but this is not considered an exhaustive list by any means.
Figure 1.1 Corporate Security Project Plan Components
The True Cost of Security
Let’s begin with a brief overview of why we even care about network security. If our networks and data didn’t need to be secured, we could just leave the gates open and allow anyone in. The reality is obviously far from that. Data needs to be secured because it provides your company with a competitive edge or because it’s confidential personal information such as credit card data or social security numbers. There are thousands of reasons why networks and data need to be secured and the unfortunate truth is that there is always someone out there looking for a new way in. That said, it’s also true that the majority of security breaches are internal. Whether permissions are incorrectly set allowing a user to access an important file or whether a sophisticated user manages to get a hold of his boss’s password in order to look at pay rates or performance reviews, malicious or inadvertent security breaches are most often an inside job.
[Figure 1.1, not reproduced here, shows the Corporate IT Security Project Plan at the top level with the Individual Security Area Project Plans beneath it: Instant Messaging, Email, Remote Access, Communication Security, Wireless Security, System Hardening, Intrusion Prevention/Detection, Topologies, Cryptography, Public Key (PKI), General Security, and Voice over IP (VoIP).]
According to the FBI, nearly 80 percent of security violations are caused by authorized users with legitimate access (i.e., “insiders”). Security threats include disgruntled employees, unsuspecting users, and outside contractors with insider access. U.S. companies spend over $6 billion annually on computer security hardware and software, but the best firewalls and security tools cannot prevent internal security breaches caused by internal issues (e.g., poor end-user security practices, inadvertent mistakes, lax attitudes, employee exploitation of security holes and intentional attacks or hacks).
How much is security worth? Network administrators are constantly under pressure to reduce costs and expand services. A recent study shows that as a percentage of revenues, IT budgets have gone down over the past few years. So, while the actual dollar amount of the corporate budget has risen, the percentage allocated to IT from corporate revenues has dropped (i.e., your company is growing but is not giving you the financial resources you need to do your job). For the sake of argument, let’s assume that you have trimmed all the fat from your budget. You are running lean and mean and have no more “give” in your budget. What do you do when push comes to shove? Whatever your answer, it probably directly or indirectly impacts network security (e.g., not having enough IT staff to maintain systems; fewer upgrades to secure operating systems; fewer purchases or upgrades of intrusion detection systems; less time to plan and implement a comprehensive security solution).
So, rather than fall victim to decreasing IT budgets, let’s discuss a proactive stance. As discussed in How to Cheat at IT Project Management, one of the keys to success in the IT world is understanding the company’s business plan. No one is going to hand you a blank check; you have to be savvy. To that end, we look at some quantifiable and verifiable numbers that can be used to develop a strategy for getting your IT security budget approved.
Business Intelligence…
How IT Budgets Are Actually Spent
The February 2006 issue of “CIO Insight Magazine” discusses a research study on IT spending. The conclusions? Many IT professionals agree that their companies do not spend enough on IT (i.e., IT departments are handling an ever-increasing number of projects while IT spending is moving away from hardware and software to staffing and services). The study also surveyed how IT budgets are spent. Interestingly, security software was eighth on the list of technology spending. Disaster recovery and business continuity was first on the list of initiatives. According to Ken Goldstein, an economist with the Conference Board (a business research organization), part of the reason companies are reluctant to spend more on IT is that businesses “haven’t gotten full utilization out of what they’ve already spent, and they need to. They will not necessarily cut back their spending, but what we will get is this cautious, conservative spending.” (CIO Insight, February 2006, p. 69.) Making the effort to align IT projects with corporate strategies and to develop and present a business case for key IT projects continues to be one of the best ways to ensure that your IT department has the tools and resources it needs. Security spending should be a discrete line item in your IT budget. You should prepare the business case for security separately (though in an integrated manner), otherwise it may get lost in the larger IT budget.
Prevention vs. Remediation
One of the best ways to support an increase in IT spending for security is to clearly delineate the cost of preventing a security breach versus the cost of fixing a security breach. Most corporate executives appreciate a rational approach to the business end of IT, and find a risk analysis and financial overview helpful tools in justifying additional expenditures. A recent study by Computer Economics shows that spending on security is approximately 3 percent of all IT expenditures, which has remained fairly constant for the past three years. Most telling is that security spending has remained constant while other areas of IT spending have fallen over the same period of time. In addition, spending on security has shifted. Many of the efforts made in the past several years to harden networks against attack are paying off in lower remediation efforts.

This is the key takeaway for IT professionals today in making the business case for security. Security spending in the past has reduced the cost of remediation efforts today. Sometimes it's hard to make the case for something that's absent, but this is an opportunity to tout how successful past efforts have been. If you don't have specific data you can point to, you can generate some realistic estimates. Determine how much you've spent on hardening the network and calculate about how much time that has saved in both IT staff time and in productivity on the network. When the network is attacked, you have three expenses: the IT staff time, the productivity of people trying to use the network, and the often more intangible cost to the company's reputation (which sometimes becomes a legal issue with financial implications). If you're hard pressed to figure out how much your company has saved by not having security breaches, do some research and find industry averages applicable to your industry or company size. To assist in that, we've provided a few numbers, courtesy of research by the Computer Economics group. While this data may be generic, it's a good starting point to help you make the business case for the return on investment for past security spending and why it's a good idea to keep spending that money. Here's another hint: Sit down with your company's financial expert and have a few financial metrics generated based on your findings. If you can show a positive return on investment (ROI) or an internal rate of return (IRR), your company's management will have to sit up and pay attention. Along the way, you'll help secure your reputation as someone who understands the business of IT.
The independent research firm Computer Economics suggests using the following four steps to create a generic ROI for computer security:
1. Analyze the potential economic impact of a security breach (you may want to delineate the potential impact of several different categories of security issues such as virus, phishing, DoS, etc.).
2. Determine the business exposure (network, Internet connectivity, e-commerce intensity, and so on).
3. Examine and delineate the cost of security.
4. Calculate the ROI of security.
For example, if a virus invades your network, you can track how many IT staff hours were required to remediate the situation by calculating how long you spent fixing the problem (e.g., 60 minutes × 48 users × an average hourly rate based on overall salary levels in the organization). Sometimes, you can determine how much revenue was lost during that time (e.g., if you had to shut down an e-commerce server for four hours, what were the average hourly sales for that particular day and time?). Can you calculate how many of those customers will not return or will spend less in the future? Probably not, but you know the four-hour outage will have a ripple effect that is larger than the calculated hourly loss. In general, some quantifiable data is better than none, and you can use it to begin tracking and analyzing the true cost of security breaches. Some executives only understand the value of security spending when they understand the actual cost of such a breach to the organization.
Potential Economic Impact
In order to understand the potential economic impact of a security breach, you have to look at the cost of remediation and the short- and long-term impact to the organization. The immediate impact of remediation includes the cost of labor and parts to repair damaged systems, the loss of organizational productivity during the repair phase, and the impact these repairs have on the cash flow and financial transactions of the company. If your company is e-commerce-intensive, this impact will likely be even more significant. The loss of security around credit card data or the destruction of a month's worth of e-commerce transaction data clearly has an economic impact beyond the cost of repairing the security breach. Look at all areas of your business where the network and the Internet are factors. (A specific plan to assess the risk to your network is discussed later in this book.) At this point, your goal is to look at the cost of security so that you can make a business case to corporate to gain the necessary organizational, political, and financial support you need for your security projects.
The short-term impact of a security breach (e.g., if your e-commerce site experiences a DoS attack) includes the potential loss of sales and the potential loss of contracts and relationships with suppliers, vendors, and key customers. If your organization has suffered a serious and very public security breach, your sales team might have more difficulty closing a big deal. Clearly, the reputation of the organization suffers and, while it might be difficult to quantify, it reduces the company's reputation and associated “goodwill.”
The long-term impact of a security breach includes the loss of key customers, the loss of market confidence, and the erosion of share price if the company is publicly held. The public perception of a company in the marketplace is not built overnight, but it can be destroyed overnight by an avoidable security breach. The news is full of recent examples of companies that inappropriately managed data security and ultimately paid the price. It is hard to recover from that kind of major security lapse, both in the real terms of remediation and in the less tangible terms in the minds of suppliers, customers, shareholders, and the community.
The bottom line is: the more devices attached to your network and the more reliant your company is on the Internet for doing business, the more a security breach will cost. The Computer Economics group estimates that if you are highly reliant on the network and the Internet for your business activities and you have 100 attached devices, the cost of a security breach is approximately $250,000. If you have 250 devices, the cost is approximately $500,000. These costs include cleaning infected systems, recovery from hacks and intrusions, a loss of revenue, and a loss of employee productivity. As you can see, it becomes much easier to justify security-related spending when you clearly delineate the cost of not doing so.
Business Intelligence…
The Real Cost of Remediation
A quick scan of the headlines will tell you that security breaches are on the rise. It takes time and effort to stay one step ahead of hackers. However, a recent report reveals that many companies would rather spend money cleaning up the aftermath of an attack on their network security than deal with it proactively. Security spending is still seen by some as a giant black hole where money goes in and nothing comes out. However, a glance at the headlines shows that companies that experience massive public security breaches end up in trouble with their customers, their employees, their shareholders, and often the government.

A well-publicized incident in June 2005 involved a serious security breach by CardSystems, a credit card processing company. The company was holding on to credit card data it was not supposed to have in order to “analyze” it. However, the data was not properly secured and 40 million credit card holders' personal data was compromised. Credit card companies had to re-issue millions of credit cards (MasterCard alone had to re-issue 13.9 million cards). CardSystems was sold to another company in what appeared to be a “fire sale” in September 2005. After reviewing the incident, the Federal Trade Commission determined there were clear security problems and required the company to have an independent security audit every other year for the next 20 years. This is a classic example of a security breach that could have been avoided. It started on the inside from apparently “benign” behavior (i.e., no one initially attempted to hack the data). The data was stolen because internal procedures violated two areas: their agreement with credit card companies on how they would handle customer data, and their decision not to follow appropriate protocols for monitoring and managing data to ensure its security. (For additional information, go to www.consumeraffairs.com/news04/2006/02/ftc_cardsystems.html.)

A Vermont college system employee on vacation in Canada had her laptop stolen from a locked car. The laptop contained personal and financial data for over 20,000 Vermont college system employees and students. The data was not encrypted. Details about the theft were not disclosed for three weeks, even though the data at risk included people's social security numbers, birth dates, bank account numbers, and payroll information. A second security breach involved a hacker using an IT staff person's e-mail address to send a system-wide message regarding the stolen laptop. (For additional information, go to http://www.burlington-freepress.com/apps/pbcs.dll/article?AID=/20060409/NEWS01/604090316/1009/NEWS05.)

A security breach in Spokane, Washington left hundreds of bank and credit union debit card customers in a tight spot when they were informed their debit cards had been compromised. New cards and PIN numbers were issued. The breach cost banks, credit unions, and customers thousands of hours for canceling and re-issuing debit cards. The cost to banks, credit unions, and customers ran into the hundreds of thousands of dollars. (For additional information, go to
Business Exposure
This section discusses the relative exposure of your business, which will help you present your business case for security-related spending, and help you gain critical support for your IT security project. Some business exposure can be assessed by looking at the following categories and determining what percentage of your business they comprise:
1. E-commerce Retail Sales. If your company sells product via the Internet, there are numerous security issues that must be addressed. From Web site security to transaction security, and from credit card processing to identifiable user information, your company has a legal and ethical obligation to maintain a certain level of security.
2. Business-to-business (B2B) Transactions. Some companies only deal with other businesses (i.e., not the general public). These B2B transactions are vulnerable to outside and inside attacks. Disruption of this revenue stream can be devastating, because it can damage a company's cash flow and its relationship with key business partners (i.e., eroding trust and confidence reduces the value of the business transaction).
3. Internet Connectivity and Reliance. Some companies rely heavily on the Internet. If your company uses the Internet to connect with customers, vendors, regulatory authorities, employees, or shareholders, you must assess the risk of loss or disruption in each of those categories. The more you rely on the Internet as a business tool, the greater your need for tight security and additional security funds.
4. Dispersed Workforce. If your company's employees work from home, work on the road, or connect from airports, coffee shops, or vendors' locations, your network security needs to take this workforce model into account. The risks to the network obviously increase when users are roaming around out in the wild unsecured world of coffee shop (or hotel) wireless networks, and your network security plan has to account for these types of arrangements.
5. Electronic Data Interchange with Businesses and Consumers. You risk a security breach whenever you exchange data directly across the Internet. There are numerous technologies that will secure those exchanges.
6. Data Sensitivity. Legislation regarding the privacy of medical history and other personal data (e.g., social security numbers, credit card numbers, household income, credit scores, and so on) has expanded. Any company dealing with confidential personal information must have strong security processes in place to ensure that the data is handled properly at all stages (i.e., from collection to storage, retrieval, and analysis). Disruptions in this area can result in serious financial and legal consequences.
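To show how the four-step ROI outline given earlier (economic impact per breach category, business exposure, cost of security, ROI) and the six exposure categories just listed fit together in actual numbers, here is an added Python example. It is not code from this book or from Computer Economics: the loss model, the exposure weighting scheme, and every rate, hour count, frequency, and mitigation fraction in it are constructed sample values for illustration. The productivity term reproduces the chapter's "60 minutes × 48 users × average hourly rate" calculation.

```python
"""
Worked security-ROI example following the chapter's four steps:
1) economic impact per breach category, 2) business exposure,
3) cost of security, 4) ROI.  Every figure below (rates, hours,
frequencies, weights, mitigation) is a constructed sample value for
illustration, not data from the book or from Computer Economics.
"""
from dataclasses import dataclass


@dataclass
class BreachScenario:
    """Step 1: one incident category and what a single event costs."""
    name: str
    staff_hours: float            # IT staff time spent on remediation
    staff_rate: float             # loaded hourly cost of IT staff
    users_affected: int           # people idled during the event
    downtime_minutes: float       # how long each affected user was idle
    user_rate: float              # average hourly cost of an affected user
    outage_hours: float = 0.0     # hours a revenue-producing system was down
    hourly_revenue: float = 0.0   # revenue that system earns per hour
    events_per_year: float = 1.0  # expected frequency (constructed estimate)

    def remediation_cost(self) -> float:
        return self.staff_hours * self.staff_rate

    def productivity_cost(self) -> float:
        # The chapter's "60 minutes x 48 users x average hourly rate" term.
        return self.users_affected * (self.downtime_minutes / 60.0) * self.user_rate

    def revenue_cost(self) -> float:
        return self.outage_hours * self.hourly_revenue

    def cost_per_event(self) -> float:
        return self.remediation_cost() + self.productivity_cost() + self.revenue_cost()

    def annual_expected_loss(self) -> float:
        return self.cost_per_event() * self.events_per_year


# Step 2: business exposure.  Keys are the chapter's six exposure categories;
# the relative weights are constructed for this example, not published figures.
EXPOSURE_WEIGHTS = {
    "ecommerce_retail": 1.0,
    "b2b_transactions": 0.8,
    "internet_reliance": 0.6,
    "dispersed_workforce": 0.5,
    "electronic_data_interchange": 0.7,
    "sensitive_data": 0.9,
}


def exposure_factor(shares: dict) -> float:
    """Turn 'what fraction of the business each category comprises' (0..1)
    into a loss multiplier from 1.0 (no exposure) to 2.0 (fully exposed in
    every category).  The weighting scheme itself is a constructed heuristic."""
    for category, share in shares.items():
        if category not in EXPOSURE_WEIGHTS:
            raise ValueError(f"unknown exposure category: {category}")
        if not 0.0 <= share <= 1.0:
            raise ValueError(f"share for {category} must be between 0 and 1")
    weighted = sum(EXPOSURE_WEIGHTS[c] * s for c, s in shares.items())
    return 1.0 + weighted / sum(EXPOSURE_WEIGHTS.values())


def security_roi(scenarios, shares, annual_security_cost, mitigation):
    """Steps 3 and 4.  `annual_security_cost` is what the security program
    costs per year; `mitigation` is the fraction of expected loss it is assumed
    to prevent.  Returns (exposure-adjusted annual expected loss, ROI)."""
    if annual_security_cost <= 0:
        raise ValueError("security cost must be positive")
    if not 0.0 <= mitigation <= 1.0:
        raise ValueError("mitigation must be between 0 and 1")
    raw_loss = sum(s.annual_expected_loss() for s in scenarios)
    adjusted_loss = raw_loss * exposure_factor(shares)
    avoided_loss = adjusted_loss * mitigation
    roi = (avoided_loss - annual_security_cost) / annual_security_cost
    return adjusted_loss, roi


# Constructed sample input: two incident categories for a mid-sized firm.
SAMPLE_SCENARIOS = [
    BreachScenario("virus outbreak", staff_hours=16, staff_rate=75,
                   users_affected=48, downtime_minutes=60, user_rate=40,
                   events_per_year=4),
    BreachScenario("DoS on e-commerce site", staff_hours=8, staff_rate=75,
                   users_affected=0, downtime_minutes=0, user_rate=40,
                   outage_hours=4, hourly_revenue=2500, events_per_year=2),
]
SAMPLE_SHARES = {"ecommerce_retail": 0.5, "internet_reliance": 0.5,
                 "dispersed_workforce": 0.2}


if __name__ == "__main__":
    for s in SAMPLE_SCENARIOS:
        print(f"{s.name}: ${s.cost_per_event():,.0f} per event, "
              f"${s.annual_expected_loss():,.0f} per year")
    loss, roi = security_roi(SAMPLE_SCENARIOS, SAMPLE_SHARES,
                             annual_security_cost=20_000, mitigation=0.75)
    print(f"exposure-adjusted expected loss: ${loss:,.0f}/yr, ROI: {roi:.1%}")
```

With the sample values the virus scenario costs $3,120 per event ($1,200 of staff time plus the $1,920 productivity term), the DoS scenario $10,600, and a security program costing $20,000 a year that prevents three quarters of the exposure-adjusted expected loss shows a positive ROI. Replace the constructed figures with your own incident records, salary data, and the percentages you assigned to each exposure category, and the same structure becomes the financial-metrics worksheet the chapter suggests building with your company's financial expert.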
Cost of Security
The amount of money spent on security should match the risks associated with a potential breach of security (e.g., a financial firm has a higher risk profile than a paper supply company). However, both companies must assess their risk and decide on a reasonable level of protection. You can spend a lot of money on security, but at some point your ROI diminishes because you are outspending your risk.
When planning for the cost of security, evaluate the following:
■ Company size
■ Nature of company business
■ Government regulations
■ Reliance on e-commerce, Internet, and network connectivity
■ Nature of business transactions
■ Business structure (centralized, multiple locations, mobile workforce, and so on)
■ The tangible and intangible value of the information and company data
■ The potential impact of a security breach on the company's reputation and bottom line
One point that can be easy to miss in all of this is that your security really should be calibrated to the value of your company's data. To use an analogy, there's no point in putting a $5,000 alarm system on a 1979 Chevrolet Cavalier that has a rusted-out frame and 150,000 miles on it. It's probably pretty low on the list of cars that get stolen (no offense intended toward anyone who owns such a vehicle, but chances are you don't worry about it getting hot-wired in your driveway). On the other hand, if you own a $250,000 custom sports car, a $5,000 alarm system might not be enough. You might also add a LoJack system that disables the engine when the car is reported stolen, and you might also install a GPS tracking device so you can locate the vehicle if it is stolen. The point is that your security measures need to really take into account the value of the data and the potential impact if that data (or network services) are disrupted. However, since you will have to defend your budget, you also need to make sure your security solution is commensurate with the value of the data and network services and the relative cost of business disruption.