Security

Scenario: Cybersecurity Audit - Quality Management


Because this project is a full security audit of the Warren County R-III School District, a significant number of changes can occur during it: scheduling conflicts, budget constraints, personnel availability and skill level, and changes requested by stakeholders such as Ron Greer of the Warren County R-III School District. To ensure that we adapt to changes rather than merely react to them, the project management process will be rigorous from the start of the project to its conclusion. Regular meetings will be held with all team members, as well as with the client, to ensure that every phase is appropriately planned and managed.

Weekly meetings will review the past week's progress and any significant changes, and plan the coming week's activities. After each phase of the project, a longer meeting will cover any changes to the project's expected completion date and estimated budget, and the overall success of the phase's results. To ensure that all changes are both made and documented by the proper team members (project manager, research lead, programming lead, cybersecurity lead, physical security lead, HR lead, and financial lead), any proposed change to any part of the project's work, schedule, budget, or scope must go through the proper channel (the team member's team lead), be approved and signed off by the project manager (me), and be documented with the date, time, and description of the proposed change. Once a change has been approved, the client will be informed (where necessary).

Because of this project's complexity and its multiple phases, a series of checks and balances must be created and implemented to ensure that the hardware, software, processes, and social engineering tactics we use are not only current with industry standards but also fit our team's (and our client's) needs. As Tekzor Inc. has conducted several security audits in its twelve years of operation, we are confident in our ability to choose the right tool for the job. As always, Tekzor Inc. takes pride in the little things: providing abundant documentation of how it accomplished its tasks, including recommendations and the current standards followed by our competitors, and ensuring our clients always feel that they are part of our operation through clear and constant communication throughout the project. As mentioned in previous assignments, we perform a second audit free of charge if our client allows us to make our recommended changes to their security measures; this gives us the opportunity to further adjust the quality of our work and lets us learn more about the information technologies we selected and will use in future projects.

As mentioned before, we will ensure that our technology works properly by continuously reviewing our completed work and by having team leads review all completed work. While continually double-checking completed work is time-consuming, I have added extra buffer time to the first audit so that, if any delays occur, we still have ample time to meet the project's expected completion date. If the client decides to use us to implement changes based on the first audit's results, we will confirm that our changes meet the client's needs by offering a second audit for free, which lets us verify that the changes have in fact been effective. For example, a second round of phishing tests will show whether our training of the client's employees was successful.

During this project, testing is critical to our overall task of finding security gaps and making the necessary changes (if the client agrees to them). Each phase has planning, performing, and reporting stages, which ensures that each step is managed appropriately and that the team leads thoroughly test all work. As with any technology-related project, work can be tested quickly because the tools we use in an audit, typically security scans, can be run repeatedly. With the client's assistance, we can also confirm that we meet their expectations through our penetration tests of their security systems, which let us gauge how each protective layer holds up in the first audit and in the second (after we make the changes, if the client agrees to them). Testing also lets us track and resolve defects, using the first and second audits as reference points: any defects that remain will be caught by the second audit, which then allows us to fix them. For that comparison to be meaningful, the second audit must repeat the first audit's scope and methods, so that a change in results reflects the remediation rather than a change in how we tested.

To gauge quality we will use the obvious metrics, such as completion on time, completion at or under budget, and the client's approval of our work, and expand them with phase-specific metrics. For the internal/external penetration testing, our quality metrics will be: the number of successful and unsuccessful penetration attempts; the time to penetrate; the method, hardware, and software used in each successful and unsuccessful attempt; the overall time spent on successful and unsuccessful attempts; and what we were able to access after a successful penetration.

For the firewall (hardware/software/network) testing, we will record the same set of metrics, scoped to the firewall: successful and unsuccessful firewall tests and penetrations, time to penetrate the firewall, the method, hardware, and software used in each attempt, the overall time spent, and what we were able to access after a successful firewall penetration.

For the external IP address testing, we will record the same set of metrics, scoped to the district's externally reachable addresses: successful and unsuccessful tests, time to penetrate, method, hardware, and software used, overall time spent, and what we were able to access after a successful external penetration.

For the wireless/wired device auditing, we will again record the same set of metrics, scoped to the wireless and wired devices: successful and unsuccessful device penetrations, time to penetrate, method, hardware, and software used, overall time spent, and what we were able to access after a successful device penetration. We will also compare the Warren County R-III School District's wireless/wired devices against standard device settings, software, and policies to look for security gaps, improper configurations, poor cabling, and incorrect uses of encryption.

For the internal/external vulnerability testing, we will record the same set of metrics, scoped to the vulnerabilities found: successful and unsuccessful exploitation of internal and external vulnerabilities, time to exploit, method, hardware, and software used, overall time spent, and what we were able to access after a successful exploitation.

For the data governance policy review phase, we will use metrics such as the number of policies that are up to date, the number that are out of date, which policies do and do not need review, and the estimated time, cost, and personnel required to update each policy.

For the phishing test phase, our quality metrics will be the number of successful and unsuccessful phishing attempts (which together give the success rate), the time to complete each attempt, the method, hardware, and software used in successful and unsuccessful attempts, the overall time spent, and what we were able to access after a successful phishing attack.

For the internal control testing and analysis of staffing requirements phases, we will use many of the same metrics mentioned above, and add comparisons against peer organizations and industry standards for internal controls and staffing. For our comparison of the first audit and the second, we will report the same metrics from each side by side, comparing the effectiveness of the Warren County R-III School District's security measures before and after our improvements.
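The metrics above are easiest to compare across the first and second audit when every attempt is recorded as a structured entry and the before/after report is computed rather than assembled by hand. The script below is an added example written for this page, not Tekzor's tooling; the `Attempt` record, the phase and method labels, and the sample attempts are all constructed for illustration. It computes the per-phase success rate, mean time to compromise, methods that still succeed, and access gained, and it refuses to produce a before/after comparison unless both audits exercised the same phases and methods, which is the condition for a drop in success rate to be attributable to remediation.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Attempt:
    """One test attempt recorded during an audit (hypothetical schema)."""
    audit: int        # 1 = initial audit, 2 = free re-audit after remediation
    phase: str        # e.g. "penetration", "phishing"; labels are assumptions
    method: str       # technique attempted; labels are assumptions
    success: bool
    minutes: float    # time spent on this attempt
    access: str = ""  # what was reachable on success, empty otherwise


# Constructed sample data for the example, not real audit results.
SAMPLE = [
    Attempt(1, "penetration", "default-creds", True, 25, "student records DB"),
    Attempt(1, "penetration", "unpatched-service", True, 90, "file server"),
    Attempt(1, "penetration", "brute-force", False, 120),
    Attempt(1, "phishing", "credential-harvest", True, 30, "staff mailbox"),
    Attempt(1, "phishing", "attachment", True, 45, "workstation"),
    Attempt(2, "penetration", "default-creds", False, 40),
    Attempt(2, "penetration", "unpatched-service", False, 95),
    Attempt(2, "penetration", "brute-force", False, 120),
    Attempt(2, "phishing", "credential-harvest", False, 35),
    Attempt(2, "phishing", "attachment", True, 50, "workstation"),
]


def phase_metrics(attempts, audit, phase):
    """The page's metric set for one phase of one audit."""
    subset = [a for a in attempts if a.audit == audit and a.phase == phase]
    if not subset:
        raise ValueError(f"no attempts recorded for audit {audit}, phase {phase!r}")
    successes = [a for a in subset if a.success]
    return {
        "attempts": len(subset),
        "successes": len(successes),
        "success_rate": len(successes) / len(subset),
        # Mean time only over successful attempts; None if nothing got in.
        "mean_minutes_to_compromise": mean(a.minutes for a in successes) if successes else None,
        "total_minutes": sum(a.minutes for a in subset),
        "successful_methods": sorted({a.method for a in successes}),
        "access_gained": sorted({a.access for a in successes}),
    }


def comparable(attempts):
    """True when audit 1 and audit 2 tried the same (phase, method) pairs.

    Without this, a lower success rate in audit 2 could mean the testers
    changed approach rather than that the remediation worked.
    """
    tried = defaultdict(set)
    for a in attempts:
        tried[a.audit].add((a.phase, a.method))
    return tried[1] == tried[2]


def compare_audits(attempts):
    """Before/after report per phase, as the page's final comparison describes."""
    if not comparable(attempts):
        raise ValueError("audit 1 and audit 2 do not cover the same phases and methods")
    report = {}
    for phase in sorted({a.phase for a in attempts}):
        before = phase_metrics(attempts, 1, phase)
        after = phase_metrics(attempts, 2, phase)
        report[phase] = {
            "before": before["success_rate"],
            "after": after["success_rate"],
            "improvement": before["success_rate"] - after["success_rate"],
            "still_open": after["successful_methods"],  # defects the re-audit caught
        }
    return report


if __name__ == "__main__":
    for phase, r in compare_audits(SAMPLE).items():
        print(f"{phase}: {r['before']:.0%} -> {r['after']:.0%} "
              f"(still open: {r['still_open'] or 'none'})")
```

On the sample data the penetration phase drops from two successes in three attempts to none, while the phishing phase keeps one open finding (the attachment lure), which is exactly the kind of residual defect the second audit is meant to surface for a further fix.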
