Version 0.

0
Date

RISK ASSESSMENT AND PEN TESTING


PROJECT CHARTER
FOR
WAS REMOVED

Document Control
Document Publication History
Document Prepared By

(SARA-IT)

Document Reviewed By

Iyad Abou Hawili (SARA-IT)

Document Approved By

<To be approved> ----------------- Was removed

Effective Date

Was Removed

Document Revision History

Ver. | Date | Name | Role | Summary of Changes
1.0 | Was Removed | Iyad Abou Hawili | Consultant | Initial draft

Document Distribution List

# | Name | Department/Organization | Purpose
1. | Iyad Abou Hawili | SARA-IT | Review & Approval
2. | Was removed | | Review & Approval
3. | | |

Document Approval History
Ver.
Date
Name
1.0

Role

Comments

SARA-IT
Was removed

Authorized Signatory (Printed Version)


Name
Date

Signature

For Was removed:

For SARA-IT:
Iyad Abou Hawili

Confidential Document
Not to be circulated or reproduced without appropriate authorization

Abbreviation

IT: Information Technology
ISST: Information Systems Security Testing
IS: Information Security
RA: Risk Assessment
VA: Vulnerability Assessment
PT: Penetration Testing
SOW: Statement of Work
WAN: Wide Area Network
LAN: Local Area Network
WAS REMOVED: Was removed
WAS REMOVED: Was Removed

TABLE OF CONTENTS

ABBREVIATION
1. INTRODUCTION
2. PROJECT SCOPE, GOAL & OBJECTIVES
2.1. PROJECT SCOPE
2.2. PROJECT GOAL
2.3. PROJECT OBJECTIVES
3. CRITICAL SUCCESS FACTORS
4. STATEMENT OF WORK
4.1. PHASE 1: PROJECT INITIATION & SYSTEM STUDY
4.2. PHASE 2: RISK ASSESSMENT
4.3. PHASE 3: IS SECURITY TESTING
5. PROJECT MILESTONES & INVOICING POINTS
6. PROJECT COMMUNICATIONS
7. ASSUMPTIONS
8. PROJECT TEAM
8.1. PROJECT ORGANIZATION STRUCTURE
8.2. PROJECT TEAM ROLES & RESPONSIBILITIES
9. PROJECT PLAN SIGN OFF
10. PROJECT CHANGES
11. PROJECT CLOSURE SIGN OFF

1. Introduction
(Was removed) creates, designs, supervises and manages projects that have the potential to better
society. We build on our proven multidisciplinary expertise and offer regional urban planning and
comprehensive architectural and engineering consulting services. WAS REMOVED focuses on
delivering innovative solutions that meet clients' real needs.
With a history of success and a network of subsidiaries and sister companies, WAS REMOVED provides
our clients with an integrated approach to reliable project delivery in the evolving globalized world.
Proactive rather than reactive, WAS REMOVED is at the forefront of new specialties and
advantageous alliances.
WAS REMOVED's services are all in-house, covering a broad spectrum of disciplines from architecture
to urban, transportation, energy, water, Geospatial Systems Integration, and oil & gas projects. We
enhance infrastructure, create new buildings, develop neighborhoods, and reshape entire cities.
Was Removed Integration, a Division of Was Removed, has requested that SARA-IT develop Risk
Assessment and Information Systems Security Testing for one of its clients in the Gulf as part of a
solution provided by Was Removed.
To complete this project and meet Information Security goals and objectives, Was Removed has
engaged SARA-IT as a subcontractor to perform Risk Assessment and Information Systems Security
Testing (ISST) on the solution built by Was Removed for its client. This Risk Assessment and IS Security
Testing shall meet the Was Removed Security Management Process and Information Security Policies.

2. Project Scope, Goal & Objectives


2.1. Project Scope
Was Removed has decided to engage SARA-IT to perform Risk Assessment and IS Security Testing
on the solution built by Was Removed for one of its clients in Abu Dhabi, in the staging environment. This
is part of a complete solution provided by Was Removed.

2.2. Project Goal


1. Perform Risk Assessment for a specific Solution (Hardware and Software) located in their
client's Data Center in Abu Dhabi.
2. Perform Information Systems Security Testing for the same Solution.

2.3. Project Objectives


SARA-IT has set the following objectives to achieve the above defined project goals:
1. Define and establish The Scope of the project.
2. Identify supporting assets that belong to the Scope defined above that is compliant with Was
Removed IS Standards.
3. Assess Impact on defined Assets.
4. Identify Threats and Vulnerabilities, then identify Risks.
5. Perform Vulnerability Assessment then Penetration Testing after Defining Rules of
Engagement.

3. Critical Success Factors


The Critical Success Factors to achieve the above objectives of the project:
1. Support from Was Removed Division Head.
2. Support from Was Removed member staff by providing requested information within the time frame
and in the specified format and/or Template to SARA-IT consultant/s.
3. Active participation & support from Was Removed Project Team.
4. Active participation from Was Removed client's staff.
5. Timely collection of all existing documents relevant to this project from Was Removed and their
client.

6. Timely Sign-off for the project deliverable.

4. Statement of Work
4.1. Phase 1: Project Initiation & System Study
Objectives

Develop Project Management and tracking process for the project
Systems Study
o Understand the key business processes and underlying Solution infrastructure (Solution processes, systems, network, applications & Solution team).
o Study of current security structure, security architecture & processes, roles, skills set, and security culture
o Identify & document all information assets and identify their criticality & sensitivity to Solution operations, and develop classification mechanisms
o Develop The Scope Document
Identify & document all information assets, their criticality & sensitivity to business operations, and develop classification mechanisms.

Deliverables

Project Charter, Project Plan and Project Tracking Process Documents
Asset Register
Asset classification guidelines

4.2. Phase 2: Risk Assessment


Objectives

Conduct Comprehensive Risk Assessment for the Solution infrastructure (information systems, & applications) that constitute the Solution provided by WAS REMOVED to their Client. This would include:
o Threat & Vulnerability Assessment and Risk Analysis for all assets
Risk Profiling & Prioritization based on their severity & criticality rating and based on Risk Assessment results.

Deliverables

Risk Management Methodology Document
Comprehensive Risk Assessment Report

4.3. Phase 3: IS Security Testing


Objectives

Perform Information Systems Security assessment (Vulnerability Assessment and Penetration testing). This will include:
o Information Systems security assessment (Vulnerability and Penetration Testing) of sample IT systems as a separate work stream (applications and servers).

Deliverables

Vulnerability Assessment Report
Penetration Testing report

5. Project Milestones & Invoicing Points


Columns: Task, Start Date, End Date. All Start Date and End Date values: Was Removed.

Phase 1 - Project Initiation & System Study
  Project Management
    Project Kickoff Meeting
    Develop Project Management and tracking process for the project
  System Study
    Information Collection: Procedures, etc.
    Systems Study: Interview with respective team
  Scope
    Analysis of Inclusions and Exclusions for scoping
    Scope Diagram & Scope Document preparation
    Preparing Scope and Assets Documents
Invoice Point I: At completion of Phase 1: US$

Phase 2 - Risk Assessment
  Risk Assessment
    Asset Identification
    Risk Assessment Methodology & set Baseline Acceptable Risk Value
    Asset Register Preparation
    Evaluate Threats, Vulnerabilities and Existing Controls
Invoice Point II: At completion of Phase 2: US$

Phase 3 - IS Security Testing (Vulnerability and Penetration Testing)
  Security Testing
    Conduct Vulnerability Assessments
    Conduct Penetration Testing
Invoice Point III: At completion of Phase 3: US$


Total Amount of the Project: US$
Note: Dates are in DD-MON-YY format.
Total cost DOES NOT include cost of Travel, Accommodation, visa, etc. to the Client
premises, if needed. These costs will be paid after 7 days of submitting the invoice
by the consultant.
N.B.
Other additional works requested by Was Removed or his client that are not part of the
Statement Of Work - SOW - described above will be invoiced separately.

6. Project Communications
During the course of the project, it will be important to communicate the schedule, progress and other
issues related to this project to key stakeholders. The following platforms & parameters shall be
considered for the same:
Process: Weekly Project Progress
Agenda:
1. Project Update to the Project Sponsor & Project Manager
2. Update on weekly project progress
3. Any delays, issues & risks
Involvement:
1. SARA-IT Consultant
2. WAS REMOVED Project Sponsor
3. WAS REMOVED Project Manager
Frequency: Weekly
Medium: Email

Process: Project Review
Agenda:
1. Project update to Project Sponsor, Project Manager and WAS REMOVED client.
2. Overall project progress in 1 month
3. Discussion on any issues & risks
4. Any other expectations from the project
Involvement:
1. SARA-IT Consultant
2. WAS REMOVED Project Sponsor
1. WAS REMOVED Project Manager
2. WAS REMOVED Client
Frequency: Monthly
Medium: Email

7. Assumptions
1. Was Removed will assign a single point of contact for all project related deliverables and activities.
2. Was Removed will provide SARA-IT with all required information and access to relevant personnel
related to this project on a timely basis. Making all the documents, drawings, reports, facilities, WAS
REMOVED personnel and other resources needed for the development work available is the
responsibility of WAS REMOVED.
3. Was Removed Project Team will coordinate actively with their client representative/s, wherever
required, during the course of the project.
4. Was Removed will be able to provide logistic support to SARA-IT while conducting discussions,
meetings, etc., that are relevant to this project.
5. Was Removed Client Representative/s appointed for this project should be well informed about the
Solution developed by Was Removed.
6. Was Removed would be able to manage requests for meetings, presentations, documents, etc., in
the earliest possible manner. Any other support needed for the satisfactory completion
of the work, such as provision of printing, photocopying, meeting rooms, and other needs, is
Was Removed's responsibility.
7. Was Removed will provide review comments for all the deliverables within 5 working days after the
date of submission. Deliverables without review feedback shall be treated as final after 5 days of
submission.
8. Members identified from Was Removed or their client to work on this project or activities related to
this project do accept the additional responsibilities assigned to them.
9. Necessary approvals such as conducting Risk Assessment, access to systems for data collection
for Vulnerability Assessment or Penetration Testing and others as deemed necessary are obtained
by Was Removed from their client and government agencies if needed.
10. SARA-IT will not be responsible for configuring or testing IT systems and other equipment procured
and implemented as a part of this project.
11. All deliverables submitted by SARA-IT will be developed and presented in English only.

8. Project Team
8.1. Project Organization Structure
A formal structure of the project team is necessary to effectively coordinate and perform project related
activities. Thus, a project organization structure that supports seamless communication and ensures
tasks are completed as per timeline is defined as below:

[Organization chart]
Project Sponsor: WAS REMOVED
Project Manager: WAS REMOVED
WAS REMOVED Project Management
SARA-IT Consultant
SARA-IT Technical Assistant

8.2. Project Team Roles & Responsibilities


The key roles and responsibilities for the Was Removed RA and ISST project are outlined below:
Was Removed - Project Sponsor, Was Removed
1. Ultimate authority of the project
2. Provide required funding for the project

3. Provide management support during the project.
4. Provide leadership in support of the project.
5. Remove obstacles that prevent the project from moving forward
6. Build trust among all stakeholders of the project. Champion the overall project activities
7. Take ownership of the project execution from Was Removed side.
8. Take key decisions during the project
9. Provide sign off on the project deliverables to SARA-IT
10. Provide sign off on the project closure to SARA-IT
11. Approve/Reject/Recommend changes to the project scope, as may be required.

Was Removed - Project Manager, Mr. ______________


1. Set functional/technical expectations on project deliverables
2. Manage the project planning and control with SARA-IT Consultant which may
include:
a. Ensuring project deliverables are in line with the project plan.
b. Managing project resources from WAS REMOVED side and their client
c. Managing project scope, change control and escalation of issues wherever necessary.

d. Recording and managing project issues and escalations.


3. Monitor closely project progress and its overall effectiveness
4. Review all project deliverables and provide suggestion for improvements
5. Ensure project meets the expectations of management
6. Review recommendations to the changes in project scope, if any.

SARA-IT Consultant, Mr. Iyad Abou Hawili


1. Act as subject matter expert for the project.
2. Accountable for the overall success of the project from SARA-IT side
3. Track project progress on a weekly basis with SARA-IT Technical Assistant
4. Address any project escalations and concerns
5. Ensure quality standards are maintained in all deliverables

6. Responsible for the overall success of the project from SARA-IT side.
7. Manage all expectations of Was Removed
8. Create Project Plan and track it on an ongoing basis.
9. Manage project deliverables in line with the project plan.
10. Ensure all project time lines are met
11. Ensure all deliverables meet the expectations of Was Removed
12. Provide project status updates to Was Removed management on a periodic basis
13. Ensure all assigned activities are completed on a timely basis
14. Maintains appropriate records of work in progress
15. Escalates all issues to project manager on a timely basis


9. Project Plan Sign Off


Questions | Your Response
Do you agree with the overall project plan? |
Do you have any special expectation that you would like to highlight? |

Was Removed
Name:
Role:
Signature:
Date:

SARA-IT
Name: Iyad Abou Hawili
Role: Consultant/Owner
Signature:
Date:

10. Project Changes


Change Description | Requestor | Impact | Date of Approval | Approver

11. Project Closure Sign Off


Questions | Your Response
Do you consider the project as completed? |
Have any of the project deliverables not been provided by us? |
Have any of your expectations not been met by us? |

Was Removed
Name:
Role:
Signature:
Date:

SARA-IT
Name: Iyad Abou Hawili
Role: Consultant/Owner
Signature:
Date:
