
SLS Information Security First Draft WBS

Task or Subtask | Resources | Start & End Dates | Estimated Effort Hours | Estimated Capital Expense | Estimated Non-Capital Expense | Dependencies
1 Contact network engineering team to ensure hardware device is compatible with network infrastructure | Network Architect | S: 4/15 E: 4/17 | 2 | $0 | $200 |
2 Purchase Web Filter | Network Architect & Purchasing Group | | | $0 | $0 |
2.1 Order Web Filter through purchasing group | Network Architect | S: 4/18 E: 4/18 | | | |
2.2 Order Web Filter from manufacturer | Purchasing Group | S: 4/19 E: 4/19 | | $18,000 | $0 | 2.1
2.3 Web Filter delivered | Purchasing Group | E: 5/10 | | $0 | | 2.2
3 Purchase Technical Support Contract | Purchasing Group | S: 4/19 E: 4/19 | | $3,240 | $0 |
4 Purchase additional software components | Purchasing Group | S: 4/19 E: 4/19 | | $550 | $0 |
5 Submit change request to implement hardware | Change control board | S: 5/10 E: 5/27 | | $0 | $0 |
6 Administrator attends training on new hardware device | Training department and administrator | S: 5/27 E: 6/01 | 40 | $0 | $0 |
7 Installation/configuration of hardware and software components | Contracted vendors | S: 5/27 E: 6/10 | 150 | $0 | $21,000 | 2,4

SLS Ongoing Support WBS

Task or Subtask | Resources | Start & End Dates | Estimated Effort Hours | Estimated Capital Expense | Estimated Non-Capital Expense | Dependencies
1 Ongoing Administrative Functions | Administrator | Ongoing | 4 per week | $0 | $0 |
2 Monthly subscription | Administrator and Purchasing Group | Ongoing | | $250 per month | $0 |

http://webfuse.cqu.edu.au/Courses/2008/T1/COIT13211/Study_Schedule/tute10.htm

Certified Information Systems Security Professional

CISSP Exam (10 domain areas)
1 Access Control
2 Application Security (changed to "Software Development Security")
3 Business Continuity and Disaster Recovery Planning
4 Cryptography
5 Information Security and Risk Management
6 Legal Regulations, Compliance, and Investigations
7 Operations Security
8 Physical (Environment) Security
9 Security Architecture and Design
10 Telecommunications and Network Security

Revised CISSP objectives (new or reworded items marked):
1. ACCESS CONTROLS
A. Control access by applying the following concepts/methodologies/techniques
new 1.B.1 Threat modeling
new 1.B.2 Asset valuation
new 1.B.3 Vulnerability analysis
new 1.B.4 Access aggregation
new 1.C.1 User entitlement
new 1.C.2 Access review & audit
new 1.D Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)
2. TELECOMMUNICATIONS & NETWORK SECURITY
reworded 2.A Understand secure network architecture and design (e.g., IP & non-IP protocols, segmentation)
new 2.A.1 OSI and TCP/IP models
new 2.A.2 IP networking
new 2.A.3 Implications of multilayer protocols

Systems Security Certified Practitioner

SSCP Exam (7 areas)
1 Access Control
2 Cryptography
3 Malicious Code and Activity
4 Monitoring and Analysis
5 Networks and Communication
6 Risk, Response, and Recovery
7 Security Operations and Administration

COIT 13211 Security and the Internet - Module 10 Review Questions

1. True or False. It is good practice for an organization to install all information security components at once.

2. True or False. Planners do not need to estimate the expected non-capital expenses for the completion of the task, subtask, or action item.

3. Based on the feedback loop shown in the figure above, corrective action is required when ____.
(a) the estimate was flawed AND performance has lagged
(b) EITHER the estimate was flawed OR performance has lagged
(c) only the estimate was flawed, BUT NOT when performance has lagged
(d) performance has lagged, BUT NOT when the estimate was flawed
(e) None of the above

4. The security systems development life cycle (SecSDLC) is made up of ____ phases.
(a) four (b) five (c) six (d) seven (e) eight

5. The involvement step to reduce resistance in change means getting key representatives from user groups to serve as members of the SecSDLC development process. In systems development this is referred to as joint ____ development or JAD.
(a) application (b) association (c) assistance (d) appreciation (e) available

6. What is the primary objective of the implementation phase of a project plan for information security?

7. What is projectitis? How is it cured or its impact reduced?

8. Are there concrete rules about what a capital expense is and what it is not? What is a general guideline?

9. List and describe the four layers of the bulls-eye model for security project planning.

10. Create a first draft of a WBS (Work Breakdown Structure) from the scenario below. Make assumptions as needed based on the section about project planning considerations and constraints in the chapter. In your WBS, describe the resources required for the tasks you have planned.

Scenario

Sequential Label and Supply is having a problem with employees surfing the Web to access material the company has deemed inappropriate for use in a professional environment. The technology exists to insert a filtering device in the company Internet connection that blocks certain Web locations and certain Web content. The vendor has provided you with some initial information about the filter. The hardware is an appliance that costs $18,000 and requires a total of 150 effort-hours to install and configure. Technical support on the appliance costs 18 percent of the purchase price and includes a training allowance for the year. A software component is needed for administering the appliance that runs on the administrator's desktop computer and it costs $550. A monthly subscription provides the list of sites to be blocked and costs $250 per month. The administrator must spend an estimated four hours per week for ongoing administrative functions.

Items you should consider:
Your plan requires two sections, one for deployment and another for ongoing operation after implementation.
The vendor offers a contracting service for installation at $140 per hour.
Your change control process requires a 17-day lead time for change requests.
The manufacturer has a 14-day order time and a 7-day delivery time for this device.

Creating a WBS can be quite challenging when you haven't had practice at the task.

Discussion Question
Would outsourcing your security always be a good idea? Why or why not?

Internet/Laboratory Exercises

1. Have a look at the short articles and papers on the pitfalls of and best practices for project management at http://www.projectsmart.co.uk/articles.html

2. There are many project management software tools available for fairly large software prices; here are a few that you can have a look at which are reasonably priced or free.
WBS Chart Pro at http://www.criticaltools.com/wbsmain.htm produces Work Breakdown Structures in conjunction with Microsoft Project or standalone. Sample usually installed in the Program Files/WBS Chart Pro directory.
Can-Plan freeware at http://can-plan.20m.com/ (requires Microsoft Excel to run). The section on the Six Phases of a Project and Rewards for the Project Manager at the bottom of the DOC worksheet can be very true if project planning doesn't work out.
For a web browser based demo of Project Management software go to onProject, Inc's http://www.onproject.com/con_Brands/onproject/cfm_HomePage/products/asp.cfm and click the demo link.
More links to project management software at http://www.startwright.com/project1.htm

3. Some brief articles on outsourcing security which could well help in the discussion above.
http://www.csoonline.com/read/050105/offshore.html
http://www.csoonline.com/read/030104/counsel.html
http://www.csoonline.com/read/070104/counsel.html
Articles from CSO Magazine (Resources for security executives): http://www.csoonline.com/

4. Some interesting articles on change management. Any large project needs to cater for the effects of change to an organization. Remember change management is about people.
http://itmanagement.earthweb.com/service/article.php/3512091
Series of articles here: http://www.change-management.com/articles.htm

Review Question Answers

1. False
2. False
3. b
4. c
5. a
6. The project plan delivers instructions to the individuals who are executing the implementation phase. These instructions focus on the security control changes needed to the hardware, software, procedures, data, and people that make up the organization's information systems. The major steps in executing the project plan are: planning the project, supervising tasks and action steps, and wrapping up.
7. This is when the project manager spends more time documenting project tasks, collecting performance measurements, recording information, and updating information than they spend on accomplishing meaningful project work. This can be avoided by using simple tools to focus on organization and coordination.
8. There are no concrete rules for what is a capital expense. Most companies budget and expend capital according to their own established procedures. The general guidelines are usually separated by expenses for durable assets and expenses for other purposes. The most important thing is to know your established procedures.
9. The fundamental concept is that issues are addressed from the general to the specific and that the focus is on systematic solutions instead of individual problems.
1. Policies: The foundation of all effective information security programs is sound information security and information technology policy.
2. Networks: The threats from public networks meet the organization's networking infrastructure.
3. Systems: This layer includes computers used as servers, desktop computers, and systems used for process control and manufacturing systems.
4. Applications: This layer includes packaged applications, such as office automation and e-mail programs as well as high end enterprise resource planning (ERP) packages that span the organization.
10. Draft Sample Implementation WBS

Item | Task | Resources | Start & End Dates | Effort Hours | Capital Expense | Non-Capital Expense | Dep.
1 | Contact Network team to ensure hardware device will work with network infrastructure | Network Engineers | S: 11/25 E: 11/27 | 2 | $0 | $100 |
2 | Purchase Web Filter | Network Engineer & Purchasing Group | S: 11/28 E: 12/19 | 1 | $18,000 | $0 | 1
3 | Purchase Technical Support Contract | Purchasing Group | S: 11/28 E: 12/19 | 1 | $3,240 | $0 | 1
4 | Purchase additional software components | Purchasing Group | S: 11/28 E: 12/19 | 1 | $800 | $0 | 1
5 | Submit change request to implement hardware | Change control board | S: 12/19 E: 01/06 | 1 | $0 | $0 | 2
6 | Send administrator to training on device | Training center and Administrator | S: 01/06 E: 01/10 | 40 | $0 | $0 | 3
7 | Install hardware and software components | Outside vendors | S: 01/06 E: 01/20 | 150 | $0 | $21,000 | 2,4

Ongoing Support

Item | Task | Resources | Start & End Dates | Effort Hours | Capital Expense | Non-Capital Expense | Dep.
1 | Ongoing administration of device | Administrator | Ongoing | 4/WK | $0 | $0 |
2 | Monthly subscription | Administrator/Purchasing Group | Ongoing | | 250/Month | $0 |


IT Project Manager

Description/Comment: Typically responsible for mid to large sized projects. Impact is on the entire function or process. Defines and monitors project team resources. 10+ years of relevant experience or equivalent combination of education and work experience. Ability to lead mid- to large-sized project teams. Ability to communicate clearly and present at senior leadership levels. Ability to manage risk and project decisions. Proficient in negotiating and conflict management. Undergraduate degree and 6-8 years relevant experience or Graduate degree and 8-10 years relevant experience.

Additional Job Details: Healthcare Financial Management workstream experience preferred. Healthcare Payer industry experience preferred. Agile / SDLC experience preferred.

Financial Management workstream is defined as: Design and development of financial management (FM) capabilities, across all customer types (e.g., small businesses, brokers, subsidized and non-subsidized customers), including associated business requirements, deployment of relevant technology and definition of required recruiting, hiring and training of financial management staff.

IT Infrastructure Project Manager

About the Job

SUMMARY OF RESPONSIBILITIES
Plan, coordinate and oversee projects from inception, initiation, elaboration, construction, implementation and closeout phases. Utilize a variety of business processes and tasks in completing multiple projects and issues. Assemble project teams, assign responsibilities, identify resources, and develop schedules for timely completion of projects. Independently assess situations, research available options and work with other functional and business areas to realize solutions and guide successful completion.

ESSENTIAL JOB FUNCTIONS
Responsible for developing, implementing, and completing projects that require coordination of resources across multiple departments.
Prepare department budget and forecast future departmental projects ensuring effective and efficient use of resources.
Identify, negotiate for, and manage cross-functional project resources and manage their deliverables required to complete projects and coordinate execution of business applications projects/procedures with other departments.
Assist business area owners in the preparation of their project budget requirements ensuring effective and efficient use of resources.
Facilitate, calculate, and complete Project Funding Requests (PFRs) for projects and implement within established guidelines and timelines.
Recommend alternative technologies or approaches to projects.
Compile, analyze, prepare, and present reports on project status.
Track progress of testing and identify solutions to correct deviations from required timelines,
