Info Security Assignment


Sheet1: SLS Information Security First Draft WBS

Task or Subtask | Resources | Start & End Dates | Est. Effort Hours | Est. Capital Expense | Est. Non-Capital Expense | Dependencies
1 Contact network engineering team to ensure hardware device is compatible with network infrastructure | Network Architect | S: 4/15, E: 4/17 | 2 | $0 | $200 | (none)
2 Purchase Web Filter | Network Architect & Purchasing Group | | | | |
2.1 Order Web Filter through purchasing group | Network Architect | S: 4/18, E: 4/18 | 1 | $0 | $0 | 1
2.2 Order Web Filter from manufacturer | Purchasing Group | S: 4/19, E: 4/19 | 2 | $18,000 | $0 | 2.1
2.3 Web Filter delivered | Purchasing Group | E: 5/10 | 1 | $0 | | 2.2
3 Purchase Technical Support Contract | Purchasing Group | S: 4/19, E: 4/19 | 1 | $3,240 | $0 | 1
4 Purchase additional software components | Purchasing Group | S: 4/19, E: 4/19 | 1 | $550 | $0 | 1
5 Submit change request to implement hardware | Change control board | S: 5/10, E: 5/27 | 1 | $0 | $0 | 2
6 Administrator attends training on new hardware device | Training department and administrator | S: 5/27, E: 6/01 | 40 | $0 | $0 | 3
7 Installation/configuration of hardware and software components | Contracted vendors | S: 5/27, E: 6/10 | 150 | $0 | $21,000 | 2, 4

SLS Ongoing Support WBS

Task or Subtask | Resources | Start & End Dates | Est. Effort Hours | Est. Capital Expense | Est. Non-Capital Expense | Dependencies
1 Ongoing Administrative Functions | Administrator | Ongoing | 4 per week | $0 | $0 |
2 Monthly subscription | Administrator and Purchasing Group | Ongoing | | $250 per month | $0 |

Note on the expense columns: the $250 monthly subscription and the $3,240 support contract are recurring service costs rather than durable assets, so under the general guideline given in answer 8 below they would normally be budgeted as non-capital expense; the draft above records them as capital.

Source: http://webfuse.cqu.edu.au/Courses/2008/T1/COIT13211/Study_Schedule/tute10.htm

Sheet2: Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP)

CISSP Exam (10 domain areas)
1 Access Control
2 Application Security (changed to "Software Development Security")
3 Business Continuity and Disaster Recovery Planning
4 Cryptography
5 Information Security and Risk Management
6 Legal Regulations, Compliance, and Investigations
7 Operations Security
8 Physical (Environment) Security
9 Security Architecture and Design
10 Telecommunications and Network Security

SSCP Exam (7 areas)
1 Access Control
2 Cryptography
3 Malicious Code and Activity
4 Monitoring and Analysis
5 Networks and Communication
6 Risk, Response, and Recovery
7 Security Operations and Administration

Updated CISSP domain items (status: new / reworded)

1. ACCESS CONTROLS
1.A Control access by applying the following concepts/methodologies/techniques
new 1.B.1 Threat modeling
new 1.B.2 Asset valuation
new 1.B.3 Vulnerability analysis
new 1.B.4 Access aggregation
new 1.C.1 User entitlement
new 1.C.2 Access review & audit
new 1.D Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)

2. TELECOMMUNICATIONS & NETWORK SECURITY
reworded 2.A Understand secure network architecture and design (e.g., IP & non-IP protocols, segmentation)
new 2.A.1 OSI and TCP/IP models
new 2.A.2 IP networking
new 2.A.3 Implications of multi-layer protocols

Sheet3: COIT 13211 Security and the Internet - Module 10

Review Questions

1. True or False. It is good practice for an organization to install all information security components at once.

2. True or False. Planners do not need to estimate the expected non-capital expenses for the completion of the task, subtask, or action item.

3. Based on the feedback loop shown in the figure above, corrective action is required when ____.
(a) the estimate was flawed AND performance has lagged
(b) EITHER the estimate was flawed OR performance has lagged
(c) only the estimate was flawed, BUT NOT when performance has lagged
(d) performance has lagged, BUT NOT when the estimate was flawed
(e) None of the above

4. The security systems development life cycle (SecSDLC) is made up of ____ phases.
(a) four
(b) five
(c) six
(d) seven
(e) eight

5. The involvement step to reduce resistance in change means getting key representatives from user groups to serve as members of the SecSDLC development process. In systems development this is referred to as joint ____ development or JAD.
(a) application
(b) association
(c) assistance
(d) appreciation
(e) available

6. What is the primary objective of the implementation phase of a project plan for information security?

7. What is projectitis? How is it cured or its impact reduced?

8. Are there concrete rules about what a capital expense is and what it is not? What is a general guideline?

9. List and describe the four layers of the bulls-eye model for security project planning.

10. Create a first draft of a WBS (Work Breakdown Structure) from the scenario below. Make assumptions as needed based on the section about project planning considerations and constraints in the chapter. In your WBS, describe the resources required for the tasks you have planned.

Scenario: Sequential Label and Supply is having a problem with employees surfing the Web to access material the company has deemed inappropriate for use in a professional environment. The technology exists to insert a filtering device in the company Internet connection that blocks certain Web locations and certain Web content. The vendor has provided you with some initial information about the filter. The hardware is an appliance that costs $18,000 and requires a total of 150 effort-hours to install and configure. Technical support on the appliance costs 18 percent of the purchase price and includes a training allowance for the year. A software component is needed for administering the appliance that runs on the administrator's desktop computer, and it costs $550. A monthly subscription provides the list of sites to be blocked and costs $250 per month. The administrator must spend an estimated four hours per week on ongoing administrative functions.

Items you should consider: Your plan requires two sections, one for deployment and another for ongoing operation after implementation. The vendor offers a contracting service for installation at $140 per hour. Your change control process requires a 17-day lead time for change requests. The manufacturer has a 14-day order time and a 7-day delivery time for this device.

Creating a WBS can be quite challenging when you haven't had practice at the task.

Discussion Question

Would outsourcing your security always be a good idea? Why or why not?

Internet/Laboratory Exercises

1. Have a look at the short articles and papers on the pitfalls of and best practices for project management at http://www.projectsmart.co.uk/articles.html

2. There are many project management software tools available, often at fairly high prices; here are a few that are reasonably priced or free. WBS Chart Pro at http://www.criticaltools.com/wbsmain.htm produces Work Breakdown Structures in conjunction with Microsoft Project or standalone. A sample is usually installed in the Program Files/WBS Chart Pro directory.

Can-Plan freeware at http://can-plan.20m.com/ (requires Microsoft Excel to run). The section on the Six Phases of a Project and Rewards for the Project Manager at the bottom of the DOC worksheet can be very true if project planning doesn't work out.

For a web browser based demo of project management software, go to onProject, Inc's http://www.onproject.com/con_Brands/onproject/cfm_HomePage/products/asp.cfm and click the demo link.

More links to project management software at http://www.startwright.com/project1.htm

3. Some brief articles on outsourcing security which could well help in the discussion above.

http://www.csoonline.com/read/050105/offshore.html

http://www.csoonline.com/read/030104/counsel.html

http://www.csoonline.com/read/070104/counsel.html

Articles from CSO Magazine (Resources for security executives) http://www.csoonline.com/

4. Some interesting articles on change management. Any large project needs to cater for the effects of change to an organization. Remember change management is about people.

http://itmanagement.earthweb.com/service/article.php/3512091

Series of articles here: http://www.change-management.com/articles.htm

Review Question Answers

1. False

2. False

3. b

4. c

5. a

6. The project plan delivers instructions to the individuals who are executing the implementation phase. These instructions focus on the security control changes needed to the hardware, software, procedures, data, and people that make up the organization's information systems. The major steps in executing the project plan are: planning the project, supervising tasks and action steps, and wrapping up.

7. Projectitis is when the project manager spends more time documenting project tasks, collecting performance measurements, recording information, and updating information than they spend on accomplishing meaningful project work. It can be avoided by using simple tools and focusing on organization and coordination.

8. There are no concrete rules for what is a capital expense. Most companies budget and expend capital according to their own established procedures. The general guideline usually separates expenses for durable assets from expenses for other purposes. The most important thing is to know your organization's established procedures.

9. The fundamental concept is that issues are addressed from the general to the specific and that the focus is on systematic solutions instead of individual problems.
1. Policies: The foundation of all effective information security programs is sound information security and information technology policy.
2. Networks: The layer where threats from public networks meet the organization's networking infrastructure.
3. Systems: This layer includes computers used as servers, desktop computers, and systems used for process control and manufacturing.
4. Applications: This layer includes packaged applications, such as office automation and e-mail programs, as well as high-end enterprise resource planning (ERP) packages that span the organization.

10. Draft Sample Implementation WBS

Item | Task | Resources | Start & End Dates | Effort Hours | Capital Expense | Non-Capital Expense | Dep.
1 | Contact Network team to ensure hardware device will work with network infrastructure | Network Engineers | S: 11/25, E: 11/27 | 2 | $0 | $100 |
2 | Purchase Web Filter | Network Engineer & Purchasing Group | S: 11/28, E: 12/19 | 1 | $18,000 | $0 | 1
3 | Purchase Technical Support Contract | Purchasing Group | S: 11/28, E: 12/19 | 1 | $3,240 | $0 | 1
4 | Purchase additional software components | Purchasing Group | S: 11/28, E: 12/19 | 1 | $800 | $0 | 1
5 | Submit change request to implement hardware | Change control board | S: 12/19, E: 01/06 | 1 | $0 | $0 | 2
6 | Send administrator to training on device | Training center and Administrator | S: 01/06, E: 01/10 | 40 | $0 | $0 | 3
7 | Install hardware and software components | Outside vendors | S: 01/06, E: 01/20 | 150 | $0 | $21,000 | 2, 4

Ongoing Support

Item | Task | Resources | Start & End Dates | Effort Hours | Capital Expense | Non-Capital Expense | Dep.
1 | Ongoing administration of device | Administrator | Ongoing | 4/week | $0 | $0 |
2 | Monthly subscription | Administrator/Purchasing Group | Ongoing | | $250/month | $0 |
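The arithmetic behind the two WBS sections above (support contract at 18% of price, 150 h x $140 vendor installation, 14 + 7 day order and delivery, 17-day change-control lead time, and start/end dates that follow from the dependency column) is easy to get wrong by hand, and a dependency loop in a hand-drawn WBS is easy to miss. The following Python script is an added example, not part of the course material or the sample answer. It encodes the scenario's figures, schedules the deployment tasks from their dependencies (a task starts on the day its last dependency ends), rejects a WBS whose dependencies form a cycle, and totals capital and non-capital expense. The task durations, the $200 non-capital cost of the compatibility check (taken from the first-draft sheet) and the 2008 kickoff date are assumptions.

```python
"""WBS schedule and cost check for the Sequential Label and Supply web-filter scenario.
Added example: not course material. Dollar figures and lead times come from the
scenario text; durations, the 2008 kickoff year and the $200 for task 1 are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Union

APPLIANCE_PRICE = 18_000        # capital: the filtering appliance
SUPPORT_RATE = 0.18             # technical support contract = 18% of purchase price
ADMIN_SOFTWARE_PRICE = 550      # desktop administration component
INSTALL_HOURS = 150             # vendor effort to install and configure
VENDOR_RATE = 140               # contracted installation, $ per hour
SUBSCRIPTION_PER_MONTH = 250    # block-list subscription
ADMIN_HOURS_PER_WEEK = 4        # ongoing administration
CHANGE_LEAD_DAYS = 17           # change-control lead time
ORDER_DAYS, DELIVERY_DAYS = 14, 7


@dataclass
class Task:
    id: str
    name: str
    duration_days: int                  # calendar days; end = start + duration
    effort_hours: float = 0.0
    capital: float = 0.0
    non_capital: float = 0.0
    depends_on: list[str] = field(default_factory=list)
    start: Optional[date] = None
    end: Optional[date] = None


def schedule(tasks: list[Task], kickoff: Union[date, str]) -> list[Task]:
    """Assign start/end dates in dependency order. A task starts on the day its last
    dependency ends. Raises ValueError on an unknown dependency or a cycle."""
    if isinstance(kickoff, str):
        kickoff = date.fromisoformat(kickoff)
    by_id = {t.id: t for t in tasks}
    for t in tasks:
        for d in t.depends_on:
            if d not in by_id:
                raise ValueError(f"task {t.id} depends on unknown task {d}")
    done: set[str] = set()
    while len(done) < len(tasks):
        progressed = False
        for t in tasks:
            if t.id in done or not all(d in done for d in t.depends_on):
                continue
            t.start = max((by_id[d].end for d in t.depends_on), default=kickoff)
            t.end = t.start + timedelta(days=t.duration_days)
            done.add(t.id)
            progressed = True
        if not progressed:  # every remaining task waits on another remaining task
            stuck = ", ".join(sorted(set(by_id) - done))
            raise ValueError(f"dependency cycle among tasks {stuck}")
    return tasks


def deployment_wbs() -> list[Task]:
    """Deployment section of the WBS, mirroring the sample answer's task breakdown."""
    return [
        Task("1", "Confirm appliance is compatible with network infrastructure", 2,
             effort_hours=2, non_capital=200),                       # $200: draft's assumption
        Task("2", "Order appliance: 14-day order plus 7-day delivery",
             ORDER_DAYS + DELIVERY_DAYS, effort_hours=2,
             capital=APPLIANCE_PRICE, depends_on=["1"]),
        Task("3", "Purchase technical support contract (18% of price)", 1,
             effort_hours=1, capital=round(APPLIANCE_PRICE * SUPPORT_RATE, 2),
             depends_on=["1"]),
        Task("4", "Purchase administration software", 1,
             effort_hours=1, capital=ADMIN_SOFTWARE_PRICE, depends_on=["1"]),
        Task("5", "Change request to install appliance (17-day lead time)",
             CHANGE_LEAD_DAYS, effort_hours=1, depends_on=["2"]),
        Task("6", "Administrator training on the device", 5,
             effort_hours=40, depends_on=["3"]),
        Task("7", "Vendor installs and configures appliance", 14,
             effort_hours=INSTALL_HOURS, non_capital=INSTALL_HOURS * VENDOR_RATE,
             depends_on=["4", "5", "6"]),
    ]


def plan(kickoff_iso: str = "2008-04-15") -> dict:
    """Schedule the deployment WBS and return the figures the budget lines need."""
    tasks = schedule(deployment_wbs(), kickoff_iso)
    return {
        "dates": {t.id: (t.start.isoformat(), t.end.isoformat()) for t in tasks},
        "capital": sum(t.capital for t in tasks),
        "non_capital": sum(t.non_capital for t in tasks),
        "effort_hours": sum(t.effort_hours for t in tasks),
        "go_live": max(t.end for t in tasks).isoformat(),
    }


def ongoing_annual() -> dict:
    """Ongoing-support section, annualised: recurring subscription and admin hours."""
    return {"subscription": SUBSCRIPTION_PER_MONTH * 12,
            "admin_hours": ADMIN_HOURS_PER_WEEK * 52}


if __name__ == "__main__":
    result = plan()
    for t in deployment_wbs():
        s, e = result["dates"][t.id]
        print(f"{t.id:>2} {t.name:<60} {s} -> {e}")
    print(f"capital ${result['capital']:,.0f}, non-capital ${result['non_capital']:,.0f}, "
          f"{result['effort_hours']:.0f} h, go-live {result['go_live']}")
    print("ongoing per year:", ongoing_annual())
```

With the assumed 15 April kickoff the appliance arrives on 8 May, the change request clears on 25 May and installation finishes on 8 June; the deployment totals are $21,790 capital (appliance, support contract, software) and $21,200 non-capital. The scheduling loop is the useful part for review: because a task is only dated once every dependency is dated, a WBS whose dependency column loops back on itself is reported instead of silently producing dates.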


Sheet6: IT Project Manager

Description/Comment: Typically responsible for mid- to large-sized projects. Impact is on the entire function or process. Defines and monitors project team resources. 10+ years of relevant experience or equivalent combination of education and work experience. Ability to lead mid- to large-sized project teams. Ability to communicate clearly and present at senior leadership levels. Ability to manage risk and project decisions. Proficient in negotiating and conflict management. Undergraduate degree and 6-8 years relevant experience, or graduate degree and 8-10 years relevant experience.

Additional Job Details: Healthcare Financial Management workstream experience preferred. Healthcare Payer industry experience preferred. Agile / SDLC experience preferred. Financial Management workstream is defined as: design and development of financial management (FM) capabilities across all customer types (e.g., small businesses, brokers, subsidized and non-subsidized customers), including associated business requirements, deployment of relevant technology and definition of required recruiting, hiring and training of financial management staff.

IT Infrastructure Project Manager

About the Job

SUMMARY OF RESPONSIBILITIES

Plan, coordinate and oversee projects from inception, initiation, elaboration, construction, implementation and closeout phases. Utilize a variety of business processes and tasks in completing multiple projects and issues. Assemble project teams, assign responsibilities, identify resources, and develop schedules for timely completion of projects. Independently assess situations, research available options and work with other functional and business areas to realize solutions and guide successful completion.

ESSENTIAL JOB FUNCTIONS

- Responsible for developing, implementing, and completing projects that require coordination of resources across multiple departments
- Prepare department budget and forecast future departmental projects, ensuring effective and efficient use of resources
- Identify, negotiate for, and manage cross-functional project resources and the deliverables required to complete projects; coordinate execution of business application projects/procedures with other departments
- Assist business area owners in the preparation of their project budget requirements, ensuring effective and efficient use of resources
- Facilitate, calculate, and complete Project Funding Requests (PFRs) for projects and implement within established guidelines and timelines
- Recommend alternative technologies or approaches to projects
- Compile, analyze, prepare, and present reports on project status
- Track progress of testing and identify solutions to correct deviations from required timelines, deliverables, or budget variances
- Compare current cost plan against actual to date, forecast-to-complete costs, approved or authorized costs, and budget costs
- Manage and reduce project risks
- Comply with all processes, procedures, and standards applicable to the position, including (but not limited to): SSAE16 (Statement on Standards for Attestation Engagements No. 16), CIP (Critical Infrastructure Protection), Change Management, Tariff (Open Access Transmission, Energy and Operating Reserve Markets Tariff), FERC (Federal Energy Regulatory Commission), NERC (North American Electric Reliability Corporation), U.S. Department of Homeland Security, and NAESB (North American Energy Standards Board)

QUALIFICATIONS

Education:

Bachelor's degree in Information Technology or related technical field required. PMP certification preferred.

Experience:

- Five years managing IT infrastructure projects
- Five years project budgeting and cost management
- Experience managing and implementing projects within critical high-availability environments
- Utility industry background preferred

Knowledge:

- Software development lifecycle
- Project management methodologies (Waterfall preferred)
- Change control processes
- Microsoft Office Suite
- Financial planning
- Accounting principles
- Contract administration
- Principles, methods and tools for developing, scheduling, coordinating, and managing projects and resources, including monitoring costs, work, and contractor performance
- Principles, practices, and administration of technical issues

Skills:

- Commitment to customer service excellence
- Excellent communication and listening skills
- Utilize company policies appropriately
- Analytical and strategic thinking
- Foster teamwork and collaboration
- Negotiation
- Project management

Abilities:

- Apply and adapt practices and techniques to a variety of projects
- Establish and maintain effective relationships with employees and the general public
- Present facts and recommendations effectively in verbal and written form
- Develop long-term plans and programs and evaluate work accomplishments
- Manage multiple concurrent projects
- Drive timely completion of deliverables
- Manage customer expectations
- Handle multiple priorities and assignments within department or function