2008 Security Vulnerability Assessment (SVA) Project Kick-Off Meeting


August 1, 2008




           Presentation has been sanitized – Intended for demonstration purposes only
Meeting Agenda

    Project Team Introduction – Dan Wallace
    Project Approach – Mark O’Brien
    Project Execution – White Hats
         Project Phases
         Phase Timeline
         Target Selection Process
         Effort Allocation by Business Unit
         Key Project Milestones
         Findings Release Process
         Key Project Assumptions
         Documentation Administration




Page 2                                                                                           15-Jul-09
Project Team

    ITG
         Mark Gibaldi                   Executive Champion
         Dan Wallace                    Project Manager
         Mark O'Brien                   Lead Project Owner
         Dell Hartmann                  Project Owner


    Core White Hats Team
         Tony Buffomante                Lead Engagement Partner
         Kyle Kappel                    Lead Engagement Manager
         Charlie Hosner                 QA Manager
         Daimon Geopfert                Lead Testing Manager
         Hany Wassef                    Primary Staff Resource
         Adam Keagle                    Primary Staff Resource


Project Approach

         White Hats is the new SVA service supplier this year
         • Core White Hats team has extensive SVA experience
         • We are not auditors. The White Hats SVA team will not
           discuss any part of this project with Internal or
           External Audit.


         We bring a different outlook and approach
         • Focal point is on improving critical systems and
           processes rather than individual technical issues


         Focus will be based on business risks and activities
         that add value
         • Vulnerability ratings will be based on all conditions
           observed (for example the criticality and environment
           of the affected system), not just the rating a tool
           assigns
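To make "all conditions" reproducible rather than a judgement call made differently per finding, the following added example (written for this page; it is not White Hats' or ITG's scoring method and not a vendor's model) re-rates scanner output with asset context. The 1-5 severity scale, the adjustment values, the field names, the hostnames and the sample findings are all assumptions chosen for illustration.

```python
"""Contextual re-rating of network scanner findings.

Added example, not from the original deck. The 1-5 severity scale, the
adjustment rules, the field names and the sample data below are assumptions
chosen for illustration, not a vendor's scoring model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str        # scanner's check identifier (hypothetical values below)
    title: str
    tool_severity: int  # 1 (lowest) .. 5 (highest), as reported by the tool


@dataclass(frozen=True)
class AssetContext:
    criticality: str            # "critical" | "high" | "medium" | "low", from target selection
    internet_facing: bool       # reachable from untrusted networks
    compensating_control: bool  # mitigation confirmed during validation (e.g. an IPS rule)


# Adjustments applied on top of the tool's severity (assumed values).
CRITICALITY_ADJ = {"critical": 1, "high": 0, "medium": 0, "low": -1}
INTERNET_FACING_ADJ = 1
COMPENSATING_CONTROL_ADJ = -1

RATING_LABEL = {5: "Urgent", 4: "Critical", 3: "Serious", 2: "Medium", 1: "Minimal"}


def contextual_rating(finding: Finding, ctx: AssetContext) -> int:
    """Combine the tool's severity with what is known about the asset.

    The result is clamped to the same 1-5 scale so it can be reported next to
    the raw tool value and the difference explained to the business unit.
    """
    score = finding.tool_severity
    score += CRITICALITY_ADJ[ctx.criticality]
    if ctx.internet_facing:
        score += INTERNET_FACING_ADJ
    if ctx.compensating_control:
        score += COMPENSATING_CONTROL_ADJ
    return max(1, min(5, score))


def rate_findings(findings: List[Finding],
                  contexts: Dict[str, AssetContext]) -> List[dict]:
    """Re-rate every finding and return them highest rating first.

    A host with no recorded context keeps the tool's rating and is flagged, so
    the scoping gap is visible instead of silently defaulting to something.
    """
    rated = []
    for f in findings:
        ctx: Optional[AssetContext] = contexts.get(f.host)
        rating = contextual_rating(f, ctx) if ctx is not None else f.tool_severity
        rated.append({
            "host": f.host,
            "vuln_id": f.vuln_id,
            "title": f.title,
            "tool_severity": f.tool_severity,
            "rating": rating,
            "label": RATING_LABEL[rating],
            "context_known": ctx is not None,
        })
    return sorted(rated, key=lambda r: (-r["rating"], r["host"], r["vuln_id"]))


# Constructed sample data (hostnames and check IDs are invented).
SAMPLE_FINDINGS = [
    Finding("abc-app-web01", "V-0001", "Weak TLS cipher suites enabled", 3),
    Finding("dev-build02", "V-0002", "Remote code execution in build agent", 5),
    Finding("print-srv07", "V-0003", "Service banner discloses version", 2),
    Finding("unknown-host", "V-0004", "Default SNMP community string", 4),
]
SAMPLE_CONTEXTS = {
    "abc-app-web01": AssetContext("critical", internet_facing=True, compensating_control=False),
    "dev-build02": AssetContext("low", internet_facing=False, compensating_control=True),
    "print-srv07": AssetContext("medium", internet_facing=False, compensating_control=False),
}


if __name__ == "__main__":
    for row in rate_findings(SAMPLE_FINDINGS, SAMPLE_CONTEXTS):
        flag = "" if row["context_known"] else "  (no asset context - scope gap)"
        print(f'{row["label"]:<9} tool={row["tool_severity"]} {row["host"]:<14} '
              f'{row["vuln_id"]} {row["title"]}{flag}')
```

Note how the ordering changes once context is applied: the medium-severity TLS issue on the internet-facing critical application ends up rated above the tool's top-severity finding on an isolated build host with a confirmed mitigation. The unknown host is deliberately not guessed at; it is carried through with the tool rating and flagged so the scoping team can supply the missing context before findings are accepted.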

Project Approach

         You will notice a significant difference from last year
         Scope and Target selection process will be driven by
         high-risk applications & systems
         Executive Interviews will also help define the Scope & Targets
         Menu-driven approach for assessment activities
         • Sector Security Leads will help decide which security
           assessment activities White Hats will perform
           (webapp pentesting, wireless, social engineering, etc.)
         • Final decisions made by Project Owners (i.e., Global
           Security)

SVA Project Phases




         PHASE 1: Planning/Scoping  ->  PHASE 2: Assessment/Execution  ->  PHASE 3: Data Analysis/Reporting




Project Phase Timeline




         Activity                                                Start Date    End Date
         PHASE 1: Planning/Scoping                               Aug 4         Aug 29
             Includes: Sector security lead interviews & scoping, Executive interviews,
             testing plan creation, CAB approvals, etc.
         PHASE 2: Assessment/Execution (Fieldwork)               Sept 2        Sept 26
             Includes: All fieldwork activities, passive reviews, network vulnerability
             scanning, web application scanning, validation procedures, etc.
         PHASE 3: Data Analysis/Reporting                        Sept 29       Oct 24
             Includes: Testing results analysis, acceptance of findings, report creation &
             socialization.




Target Selection Process

   Prioritized, risk-based selection of locations, systems, and devices to assess.
   Conducted to determine target population.

        Critical ITG Application: ABC App
            Infrastructure Computing: ID Servers and Platforms
                Network Environment: Router, switch, firewall
                    Location: Red Hills Data Center
                        ID Targets and Testing Steps



Effort Allocation by BU

                                                  Estimated Task Hours Per Business Unit

    Task                                          ResCap      PL     NAO      IO     CF    MIC

    Global Project Management                         32      32      32      32     16     16
    Scoping Phase                                     48      48      48      48     24     24
    Assessment/Execution                             260     260     260     260    130    130
    Analysis & Reporting                              60      60      60      60     30     30

                           Totals:                   400     400     400     400    200    200

    If activities are requested which exceed the hours allocated above,
    a project change control process will be coordinated through Mark
    Gibaldi’s office.



Key Milestones

     #     Milestone                                                          Responsibility            Completion Date
     1     Provide Preliminary Scope, Targets, Executive Interview List       BU Leads                  Monday, Aug 11
     2     Schedule BU Executive Interviews                                   Dan Wallace               Tuesday, Aug 12
     3     Complete BU Executive Interviews                                   Execs, White Hats         Thurs, Aug 21
     4     Final Scope & Target Approval for All BU's                         D. Hartmann, M. O'Brien   Friday, Aug 22
     5     Obtain CAB Approval/Authorization for Sept-2 Start Date            BU Leads                  Wed, Aug 27
     6     Testing Begins                                                     White Hats                Tues, Sept 2
     7     Testing Complete                                                   White Hats                Friday, Sept 26
     8     Preliminary Findings Released                                      White Hats                Friday, Oct 3
     9     Findings Reviewed & Accepted by BU Leads and Performing Suppliers  BU Leads & PS'ers         Wed, Oct 8
     10    Draft Reports Released to ITG                                      White Hats                Thursday, Oct 16
     11    Report Changes/Comments Provided to White Hats                     ITG                       Monday, Oct 20
     12    Final Reports Complete                                             White Hats                Friday, Oct 24
Overview - Findings Release Process




                            DIAGRAM REMOVED




          The full diagram outlining the findings release process will be provided.
          Understanding this process is a key component of the project.
          White Hats will not be responsible for coordinating or tracking
          remediation activities, including validation of closed issues; that
          remains with IBM IIM/OM.
Key Assumptions

    1.    Sector Security Leads and Performing Suppliers will identify a backup
          resource who can make decisions on their behalf in the event of
          unavailability, such as personal time off.
    2.    Sector Security Leads will be responsible for obtaining CAB approval
          for all in-scope testing activities. White Hats will not be involved in
          this process.
    3.    White Hats will leverage existing ITG Qualys installations for network
          vulnerability scanning.
    4.    Vulnerability scanning will be network-based, not host-based (i.e., no
          admin credentials). Unauthenticated scans only see what is exposed on
          the network, so host-level weaknesses that are not reachable through a
          listening service will not be detected, and version-based detections
          rely on the Phase 2 validation procedures to weed out false positives.
    5.    Once findings are accepted by ITG and the PS'ers, White Hats
          involvement is complete. White Hats will not be coordinating or
          tracking remediation efforts.
    6.    Global Security Operations and IBM IIM/OM will be responsible for
          tracking remediation outside the scope of this project.




Documentation Administration

          XClient eRoom is the system of record for this project:
          https://xx13x.xcl1ent.XXXX.com/eRoom/ITG-SVA/2008
          • Secure online collaboration tool based on Documentum eRoom technology
          • Hosted by White Hats in a secure datacenter
          • All that is needed is a Web browser, access to the Internet and a
            username/password
          • Installing a browser plug-in is necessary for advanced features
          • All project team members will be given individual access
          • Must be used to exchange sensitive documents and information (no email)
          • eRoom will also hold other relevant project information (project plans,
            calendar of events, status reports, contact lists, findings database, etc.)



