RISK ASSESSMENT AND PEN TESTING PROJECT CHARTER
FOR WAS REMOVED
Version 0.0
Date:
Confidential Document
Not to be circulated or reproduced without appropriate authorization
Document Control

Document Publication History
Document Prepared By:   (SARA-IT)
Document Reviewed By:   Iyad Abou Hawili (SARA-IT)
Document Approved By:   Was removed
Effective Date:         Was Removed

Document Revision History
Ver.   Date          Name               Role         Summary of Changes
1.0    Was Removed   Iyad Abou Hawili   Consultant   Initial draft

Document Distribution List
#    Name               Department/Organization   Purpose
1.   Iyad Abou Hawili   SARA-IT                   Review & Approval
2.   Was removed                                  Review & Approval
3.

Document Approval History
Ver.   Date   Name      Role          Comments
1.0           SARA-IT   Was removed

Authorized Signatory (Printed Version)
                   Name               Date   Signature
For Was removed:
For SARA-IT:       Iyad Abou Hawili
Abbreviations
IT            Information Technology
ISST          Information Systems Security Testing
IS            Information Security
RA            Risk Assessment
VA            Vulnerability Assessment
PT            Penetration Testing
SOW           Statement of Work
WAN           Wide Area Network
LAN           Local Area Network
WAS REMOVED   Was removed
WAS REMOVED   Was Removed
TABLE OF CONTENTS
Abbreviations ............ 3
1. Introduction ............ 5
2. Project Scope, Goal & Objectives ............ 6
   2.1. Project Scope ............ 6
   2.2. Project Goal ............ 6
   2.3. Project Objectives ............ 6
3. Critical Success Factors ............ 6
4. Statement of Work ............ 7
   4.1. Phase 1: Project Initiation & System Study ............ 7
   4.2. Phase 2: Risk Assessment ............ 7
   4.3. Phase 3: IS Security Testing ............ 8
5. Project Milestones & Invoicing Points ............ 9
6. Project Communications ............ 10
7. Assumptions ............ 11
8. Project Team ............ 12
   8.1. Project Organization Structure ............ 12
   8.2. Project Team Roles & Responsibilities ............ 12
9. Project Plan Sign Off ............ 15
10. Project Changes ............ 16
11. Project Closure Sign Off ............ 17
1. Introduction
(Was removed) creates, designs, supervises and manages projects that have the potential to better society. We build on our proven multidisciplinary expertise and offer regional urban planning and comprehensive architectural and engineering consulting services. WAS REMOVED focuses on delivering innovative solutions that meet clients' real needs.

With a history of success and a network of subsidiaries and sister companies, WAS REMOVED provides our clients with an integrated approach to reliable project delivery in an evolving, globalized world. Proactive rather than reactive, WAS REMOVED is at the forefront of new specialties and advantageous alliances.

WAS REMOVED's services are all in-house, covering a broad spectrum of disciplines from architecture to urban, transportation, energy, water, geospatial systems integration, and oil & gas projects. We enhance infrastructure, create new buildings, develop neighborhoods, and reshape entire cities.

Was Removed Integration, a division of Was Removed, has requested that SARA-IT perform a Risk Assessment and Information Systems Security Testing for one of its clients in the Gulf, as part of a solution provided by Was Removed.

To complete this project and meet its Information Security goals and objectives, Was Removed has engaged SARA-IT as a subcontractor to perform Risk Assessment and Information Systems Security Testing (ISST) on the solution built by Was Removed for its client. This Risk Assessment and IS Security Testing shall comply with the Was Removed Security Management Process and Information Security Policies.
2. Project Scope, Goal & Objectives
2.1. Project Scope
Was Removed has decided to engage SARA-IT to perform Risk Assessment and IS Security Testing on the solution built by Was Removed for one of its clients in Abu Dhabi, in the staging environment. This is part of a complete solution provided by Was Removed.
2.2. Project Goal
1. Perform a Risk Assessment for a specific Solution (hardware and software) located in the client's data center in Abu Dhabi.
2. Perform Information Systems Security Testing for the same Solution.
2.3. Project Objectives
SARA-IT has set the following objectives to achieve the project goals defined above:
1. Define and establish the Scope of the project.
2. Identify the supporting assets that belong to the Scope defined above, in a manner compliant with Was Removed IS Standards.
3. Assess the impact on the defined assets.
4. Identify threats and vulnerabilities, then identify risks.
5. Perform Vulnerability Assessment, then Penetration Testing, after defining the Rules of Engagement.
3. Critical Success Factors
The Critical Success Factors for achieving the above objectives of the project are:
1. Support from the Was Removed Division Head.
2. Support from Was Removed staff by providing requested information within the time frame and in the specified format and/or template to the SARA-IT consultant(s).
3. Active participation and support from the Was Removed Project Team.
4. Active participation from the Was Removed client's staff.
5. Timely collection of all existing documents relevant to this project from Was Removed and their client.
6. Timely sign-off of the project deliverables.
4. Statement of Work
4.1. Phase 1: Project Initiation & System Study
Objectives:
1. Develop a project management and tracking process for the project.
2. Systems study:
   o Understand the key business processes and underlying Solution infrastructure (Solution processes, systems, network, applications & Solution team).
   o Study the current security structure, security architecture & processes, roles, skill sets, and security culture.
   o Identify & document all information assets, identify their criticality & sensitivity to Solution operations, and develop classification mechanisms.
   o Develop the Scope Document.
3. Identify & document all information assets, their criticality & sensitivity to business operations, and develop classification mechanisms.
Deliverables:
1. Project Charter, Project Plan and Project Tracking Process documents
2. Asset Register
3. Asset classification guidelines
4.2. Phase 2: Risk Assessment
Objectives:
1. Conduct a comprehensive Risk Assessment of the Solution infrastructure (information systems & applications) that constitutes the Solution provided by WAS REMOVED to their client. This includes:
   o Threat & Vulnerability Assessment and Risk Analysis for all assets
   o Risk profiling & prioritization based on severity & criticality rating and on the Risk Assessment results
Deliverables:
1. Risk Management Methodology Document
2. Comprehensive Risk Assessment Report
4.3. Phase 3: IS Security Testing
Objectives:
1. Perform an Information Systems Security assessment (Vulnerability Assessment and Penetration Testing). This includes:
   o Information Systems security assessment (Vulnerability and Penetration Testing) of sample IT systems (applications and servers) as a separate work stream.
Deliverables:
1. Vulnerability Assessment Report
2. Penetration Testing Report
5. Project Milestones & Invoicing Points
Task | Start Date | End Date
Phase 1 - Project Initiation & System Study | Was Removed | Was Removed
  Project Management
    Project Kickoff Meeting | Was Removed
    Develop Project Management and tracking process for the project
  System Study
    Information Collection: Procedures, etc.
    Systems Study: Interview with respective team
    Scope Analysis of Inclusions and Exclusions for scoping
    Scope Diagram & Scope Document preparation
    Preparing Scope and Assets Documents | Was Removed
Invoice Point I: At completion of Phase 1: US$
Phase 2 - Risk Assessment | Was Removed | Was Removed
  Risk Assessment | Was Removed
    Asset Identification
    Risk Assessment Methodology & set Baseline Acceptable Risk Value
    Asset Register Preparation
    Evaluate Threats, Vulnerabilities and Existing Controls | Was Removed
Invoice Point II: At completion of Phase 2: US$
Phase 3 - IS Security Testing (Vulnerability and Penetration Testing) | Was Removed | Was Removed
  Security Testing
    Conduct Vulnerability Assessments | Was Removed
    Conduct Penetration Testing | Was Removed
Invoice Point III: At completion of Phase 3: US$
Total Amount of the Project: US$
Note: Dates are in DD-MON-YY format.
Total cost DOES NOT include the cost of travel, accommodation, visa, etc. to the client premises, if needed. These costs will be paid 7 days after the consultant submits the invoice.
N.B. Any additional work requested by Was Removed or its client that is not part of the Statement of Work (SOW) described above will be invoiced separately.
6. Project Communications
During the course of the project, it will be important to communicate the schedule, progress and other issues related to this project to key stakeholders. The following platforms & parameters shall be considered for the same:

Process: Weekly Project Progress
Agenda:
  1. Project update to the Project Sponsor & Project Manager
  2. Update on weekly project progress
  3. Any delays, issues & risks
Involvement:
  1. SARA-IT Consultant
  2. WAS REMOVED Project Sponsor
  3. WAS REMOVED Project Manager
Frequency: Weekly
Medium: Email

Process: Project Review
Agenda:
  1. Project update to Project Sponsor, Project Manager and WAS REMOVED client
  2. Overall project progress in 1 month
  3. Discussion on any issues & risks
  4. Any other expectations from the project
Involvement:
  1. SARA-IT Consultant
  2. WAS REMOVED Project Sponsor
  3. WAS REMOVED Project Manager
  4. WAS REMOVED Client
Frequency: Monthly
Medium: Email
7. Assumptions
1. Was Removed will assign a single point of contact for all project-related deliverables and activities.
2. Was Removed will provide SARA-IT with all required information and access to relevant personnel related to this project on a timely basis. Making all the documents, drawings, reports, facilities, WAS REMOVED personnel and other resources needed for the development work available is the responsibility of WAS REMOVED.
3. The Was Removed Project Team will coordinate actively with their client representative(s), wherever required, during the course of the project.
4. Was Removed will be able to provide logistic support to SARA-IT while conducting discussions, meetings, etc., that are relevant to this project.
5. The Was Removed client representative(s) appointed for this project should be well informed about the Solution developed by Was Removed.
6. Was Removed will be able to handle requests for meetings, presentations, documents, etc., at the earliest possible time. Any other support needed for the satisfactory completion of the work, such as provision of printing, photocopying, meeting rooms and other needs, is the responsibility of Was Removed.
7. Was Removed will provide review comments for all deliverables within 5 working days after the date of submission. A deliverable for which no review feedback is received shall be treated as final 5 days after submission.
8. Members identified from Was Removed or their client to work on this project, or on activities related to it, accept the additional responsibilities assigned to them.
9. Necessary approvals, such as for conducting the Risk Assessment, for access to systems for data collection for Vulnerability Assessment or Penetration Testing, and others as deemed necessary, are obtained by Was Removed from their client and, if needed, from government agencies.
10. SARA-IT will not be responsible for configuring or testing IT systems and other equipment procured and implemented as part of this project.
11. All deliverables submitted by SARA-IT will be developed and presented in English only.
8. Project Team
8.1. Project Organization Structure
A formal structure of the project team is necessary to effectively coordinate and perform project-related activities. Thus, a project organization structure that supports seamless communication and ensures tasks are completed as per the timeline is defined as below:
[Organization chart: Project Sponsor (WAS REMOVED); Project Manager (WAS REMOVED); WAS REMOVED Project Management; SARA-IT Consultant; SARA-IT Technical Assistant]
8.2. Project Team Roles & Responsibilities
The key roles and responsibilities for the Was Removed RA and ISST project are outlined below:
Was Removed - Project Sponsor, Was Removed
1. Ultimate authority of the project.
2. Provide required funding for the project.
3. Provide management support during the project.
4. Provide leadership in support of the project.
5. Remove obstacles that prevent the project from moving forward.
6. Build trust among all stakeholders of the project and champion the overall project activities.
7. Take ownership of the project execution from the Was Removed side.
8. Take key decisions during the project.
9. Provide sign-off on the project deliverables to SARA-IT.
10. Provide sign-off on the project closure to SARA-IT.
11. Approve, reject or recommend changes to the project scope, as may be required.
Was Removed - Project Manager, Mr. ______________
1. Set functional/technical expectations on project deliverables.
2. Manage project planning and control with the SARA-IT Consultant, which may include:
   a. Ensuring project deliverables are in line with the project plan.
   b. Managing project resources from the WAS REMOVED side and their client.
   c. Managing project scope, change control and escalation of issues wherever necessary.
   d. Recording and managing project issues and escalations.
3. Closely monitor project progress and its overall effectiveness.
4. Review all project deliverables and provide suggestions for improvement.
5. Ensure the project meets the expectations of management.
6. Review recommendations for changes to the project scope, if any.
SARA-IT Consultant, Mr. Iyad Abou Hawili
1. Act as subject matter expert for the project.
2. Accountable for the overall success of the project from the SARA-IT side.
3. Track project progress on a weekly basis with the SARA-IT Technical Assistant.
4. Address any project escalations and concerns.
5. Ensure quality standards are maintained in all deliverables.
6. Responsible for the overall success of the project from the SARA-IT side.
7. Manage all expectations of Was Removed.
8. Create the Project Plan and track it on an ongoing basis.
9. Manage project deliverables in line with the project plan.
10. Ensure all project timelines are met.
11. Ensure all deliverables meet the expectations of Was Removed.
12. Provide project status updates to Was Removed management on a periodic basis.
13. Ensure all assigned activities are completed on a timely basis.
14. Maintain appropriate records of work in progress.
15. Escalate all issues to the project manager on a timely basis.
9. Project Plan Sign Off
Questions                                                               Your Response
Do you agree with the overall project plan?
Do you have any special expectation that you would like to highlight?

Was Removed                                  SARA-IT
Name:                 Role:                  Name: Iyad Abou Hawili    Role: Consultant/Owner
Signature:            Date:                  Signature:                Date:
10. Project Changes
Change Description | Requestor | Impact | Date of Approval | Approver
11. Project Closure Sign Off
Questions                                                               Your Response
Do you consider the project as completed?
Have any of the project deliverables not been provided by us?
Have any of your expectations not been met by us?

Was Removed                                  SARA-IT
Name:                 Role:                  Name: Iyad Abou Hawili    Role: Consultant/Owner
Signature:            Date:                  Signature:                Date: