IT Security Project Management Handbook, S. Snedaker (Syngress)


Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE EBOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our ebooks onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.

Syngress IT Security Project Management Handbook
Susan Snedaker
Russ Rogers, Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  HJIRTCV764
002  PO9873D5FG
003  829KM8NJH2
004  BC1289MPQV
005  CVPLQ6WQ23
006  VBP965T5T5
007  HJJJ863WD3E
008  2987GVTWMK
009  629MP5SDJT
010  IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Syngress IT Security Project Management
Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Printed in Canada. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in Canada
ISBN: 1-59749-076-8

Publisher: Andrew Williams
Acquisitions Editor: Jaime Quigley, Erin Heffernan
Technical Editor: Russ Rogers
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editor: Judy Eby
Indexer: Odessa&Cie

Distributed by O’Reilly Media, Inc. in the United States and Canada. For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.

Acknowledgments
Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Author
Susan Snedaker (MBA, BA, MCSE, MCT, CPM) is Principal Consultant and founder of VirtualTeam Consulting, LLC (www.virtualteam.com), a consulting firm specializing in business and technology consulting. The company works with companies of all sizes to develop and implement strategic plans, operational improvements and technology platforms that drive profitability and growth. Prior to founding VirtualTeam in 2000, Susan held various executive and technical positions with companies including Microsoft, Honeywell, Keane, and Apta Software. As Director of Service Delivery for Keane, she managed 1200+ technical support staff delivering phone and email support for various Microsoft products including Windows Server operating systems. She is author of How to Cheat at IT Project Management (Syngress Publishing, ISBN: 1-597490-37-7), The Best Damn Windows Server 2003 Book Period (Syngress, ISBN: 1931836-12-4) and How to Cheat at Managing Windows Small Business Server 2003 (Syngress, ISBN: 1-932266-80-1). She has also written numerous technical chapters for a variety of Syngress Publishing books on Microsoft Windows and security technologies and has written and edited technical content for various publications. Susan has developed and delivered technical content from security to telephony, TCP/IP to WiFi, CIW to IT project management and just about everything in between (she admits a particular fondness for anything related to TCP/IP). Susan holds a master’s degree in business administration and a bachelor’s degree in management from the University of Phoenix. She also holds a certificate in advanced project management from Stanford University. She holds Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Trainer (MCT) certifications. Susan is a member of the Information Technology Association of Southern Arizona (ITASA) and the Project Management Institute (PMI).

Technical Editor
Russ Rogers (CISSP, CISM, IAM, IEM, HonScD), author of the popular Hacking a Terror Network (Syngress Publishing, ISBN 1928994-98-9), co-author on multiple other books including the best selling Stealing the Network: How to Own a Continent (Syngress, ISBN 1-931836-05-1) and Network Security Evaluation Using the NSA IEM (Syngress, 1-597490-35-0), and Editor in Chief of The Security Journal, is Co-Founder, Chief Executive Officer, and Chief Technology Officer of Security Horizon, a veteran-owned small business based in Colorado Springs, CO. Russ has been involved in information technology since 1980 and has spent the last 15 years working professionally as both an IT and INFOSEC consultant. Russ has worked with the United States Air Force (USAF), National Security Agency (NSA), and the Defense Information Systems Agency (DISA). He is a globally renowned security expert, speaker, and author who has presented at conferences around the world including Amsterdam, Tokyo, Singapore, Sao Paulo, and cities all around the United States. Russ has an Honorary Doctorate of Science in Information Technology from the University of Advancing Technology, a Masters Degree in Computer Systems Management from the University of Maryland, a Bachelor of Science in Computer Information Systems from the University of Maryland, and an Associate Degree in Applied Communications Technology from the Community College of the Air Force. He is a member of both ISSA and ISACA and co-founded the Global Security Syndicate (gssyndicate.org) and the Security Tribe (securitytribe.com), and acts in the role of professor of network security for the University of Advancing Technology (uat.edu).

Russ would like to thank his father for his lifetime of guidance, his kids (Kynda and Brenden) for their understanding, and Michele for her constant support. A great deal of thanks goes to Andrew Williams and Jaime Quigley from Syngress Publishing for the abundant opportunities and trust they give me. Shouts go out to UAT, Security Tribe, the GSS, the Defcon Groups, and the DC Forums. I’d like to also thank my friends, Chris, Greg, Michele, Ping, Pyr0, and everyone in #dc-forums that I don’t have room to list here.

Special Contributors
A special thank you to the following authors for contributing their expertise to various sections of this book: Bryan Cunningham, Principal at the Denver law firm of Morgan & Cunningham LLC, Norris Johnson, Mike Rash, Frank Thornton, Chris Hurley, and Mike O’Dea.

Index (excerpt, pages 600–612)

D
deliverables, 318
denial of service attacks. See DOS attacks
departmental requirements, 56
dependencies, 130
deployment, 69; preparing for, 175, 187
depth in defense, infrastructure security plans and, 358
devices: network security checklist and, 370, 421; wireless, 445–447
direct access, wireless security plans and, 471
disaster planning, operational security plans and, 530, 585
disaster recovery, operational security plans and, 554–559
dispersed workforce, business exposure and, 12
distributed denial of service attacks. See DDOS attacks
DMZs, 372
documentation, 156, 166; operational transfer and, 176, 177, 187; procedures and, 67; reporting for, 181–184, 188; reviewing original vs. final, 183
DOS attacks, 280, 313; infrastructure security plans and, 362
duration of tasks, 129

E
earned value analysis (EVA), 155
e-commerce retail sales, business exposure and, 11
economic impact of security breaches,
ECPA (Electronic Communications Privacy Act), 199
effort of tasks, 129
Electronic Communications Privacy Act (ECPA), 199
electronic data interchange, business exposure and, 12
enforcement of laws, 201
enumeration, 270
equipment: risk assessment costs and, 291; theft of, 286
error reports, closing out, 173, 187
error tracking, 66
escalation procedures, 67
estimating projects, 252
ethical hackers, 216
EVA (earned value analysis), 155
executive support for security projects, 15, 28
expertise, 132
experts: LOA and, 200; mitigating legal liabilities and, 209; subject matter, 445
external user requirements, 56
extranets, 268

F
Family Educational Right to Privacy Act (FERPA), 198
FBI data on security breaches, 4, 27
Federal Information Security and Management Act of 2002 (FISMA), 197
federal laws, 193, 194–200, 255
FERPA (Family Educational Right to Privacy Act), 198
financial competency, 104, 114
financial requirements, 326
findings reports, 316, 319
firewalls, network security checklist and, 401–404
FISMA (Federal Information Security and Management Act of 2002), 197
four C’s of communication, 140
functional requirements, 79, 91, 326; corporate security plans and, 230; faulty, 219; infrastructure security plans and, 410; operational security plans and, 571; wireless security plans and, 487

G
Gartner Group data on business failures, 15
GLBA (Gramm-Leach-Bliley Act), 194, 562
governmental requirements. See regulatory requirements
Gramm-Leach-Bliley Act (GLBA), 194, 562
Guidelines Establishing Standards for Safeguarding Customer Information, 194

H
hackers, 216–218; ethical, 216. See also attacks
hand-offs, 173–178
HIPAA (Health Insurance Portability and Accountability Act of 1996), 34, 38, 55, 56, 79, 195–197; operational security plans and, 561
host active response systems, 377
host discovery, 311
hosts, 266
human factors, security and, 220

I
ID cards, 305
identifying: security project team requirements, 96–105, 114; staffing requirements/constraints, 105–107, 114; training requirements, 109
identity theft, 280; wireless security plans and, 468
IDS (intrusion detection systems), 266; infrastructure security plans and, 374, 380, 404, 423
IEC (International Engineering Consortium), 242
impact analysis, 293–295; infrastructure security plans and, 349; wireless security plans and, 483
implementation, preparing for, 174, 187
incident response teams, 84
incident response, operational security plans and, 521–537, 584
incorrect assumptions, 222
Individual Security Area Projects. See ISAPs
influential stakeholders, 54, 72
information reconnaissance/gathering, 311
informed stakeholders, 54, 72
InfoSec World conference, 151
infrastructure security plans, 345–440; baselines for, 356; criticality of findings and, 348; infrastructure systems and, 350; network security checklist for, 369–408; outline for, 432, 440; parameters of, 408–419, 436; schedules/budget spending and, 431; threats and, 360–369; WBS for, 420–427
infrastructure, standardizing, 20, 28
“insider” security breaches, 4, 27
insurance, 558; mitigating legal liabilities and, 211
integrity, 34
internal network, 266
International Engineering Consortium (IEC), 242
internet connectivity/reliance, business exposure and, 12
interpersonal requirements, security project team and, 97, 114
intrusion detection systems. See IDS
intrusion prevention systems. See IPS
intrusive attacks, 312–315
involved stakeholders, 54, 72
IPS (intrusion prevention systems), infrastructure security plans and, 374, 380, 404, 423
ISAPs (Individual Security Area Projects), 3, 59, 118; competencies and, 100; critical path and, 135, 145; testing, 88, 162, 167
ISO 17799, 539
issue tracking, 66
issues: closing out, 172, 186; managing, 155, 166; security, 218–223
IT security. See entries at security

K
kick-off meeting, 111, 116
known vulnerabilities, 271

L
legal competency, 104, 114
legal issues, war driving and, 454
legal liabilities, 296; mitigating, 204–212, 256; risk assessment and, 274, 286–288; wireless security plans and, 479
legal requirements, 326
legal standards, corporate security plans and, 192–212, 255; caution for, 192, 256; fallacies surrounding, 202, 256; mitigating legal liabilities and, 204–212, 256
lessons learned, 135; reporting for, 182; reviewing, 178–181, 188
LOA (Letter of Authorization), 200
log files, 306
logistical requirements, security project team and, 97, 114

M
MAC address filtering, 472
malicious data insertion, 284; legal liabilities and, 288
man-in-the-middle (MITM) attacks, 34; wireless systems and, 473
managing security projects, 147–167; monitoring/managing progress and, 149–157, 165
master plan, 3, 118
media, network security checklist and, 370, 421
meetings, 58
milestones. See schedules/milestones
mission statement, 37, 47, 321; operational security plans and, 567
mitigation plans, defining, 318
mitigation strategies, 204–212, 256; infrastructure security plans and, 427–429, 438; operational security plans and, 584, 594; wireless security plans and, 506, 514
MITM (man-in-the-middle) attacks, 34; wireless systems and, 473
monitoring quality, 85–88, 92

N
negligence, mitigating legal liabilities and, 205
negotiation competency, 103, 114
NetStumbler, 455
network active response systems, 375
network assets, wireless security plans and, 467
network components, network security checklist and, 382–388
network management, network security checklist and, 392–397
network processors, 378
network security checklist, 369–408
network services, auditing, 278
network skills, corporate security plans and, 233, 257
network sniffing, 313
networks: encrypted, wireless systems and, 476–478; internal, 266; public access, 295; threats and, top-10 list of, 367. See also infrastructure security plans
non-intrusive attacks, 310–312, 341

O
objectives. See security projects, objectives of
operating system attacks, 368
operating system skills, corporate security plans and, 233
operational security plans, 517–595; auditing, 519–565, 591; compliance and, 559–565; disaster planning and, 530; disaster recovery and, 554–559; incident response and, 521–537; outline for, 587–589; parameters of, 565–577, 593; security policies and, 537–554; training and, 531–537; WBSs and, 579–584, 594
operations, 69; reviewing, 309; transfer, preparing for, 176–178, 187
organization: infrastructure security plans and, 420, 438; operational security plans and, 578, 593; wireless security plans and, 501, 513
organizational change, 133, 160
organizational requirements: infrastructure security plans and, 353; security project team and, 97, 114
outcomes, defining, 37, 47
owner of tasks, 126

P
PANs (personal area networks), 460
password attacks, 313
password policies, 17
passwords, task completion example for, 152
patches/updates, 271
penetration testing, 272–274; legal liabilities and, 203
people: terminology and, 264; testing and, 137
percent complete method, 155
perimeter, 265
personal area networks (PANs), 460
Personal Identification Number (PIN), 305
personal information exposure, 281
physical policies, 305
PIN (Personal Identification Number), 305
planning: budget spending, 12; quality, 76–85, 91; security projects, 117–146
policies: corporate, 24, 56; infrastructure security plans and, 353, 412; operational security plans and, 585; reviewing, 304–308; security project team and, 97; types of, 304; wireless security plans and, 491
political requirements, security project team and, 114
port scans, 312
prevention, vs. remediation, 6–8, 27
priorities, setting based on constraints, 47, 48
problem statement, 36, 320
problems. See issues; lessons learned
procedures, 109–111, 113, 116, 308, 333; corporate security plans and, 237–239, 257; infrastructure security plans and, 353, 418; operational security plans and, 576; wireless security plans and, 499
processes, 61–70, 73, 109–111, 113, 116, 333; corporate security plans and, 237–239, 257; infrastructure security plans and, 351, 418; list of, 61; operational security plans and, 576; reviewing, 308; terminology and, 264; testing and, 137; wireless security plans and, 499
program management, 139
programming skills, corporate security plans and, 235, 257
progress, monitoring/managing, 149–157, 165
progressive elaboration, 252
project definition team, 108
project estimating, 252
project management process, 20
project manager, experienced, 17, 28
proposals, developing, 44, 49
public access networks, 295

Q
quality, 21, 42, 48, 56, 75–93, 330; corporate security plans and, 229, 257; infrastructure security plans and, 415; measuring, 65; monitoring, 85–88, 92; operational security plans and, 570; planning, 76–85, 91; reiterating importance of at project kick-off, 149, 165; testing, 88, 92; wireless security plans and, 495
quality metrics, 82, 91

R
regulatory competency, 104, 114
regulatory requirements, 56, 134; change management and, 161. See also compliance
remediation: vs. prevention, 6–8, 27; real cost of, 10
remote access, 268; infrastructure security plans and, 373; network security checklist for, 405–408
reporting, 181–184, 188, 309, 315–320, 342; criticality of findings and, 317; errors, 173, 187; findings reports and, 316, 319; status, 66, 182; vulnerabilities, 317
reporting competency, 104, 114
requirements, 72; corporate security plans and, 230; faulty, 219; infrastructure security plans and, 409–412; operational security plans and, 571–574; regulatory, 56, 134, 161; wireless security plans and, 486–492
requirements team, 108
resources, 127
resources for further reading: compliance, 134, 200; corporate security plans, 191, 213; economics of computer security, 14; five A’s of SAN security, 80; InfoSec World conference, 151; IT project management, ; log files, 307; operating system attacks, 368; rootkit attacks, 285; war driving, 452
responsibilities of security project team, 97–99, 114
return on investment (ROI): calculating, 14; developing for IT security,
risk assessment, 274–293; tools for, 520
risks, 140, 146, 245–247, 258, 336; infrastructure security plans and, 356–358, 427–429, 438; monitoring/managing, 62, 157, 166; operational security plans and, 530, 584, 594; wireless security plans and, 463, 506, 514
ROI (return on investment): calculating, 14; developing for IT security,
rootkit attacks, 284, 285; infrastructure security plans and, 382
routers/routing, network security checklist and, 398–401

S
SAN (Storage Area Networks), functional requirements and, 80
Sarbanes-Oxley Act (SOX), 56, 197, 203, 563
SAS70, 541
schedules/milestones, 19, 21, 154; as constraint, 41, 48; corporate security plans and, 227, 248–253, 257, 259; defining, 129, 318; developing, 139, 146, 337; finalizing schedules and, 329; infrastructure security plans and, 413, 431, 439; operational security plans and, 569, 586, 595; wireless security plans and, 493, 508, 515
scope, 19, 21, 40, 48, 56, 327–329; checking, 123–125, 144; corporate security plans and, 225–227, 257; infrastructure security plans and, 351, 413; operational security plans and, 568; wireless security plans and, 492
security: corporate culture and, 30; corporate strategy and, 23; cost of, see budget spending and cost of security; human factors and, 220; policies and, 221; reasons for failure, 218–223, 257
security breaches: economic impact of, ; “insider,” 4, 27; preventing vs. fixing, cost considerations and, 6–8, 27; recent cases of, 10; ultimate cost of, 14
security mistakes, 271, 297
security policies: creating, 542–552; maintenance for, 553; operational security plans and, 537–554
security problem, defining, 32–37, 47
security project management, 1–30
security project plans, 117–146; components of, 3, 214; corporate, 189–259; creating, 320–338, 343; defining, 31–50; infrastructure, 345–440; operational, 517–595; parameters of, 325–334; problem statement and, 36; reporting for, 182; requirements of, 55–57, 325–327; wireless, 441–515. See also security projects
security project results, testing, 136–138, 145, 161–163, 167
security project solutions, 322–325; optimal solution, defining, 39; potential, defining, 38, 48
security project sub-tasks, defining, 121, 144
security project tasks: assigning, 318; completion criteria and, 151–154; completion of, evaluating, 170, 186; defining, 121, 144; details of, 125–135, 144; reviewing before security project kick-off, 148, 165
security project team, 52, 71, 95–116, 333; corporate security plans and, 231; distributing opportunities and, 100; formally announcing project kick-off to, 149; forming, 108–116, 115; geographically dispersed members and, 112; identifying, 96–105; incident response and, 523–529; infrastructure security plans and, 419, 437; operational security plans and, 577, 593; requirements for, identifying, 114; roles of, 97–99, 114; teams comprising, 108; wireless security plans and, 500, 513
security projects: closing out, 169–188, 186; completion of, evaluating, 170–172, 186; constraints and, 21, 29; formal announcement of kickoff, 149, 165; kick-off meeting for, 111, 116; managing, 147–167; objectives of, 18, 59, 72, 321; parameters of, 342; planning, see security project plans; progress of, monitoring/managing, 154, 165; success factors of, 15–21, 28
Security Rule, 195
security spending. See budget spending
security tools skills, corporate security plans and, 234, 257
sensitive data, 12, 277; wireless security plans and, 466
server discovery, 311
servers, 266
session hijacking, 314
settings, security mistakes and, 271
skills, 331; corporate security plans and, 231–236, 257; infrastructure security plans and, 415–417; operational security plans and, 574; technical/non-technical, 331; wireless security plans and, 497
social engineering, 263, 267
solutions. See security project solutions
SOPs (standard operating procedures), 84, 91
source integrity, 34
SOX (Sarbanes-Oxley Act), 56, 197, 203, 563
spending. See budget spending
sponsors, 45, 49; checking with before security project kick-off, 149; keeping informed on project status, 155
spoofing, 314
staffing, 332; acquiring needed, 107, 115; changes in, 160; corporate security plans and, 236, 257; identifying requirements/constraints, 105–107, 114; infrastructure security plans and, 351; operational security plans and, 575; risk assessment costs and, 289; wireless security plans and, 482, 499
stakeholders, 53–55, 72; change requests by, 158–160, 166; discussing risks with, 274; requirements of, 57
standard of care, mitigating legal liabilities and, 205, 209
standard operating procedures (SOPs), 84, 91
state laws, 200, 210, 256
status reporting, 66, 182
Storage Area Networks (SAN), functional requirements and, 80
subject matter experts, 53
success: criteria for, 62; perception of, 140
system configuration information, 269
system hardening, 380, 424

T
task owner, 126
TEACH (Technology, Education, and Copyright Harmonization Act), 198
technical competencies, 114
technical language, translating into user language, 103, 114
technical policies, 305–307
technical requirements, 81, 91, 101, 326; corporate security plans and, 230; faulty, 219; infrastructure security plans and, 410; operational security plans and, 572; security project team and, 97, 114; wireless security plans and, 488–490
technology: infrastructure security plans and, 355; terminology and, 264; testing and, 137
technology list for security projects, 242–244
Technology, Education, and Copyright Harmonization Act (TEACH), 198
terminology, 264
testing: quality, 88, 92; security project results, 136–138, 145, 161–163, 167
third-party attacks, 287
threat prevention, risk assessment and, 274, 279–286
time: risk assessment costs and, 292; wireless security plans and, 482. See also schedules/milestones
tools, 132; communication, 112
topologies, network security checklist and, 371, 422
trade secrets, 282
training, 14, 28, 70, 102, 114; operational security plans and, 531–537; reporting for, 182; requirements for, identifying, 109; risk assessment costs and, 290; security policies and, 552; team for, 108
translating technical language into user language, 103, 114
trend analysis, operational security plans and, 530

U
unauthorized access, 280
updates (software), 219, 271
user accounts, 268
user involvement in security projects, 17, 25, 28
user profiles, infrastructure security plans and, 352
user requirements, 55, 56, 78, 91, 326
users, 53, 141

V
viruses, 284; infrastructure security plans and, 364
vulnerabilities. See attacks
vulnerability scanning, 270–272

W
war driving/war dialing, 312, 470; wireless systems and, 450–459
WBSs (Work Breakdown Structures): checking scope and, 123–125, 144; corporate security plans and, 239–245, 258; creating, 118–121, 143, 335; infrastructure security plans and, 420–427, 435, 438; operational security plans and, 579–584, 594; reporting for, 182; wireless security plans and, 502–506, 514
wireless security plans, 441–515; auditing, 443–484; devices and, 445–447; hijacked networks and, 474; infrastructure security plan and, 373; outline for, 509, 515; parameters of, 485–500, 512; requirements and, 486–492; technologies and, 448; WBSs and, 502–506, 514
wireless technologies, 448
Work Breakdown Structures. See WBSs
worms, 284, 364

Syngress: The Definition of a Serious Security Library
Syn•gress (sin-gres): noun, sing. Freedom from risk or danger; safety. See security.

AVAILABLE NOW, order @ www.syngress.com
Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools
Christian B. Lahti, Roderick Peterson
Whether you work for a publicly traded or pre-IPO company or an IT consultant, you are familiar with the daunting task of complying with The Sarbanes-Oxley Act. You have no doubt seen the hour and dollar estimates for compliance go up and up. Now, you can regain control. This ground-breaking, fully integrated book and bootable, “live” CD provide all of the information AND the open source tools required for you to achieve SOX compliance the “cheap and easy” way.
ISBN: 1-59749-036-9
Price: $49.95 US, $69.95 CAN

COMING SOON, order @ www.syngress.com
Network Security Assessment: From Vulnerability to Patch
Steve Manzuik, Ken Pfeil, Andre Gold
This book will take readers from the discovery of vulnerabilities and the creation of the corresponding exploits, through a complete security assessment, all the way through deploying patches against these vulnerabilities to protect their networks. Network Security Assessment is unique in that it details both the management and technical skill and tools required to develop an effective vulnerability management system. Business case studies and real-world vulnerabilities are used throughout the book.
ISBN: 1-59749-101-2
Price: $59.95 US, $77.95 CAN

AVAILABLE NOW, order @ www.syngress.com
Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft
Dr. Eric Cole and Sandra Ring
As network defense perimeters get stronger and stronger, IT, security, law enforcement, and intelligence professionals are realizing that the greatest threats to their networks are increasingly coming from within their own organizations. These insiders, consisting of current and former employees or contractors, can use their inside knowledge of a target network to carry out acts of sabotage, espionage, and theft of data.
ISBN: 1-59749-048-2
Price: $34.95 US, $48.95 CAN

Preview excerpts (truncated in the source)
... this project
Chapter: IT Security Project Management Building Blocks
Solutions in this chapter:
■ Corporate Security Project Plan Components
■ The True Cost of IT Security
■ IT Security Project...
Figure 1.1 Corporate Security Project Plan Components: Corporate IT Security Project Plan; Individual Security Area Project...
Managing the IT Security Project 147
Introduction 148
Initiating the IT Security Project 148
Monitoring and Managing IT Security Project

Posted: 10/04/2017, 14:38
