Kickoffsample
•
1 like•787 views
Kickoff deck for a large enterprise wide security vulnerability assessment. The presentation has been sanitized and is intended for demonstration purposes only. From August 2008
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Kickoffsample
Similar to Kickoffsample (20)
Recently uploaded
Recently uploaded (20)
Kickoffsample
- 1. 2008 Security Vulnerability Assessment (SVA) Project Kick-Off Meeting August 1, 2008 Presentation has been sanitized – Intended for demonstration purposes only
- 2. Meeting Agenda Project Team Introduction – Dan Wallace Project Approach – Mark O’Brien Project Execution – White Hats Project Phases Phase Timeline Target Selection Process Effort Allocation by Business Unit Key Project Milestones Findings Release Process Key Project Assumptions Documentation Administration Page 2 15-Jul-09 Presentation has been sanitized – Intended for demonstration purposes only
- 3. Project Team ITG Mark Gibaldi Executive Champion Dan Wallace Project Manager Mark O'Brien Lead Project Owner Dell Hartmann Project Owner Core White Hats Team Tony Buffomante Lead Engagement Partner Kyle Kappel Lead Engagement Manager Charlie Hosner QA Manager Daimon Geopfert Lead Testing Manager Hany Wassef Primary Staff Resource Adam Keagle Primary Staff Resource Page 3 15-Jul-09 Presentation has been sanitized – Intended for demonstration purposes only
- 4. Project Approach White Hats is the new SVA service supplier this year • Core White Hats team has extensive SVA experience • We are not auditors. White Hats SVA team will not discuss any part of this project with Internal or External Audit. We bring a different outlook and approach • Focal point is on improving critical systems and processes rather than individual technical issues Focus will be based on business risks and activities that add value • Vulnerability ratings will be based on all conditions, not just the rating a tool assigns Page 4 15-Jul-09 Presentation has been sanitized – Intended for demonstration purposes only
- 5. Project Approach You will notice a significant difference from last year Scope and Target selection process will be driven by high-risk applications & systems Executive Interviews will also help define the Scope & Targets Menu-driven approach for assessment activities • Sector Security Leads will help decide which security assessment activities White Hats will perform (webapp pentesting, wireless, social engineering ,etc.) • Final decisions made by Project Owners (ie - Global Security) Page 5 15-Jul-09 Presentation has been sanitized – Intended for demonstration purposes only
- 6. SVA Project Phases PHASE 3: PHASE 1: PHASE 2: Planning/Scoping Assessment/Execution Data Analysis/Reporting Page 6 15-Jul-09 Presentation has been sanitized – Intended for demonstration purposes only
- 7. Project Phase Timeline Activity Start Date End Date PHASE 1: Planning/Scoping Aug 4 Aug 29 Includes: Sector security lead interviews & scoping, Executive interviews, testing plan creation, CAB Approvals, etc. PHASE 2: Assessment/Execution (Fieldwork) Sept 2 Sept 26 Includes: All fieldwork activities, passive reviews, network vulnerability scanning, web application scanning, validation procedures, etc. PHASE 3: Data Analysis/Reporting Sept 29 Oct 24 Includes: Testing results analysis, acceptance of findings, report creation & socialization. Page 7 15-Jul-09 Presentation has been sanitized – Intended for demonstration purposes only
- 8. Target Selection Process Critical ITG Application: ABC App Prioritized, risk- based selection of Infrastructure Computing: ID locations, systems, Servers and Platforms and devices to assess. Network Environment: Router, switch, firewall Conducted to Location: Red Hills Data Center determine target population. ID Targets and Testing Steps Page 8 15-Jul-09 Presentation has been sanitized – Intended for demonstration purposes only
- 9. Effort Allocation by BU Estimated Task Hours Per Business Unit Task ResCap PL NAO IO CF MIC Global Project Management 32 32 32 32 16 16 Scoping Phase 48 48 48 48 24 24 Assessment/Execution 260 260 260 260 130 130 Analysis & Reporting 60 60 60 60 30 30 Totals: 400 400 400 400 200 200 If activities are requested which exceed the hours allocated above, a project change control process will be coordinated through Mark Gibaldi’s office. Page 9 15-Jul-09 Presentation has been sanitized – Intended for demonstration purposes only
- 10. Key Milestones Completion # Milestone Responsibility Date 1 Provide Preliminary Scope, Targets, Executive BU Leads Monday, Aug 11 Interview List 2 Schedule BU Executive Interviews Dan Wallace Tuesday, Aug 12 3 Complete BU Executive Interviews Execs, White Thurs, Aug 21 Hats 4 Final Scope & Target Approval for All BU’s D. Hartman Friday, Aug 22 M. Obrien 5 Obtain CAB Approval/Authorization for BU Leads Wed, Aug 27 Sept-2 Start Date 6 Testing Begins White Hats Tues, Sept 2 7 Testing Complete White Hats Friday, Sept 26 8 Preliminary Findings Released White Hats Friday, Oct 3 9 Findings Reviewed & Accepted by BU BU Leads & Wed, Oct 8 Leads and Performing Suppliers PS’ers 10 Draft Reports Released to ITG White Hats Thursday, Oct 16 11 Report Changes/Comments Provided to White ITG Monday, Oct 20 Hats 12 Final Reports Complete White Hats Friday, Oct 24 Page 10 15-Jul-09 Presentation has been sanitized – Intended for demonstration purposes only
- 11. Overview - Findings Release Process DIAGRAM REMOVED The full diagram outlining the findings release process will be provided. Understanding this process is a key component to the project. White Hats will not be responsible for coordinating or tracking remediation activities. This includes validating closed issues. (IBM IIM/OM) Page 11 15-Jul-09 Presentation has been sanitized – Intended for demonstration purposes only
- 12. Key Assumptions 1. Sector Security Leads and Performing Suppliers will identify a backup resource who can make decisions on their behalf in the event of unavailability, such as personal time off. 2. Sector Security Leads will be responsible for obtaining CAB approval for all in-scope testing activities. White Hats will not be involved in this process. 3. White Hats will leverage existing ITG Qualys installations for network vulnerability scanning. 4. Vulnerability scanning will be network-based, not host-based (ie – no admin credentials). 5. Once findings are accepted by ITG and the PS’ers, White Hats involvement is complete. White Hats will not be coordinating or tracking remediation efforts. 6. Global Security Operations and IBM IIM/OM will be responsible for tracking remediation outside the scope of this project. Page 12 15-Jul-09 Presentation has been sanitized – Intended for demonstration purposes only
- 13. Documentation Administration “XClient eRoom is the system of record for this project https://xx13x.xcl1ent.XXXX.com/eRoom/ITG-SVA/2008 Secure online collaboration tool based on Documentum eRoom technology Hosted by White Hats in a secure datacenter All that is needed is a Web browser, access to the Internet and username/password Installing a browser plug-in is necessary for advanced features All project team members will be given individual access Must be used to exchange sensitive documents and information (no email) eRoom will also hold other relevant project information (project plans, calendar of events, status reports, contact lists, findings database, etc.) Page 13 15-Jul-09 Presentation has been sanitized – Intended for demonstration purposes only