Security

Scenario: Cybersecurity Audit- Project Intro

graphs of performance analytics on a laptop screen

Project title

Tekzor Inc. Cybersecurity Audit: Warren County R-III School District

Purpose

To plan and perform a complete cybersecurity audit of Warren County R-III School District’s networks, hardware, security settings and policies, and employee skill/education. With the assistance of Tekzor Inc., the school shall be notified of all existing vulnerabilities, as well as any recommended improvements, so that the school’s data and systems will have a high level of confidentiality, integrity, and availability. The cybersecurity audit of the Warren County R-III School District is authorized by Mr. Ron Greer of the Warren County R-III School District.

Signature                                                                                                          .                                                                                                                      

Description

Tekzor Inc., after having its proposal selected by the Warren County R-III School District, will plan for and perform an all-encompassing audit of the school’s cybersecurity measures and policies, as well as complete testing of the school’s IT infrastructure.

Scope statement

Through the use of internal/external penetration testing, firewall (hardware/software/network) testing, external IP address testing, wireless/wired device auditing, internal/external vulnerability testing, data governance policy review, phishing tests of staff members and students, physical security testing, internal control testing, and an analysis of staffing requirements, Tekzor Inc. will compile all information and create both a report for addressing all vulnerabilities, as well as providing clear instructions on how to fix all issues present in the report.

Objectives

  • A complete report of all found vulnerabilities, including what they are, what implications do they have, and their priority/risk level.
  • A complete report of all recommended improvements and changes to address all found vulnerabilities, including what they are, what they cost, what the benefits are, multiple options for each solution, as well as a prioritized list of what should be done first and what can wait (based on cost, time, and human resources).

Success criteria or expected benefits

            With Tekzor Inc.’s all-encompassing cybersecurity audit of the Warren County R-III School District, the district will reduce the chance of both internal and external threats such as hacking, DDoS attacks, malware, pharming, phishing, ransomware, botnets, spoofing, spyware, trojan horses, viruses, wi-fi eavesdropping, worms, and WPA2 handshake vulnerabilities. With the completed audit’s vulnerability report, a report of all recommended improvements and changes to address all found vulnerabilities will be provided; if these suggestions are utilized, Warren County R-III School District can potentially reduce the likelihood of sudden dangers such as data breaches and a company-ending event like a successful ransomware attack. The cost of applying the changes per the audit will be trivial when compared to the dangers of a successful attack on the organization’s IT infrastructure. Furthermore, the possibility of locating areas, policies, and devices that can be scaled back or changed can save the Warren County R-III School District money and personnel. For example, the use of automation can reduce the number of cybersecurity/IT employees.

To confirm the success of Tekzor Inc.’s cybersecurity audit, a secondary audit shall be offered to Warren County R-III School District (free of charge), if they decide to apply the recommendations uncovered by the first audit. In the secondary audit, a separate cybersecurity technician (not involved in the first audit) will conduct penetration testing of all sectors of the school district’s digital and physical security. Once completed, a second report shall be created and given to the Warren County R-III School District. Then, by cross-examining both audit reports, the school district will be able to see the dramatic improvement to their cybersecurity.

Major deliverables

  1. Internal/external penetration testing
  2. Plan
  3. Perform
  4. Report
  5. Firewall (hardware/software/network) testing
  • External IP address testing

a.       Plan

b.       Perform

c.        Report

  • Wireless/wired device auditing

a.       Plan

b.       Perform

c.        Report

  • Internal/external vulnerability testing

a.       Plan

b.       Perform

c.        Report

  • Data governance policy review

a.       Plan

b.       Perform

c.        Report

  • Phishing tests of staff members and students

a.       Plan

b.       Perform

c.        Report

  • Physical security testing

a.       Plan

b.       Perform

c.        Report

  • Internal control testing

a.       Plan

b.       Perform

c.        Report

  1.  Analysis of staffing requirements

a.       Plan

b.       Perform

c.        Report

  1.  Compile each abovementioned objective’s report of all found vulnerabilities into an all-in-one document containing the findings of the cybersecurity audit.
    1. Compile
    1. Review
    1. Deliver to client
  2.  Compile a complete report of all recommended improvements and changes to address all found vulnerabilities.

a.       Compile

b.       Review

c.        Deliver to client

  1.  Review the recommended improvements of the completed audit with the client to determine what they want to do, when they want to do it, and create a project schedule for applying the changes.
  2.  (If accepted by client) Apply the recommended improvements.
  3.  (If accepted by client) Perform second cybersecurity audit.
  4.  (Optional Second Audit) Internal/external penetration testing
  5. Plan
  6. Perform
  7. Report
  8.  (Optional Second Audit) Firewall (hardware/software/network) testing
  9. Plan
  10. Perform
  11. Report
  12.  (Optional Second Audit) External IP address testing

a.       Plan

b.       Perform

c.        Report

  1.  (Optional Second Audit) Wireless/wired device auditing

a.       Plan

b.       Perform

c.        Report

  •  (Optional Second Audit) Internal/external vulnerability testing

a.       Plan

b.       Perform

c.        Report

  •  (Optional Second Audit) Data governance policy review

a.       Plan

b.       Perform

c.        Report

  •  (Optional Second Audit) Phishing tests of staff members and students

a.       Plan

b.       Perform

c.        Report

  •  (Optional Second Audit) Physical security testing

a.       Plan

b.       Perform

c.        Report

  •  (Optional Second Audit) Internal control testing

a.       Plan

b.       Perform

c.        Report

  •  (Optional Second Audit) Analysis of staffing requirements

a.       Plan

b.       Perform

c.        Report

  •  (Optional Second Audit) Compile each abovementioned objective’s report of all found vulnerabilities into an all-in-one document containing the findings of the second cybersecurity audit.
    • Compile
    • Review
    • Deliver to client
  •  (Optional Second Audit) Compare the findings from the first cybersecurity audit to the findings of the second cybersecurity audit (after the recommended changes have been made).
  •  Project Wrap-Up
  • Compile and create documentation of all phases of the project (for both Tekzor Inc. and the client’s use).
  • Review all work completed with the client.
  • Determine the client’s satisfaction with all completed work.

Acceptance criteria

The completion and success of Tekzor Inc.’s cybersecurity audit of the Warren County R-III School District will only be satisfied by meeting the following conditions:

  • First Audit completion guaranteed by December 20, 2020
  • First Audit Report completion guaranteed by January 20, 2021
  • Recommended changes completion guaranteed by March 20, 2021
  • Second Audit completion guaranteed by April 20, 2021 (per client’s optional involvement in the second audit)
  • Second Audit Report completion guaranteed by May 20, 2021 (per client’s optional involvement in the second audit involvement )
  • Final comparison of all work completed, general satisfaction of client completion guaranteed by June 20, 2021 (per client’s optional involvement in the second audit)
  • Complete satisfaction of work completed by Tekzor Inc.

Milestone schedule

  • December 20, 2020: First Audit Completion

•           November 1, 2020: Internal/external penetration testing

•           November 2, 2020: Firewall (hardware/software/network) testing

           November 3, 2020: External IP address testing

•           November 4, 2020: Wireless/wired device auditing

•           November 10, 2020: internal/external vulnerability testing

•           November 15, 2020: Data governance policy review

•           November 25, 2020: Phishing tests of staff members and students

•           November 29, 2020: Physical security testing

•           November 29, 2020: Internal control testing

•           November 30, 2020: Analysis of staffing requirements

  • January 20, 2021: First Audit Report Completion
  • March 20, 2021: Recommended Changes Completion
  • April 20, 2021: Second Audit Completion (per client’s optional involvement in the second audit)

•           March 24th, 2021: Internal/external penetration testing

•           March 25, 2021: Firewall (hardware/software/network) testing

           March 26, 2021: External IP address testing

•           March 30, 2021: Wireless/wired device auditing

•           April 1, 2021: internal/external vulnerability testing

•           April 5, 2021:  Data governance policy review

•           April 8, 2021: Phishing tests of staff members and students

•           April 15, 2021: Physical security testing

•           April 17, 2021: Internal control testing

•           April 19, 2021: Analysis of staffing requirements

  • May 20, 2021: Second Audit Report Completion (per client’s optional involvement in the second audit involvement )
  • June 20, 2021: Final Comparison (of both audits) of All Work Completed, General Satisfaction of Client Completion (per client’s optional involvement in the second audit)

Key assumptions

At the time of this project charter’s creation, Tekzor Inc.’s knowledge of the specific attributes, composition, layout, devices, software, policies, and personnel involved in the Warren County R-III School District’s IT infrastructure and cybersecurity are largely unknown; due to this, much of this document’s material and schedules are based on typical data obtained from a standard school district’s setup (based on past customers of Tekzor Inc., as well as common industry standards).

Constraints

Tekzor Inc.’s knowledge of the specific attributes, composition, layout, devices, software, policies, and personnel involved in the Warren County R-III School District’s IT infrastructure and cybersecurity are largely unknown, due to this, the following constraints are evident:

  • Scope- The actual amount of work that is required to perform a full audit and recommend improvements can be drastically increased once Tekzor Inc. obtains detailed specifics of Warren County R-III School District’s IT infrastructure and cybersecurity.
  • Schedule- Due to the scope constraint, the included schedule in this plan document can dramatically change once Tekzor Inc. obtains detailed specifics of Warren County R-III School District’s IT infrastructure and cybersecurity.
  • Budget- Due to the scope constraint, the budgets provided and costs for work completed in this plan document can dramatically change once Tekzor Inc. obtains detailed specifics of Warren County R-III School District’s IT infrastructure and cybersecurity.
  • Resources:

Tekzor Inc.’s knowledge of the specific attributes, composition, layout, devices, software, policies, and personnel involved in the Warren County R-III School District’s IT infrastructure and cybersecurity are largely unknown; due to this, estimated and available resources may alter dramatically once Tekzor Inc, obtains detailed specifics of Warren County R-III School District’s IT infrastructure and cybersecurity.

To help determine the allocated resources of Warren County R-III School District for this project and the necessary resources from Tekzor Inc. to complete the project, a meeting before each major milestone of this project charter shall be held with both the client and Tekzor Inc.’s stakeholders.

  • Major risks
    • Unplanned scope creep due to lack of knowledge of the specific attributes, composition, layout, devices, software, policies, and personnel involved in the Warren County R-III School District’s IT infrastructure and cybersecurity.
    • Possibility of damaging/disrupting IT services, hardware, networks, etc. during penetration testing.
    • Possibility of damaging/disrupting IT services, hardware, networks, etc. during firewall testing.
    • Possibility of damaging/disrupting IT services, hardware, networks, etc. during external IP testing.
    • Possibility of damaging/disrupting IT services, hardware, networks, etc. during internal/external network vulnerability testing.
    • Possibility of obtaining confidential information during data policy review.
    • Possibility of obtaining confidential information during phishing tests.
    • Possibility of disrupting daily workflow during auditing.
    • Possibility of violence or police involvement if physical security testing is perceived in the wrong manner.

References

Fuller, M. A., Valacich, J. S., George, J. F., & Schneider, C. (2019). Information systems project management: A process Approach, Edition 2.0. Prospect Press, Inc.

Warren County R-III School District. (2018). Request for Proposals Cyber Security Audit. Retrieved June 18, 2020, from https://content.bellevue.edu/cst/cis/633/RFP_documents/RFP_Cyber_Security_Audit.pdf.

Categories: Security

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s