Security Report: A Sample of the Planning Phase of a Security Report

Mojo21
The planning phase is the important initial phase that lays the foundation for GlobalUBid's assessment and report. Here all of the necessary precursors are worked out, from the all-important definition of scope to meeting with the client. GlobalUBid is an organization with limited security knowledge and practices, factors that need to be considered in each of the planning steps. Below is a more in-depth look at the planning steps and their results for this organization.

Based on information gathering and indications from executives, management, and IT personnel, the scope will be a comprehensive (general) assessment of GlobalUBid's security. The evidence points to an organization unfamiliar both with creating effective security policy and with implementing and maintaining it. The organization has clearly evident deficiencies ranging from physical security to technology to policy. The business hinges on its ability to function as a B2B e-commerce organization: its primary revenue is generated by an online auction interface that brings businesses together for transactions. The bulk of the company's private data is managed in Oracle by two database administrators and several web developers. The departments involved will be virtually all-encompassing, as each plays a role in security.

The comprehensive nature of this assessment will require expertise in a variety of security fields. The staffing requirements begin with a Certified Information Systems Security Professional (CISSP) to head the assessment team and provide high-level guidance. The team will then consist of several security specialists covering each element of security: a specialist for physical security, one for network security, one or more for database security, and a policy specialist. Each of these lead specialists will be assigned junior-level analysts to help with information gathering and other tasks. The number and depth of the vulnerabilities found will dictate whether more or less help is assigned.

The kick-off meeting with GlobalUBid will serve to prepare all parties involved for the upcoming assessment. All of the assessment staff listed above will attend, joined by the executives (CEO and VPs) from GlobalUBid, the security administrator (Bill Jones), both Oracle DBAs, and any other key stakeholders. The meeting will allow both parties to get acquainted and to understand exactly what will occur during the assessment. It will define the roles each party is expected to perform, discuss the defined scope, and organize logistics.

Each phase of the project will be dependent on the completion of the previous phase. This will avoid conflicts in testing and technology use; it will increase the assessment duration but also decrease staffing requirements. The weekly status meetings will serve to avoid scope creep as well as to keep the client informed.

To reiterate for GlobalUBid's clarity: the assessment will be a comprehensive look at all areas of security, broken into testing phases for each area. Weekly status meetings will be held so that questions and concerns can be addressed, with documentation available at those meetings giving exact specifics of what is being done at that time. The final deliverable will document this process and its findings in a format similar to the following: executive summary, scope, methodology, current state, and findings and recommendations.

Published by Mojo21
