
Scenario: Cybersecurity Audit Scope Statement

Introduction

Name of Project
Tekzor Inc. Cybersecurity Audit: Warren County R-III School District
Contact  Email/Cell
Sponsor:  Ron Greer of the Warren County R-III School District
Stakeholder:  Tekzor Inc. Management: Norman Gates (CEO), Pierre Santiago (CTO), Johnathan Thomas (Financial Lead); Warren County R-III School District Management: John Hamon (President), Mark Roberts (Security Lead), Gabe Rudolph (IT Lead), Ryan Crest (Finance Lead)
Project Manager:  William Donaldson (PM, CSO)
Team Member:  William Donaldson (PM, CSO), Jason Hamill (Research Lead), Chris Smith (Programming Lead), Steve McGuinness (Cybersecurity Lead), Matt Johnson (Physical Security Lead), Eric Stevens (HR Lead), Johnathan Thomas (Financial Lead), Tim Toler (Cybersecurity Team Member), Mort Pierre (Cybersecurity Team Member)
Contractor/Vendor:  Tekzor Inc.
Background
Through the use of internal/external penetration testing, firewall (hardware/software/network) testing, external IP address testing, wireless/wired device auditing, internal/external vulnerability testing, data governance policy review, phishing tests of staff members and students, physical security testing, internal control testing, and an analysis of staffing requirements, Tekzor Inc. will compile all information and create a report addressing all vulnerabilities, as well as clear instructions on how to fix all issues present in the report.
Purpose
To plan and perform a complete cybersecurity audit of Warren County R-III School District’s networks, hardware, security settings and policies, and employee skill/education. With the assistance of Tekzor Inc., the school shall be notified of all existing vulnerabilities, as well as any recommended improvements, so that the school’s data and systems will have a high level of confidentiality, integrity, and availability.

Scope of Work

To Be Done  Resources Needed  Outcome  Time Involved  General Steps
Internal/external penetration testing  Coordinate with on-site staff for testing window, prepare penetration hardware/software, allocate resources/manpower  Compile results of internal/external penetration testing into a report  1-Nov-20  Perform internal/external penetration testing: attempt to access locked or unauthorized locations, determine visibility of unauthorized material
Firewall (hardware/software/network) testing  Coordinate with on-site staff for testing window, prepare firewall penetration hardware/software, allocate resources/manpower  Compile results of firewall (hardware/software/network) testing into a report  2-Nov-20  Perform firewall (hardware/software/network) testing: attempt to penetrate and edit firewall, test for effectiveness
External IP address testing  Coordinate with on-site staff for testing window, prepare external IP address penetration hardware/software, allocate resources/manpower, obtain documentation from school regarding the list of IP addresses, access to server information/logs  Compile results of firewall (hardware/software/network) testing into a report  3-Nov-20  Perform external IP address testing: attempt to bypass, alter, delete external IP addresses, audit existing external IPs
Wireless/wired device auditing  Coordinate with on-site staff for testing window, prepare wireless/wired device penetration hardware/software, allocate resources/manpower, obtain documentation from school regarding the list of devices used, access to server information/logs  Compile results of wireless/wired device auditing into a report  4-Nov-20 > 11-Nov-20  Perform wireless/wired device auditing: rogue access points, unused devices, network settings, etc.
Internal/external vulnerability testing  Coordinate with on-site staff for testing window, prepare internal/external vulnerability penetration hardware/software, allocate resources/manpower, obtain documentation from school regarding the list of devices used, access to server information/logs  Compile results of internal/external vulnerability testing into a report  11-Nov-20 > 15-Nov-20  Perform internal/external vulnerability testing: attempt to attack internal/external resources
Data governance policy review  Coordinate with on-site staff for testing window, obtain documentation regarding current policies, protocols, and regulations, allocate resources/manpower  Compile results of data governance policy review into a report  15-Nov-20 > 24-Nov-20  Perform data governance policy review: review current policies, protocols, regulations
Phishing tests of staff members and students  Coordinate with on-site staff for testing window, prepare hardware/software, emails, malicious USBs, phone call scripts, allocate resources/manpower  Compile results of phishing tests of staff members and students into a report  26-Nov-20 > 29-Nov-20  Perform phishing tests of staff members and students using hardware/software, emails, malicious USBs, phone calls, etc.
Physical security testing  Coordinate with on-site staff for testing window, obtain video surveillance access, create fake ID cards, allocate resources/manpower  Compile results of physical security testing into a report  29-Nov-20  Perform physical security testing: unauthorized entry into each door, find gaps in video surveillance, test social engineering attacks, etc.
Internal control testing  Coordinate with on-site staff for testing window, obtain video surveillance access, create fake ID cards, allocate resources/manpower  Compile results of internal control testing into a report  29-Nov-20  Perform internal control testing: testing/evaluation of the management, operational, and technical security controls of the organization
Analysis of staffing requirements  Coordinate with on-site staff for testing window, obtain personnel list, user lists, organization structure documentation  Compile results of analysis of staffing requirements into a report  30-Nov-20 > 20-Dec-20 (Time Buffer)  Perform analysis of staffing requirements: using data from all previous tests and comparing to security standards
First Audit Completion  Data from previous tests compiled, allocate resources/manpower  Review all data obtained from the audit, find errors, make any improvements to the audit’s results  21-Dec-20 > 20-Jan-21  Data from previous tests reviewed/compiled
First Audit Report Completion  Data from previous tests compiled, allocate resources/manpower  Compile results of the audit into a report  22-Jan-21 > 20-Mar-21  Data from previous tests compiled and made into a report
Recommended Changes Completion  Gather recommended changes using audit’s data, gather different vendors, prices, and establish timeframes  Deliver recommended cybersecurity changes to client  21-Mar-21 > 24-Mar-21  Gather list of cybersecurity recommendations using multiple vendors, prices, and options
(Optional Second Audit) Internal/external penetration testing  Coordinate with on-site staff for testing window, prepare penetration hardware/software, allocate resources/manpower  Compile results of internal/external penetration testing into a report  25-Mar-21  Perform internal/external penetration testing: attempt to access locked or unauthorized locations, determine visibility of unauthorized material
(Optional Second Audit) Firewall (hardware/software/network) testing  Coordinate with on-site staff for testing window, prepare firewall penetration hardware/software, allocate resources/manpower  Compile results of firewall (hardware/software/network) testing into a report  26-Mar-21  Perform firewall (hardware/software/network) testing: attempt to penetrate and edit firewall, test for effectiveness
(Optional Second Audit) External IP address testing  Coordinate with on-site staff for testing window, prepare external IP address penetration hardware/software, allocate resources/manpower, obtain documentation from school regarding the list of IP addresses, access to server information/logs  Compile results of firewall (hardware/software/network) testing into a report  26-Mar-21 > 29-Mar-21  Perform external IP address testing: attempt to bypass, alter, delete external IP addresses, audit existing external IPs
(Optional Second Audit) Wireless/wired device auditing  Coordinate with on-site staff for testing window, prepare wireless/wired device penetration hardware/software, allocate resources/manpower, obtain documentation from school regarding the list of devices used, access to server information/logs  Compile results of wireless/wired device auditing into a report  30-Mar-21 > 1-Apr-21  Perform wireless/wired device auditing: rogue access points, unused devices, network settings, etc.
(Optional Second Audit) Internal/external vulnerability testing  Coordinate with on-site staff for testing window, prepare internal/external vulnerability penetration hardware/software, allocate resources/manpower, obtain documentation from school regarding the list of devices used, access to server information/logs  Compile results of internal/external vulnerability testing into a report  1-Apr-21 > 4-Apr-21  Perform internal/external vulnerability testing: attempt to attack internal/external resources
(Optional Second Audit) Data governance policy review  Coordinate with on-site staff for testing window, obtain documentation regarding current policies, protocols, and regulations, allocate resources/manpower  Compile results of data governance policy review into a report  6-Apr-21 > 8-Apr-21  Perform data governance policy review: review current policies, protocols, regulations
(Optional Second Audit) Phishing tests of staff members and students  Coordinate with on-site staff for testing window, prepare hardware/software, emails, malicious USBs, phone call scripts, allocate resources/manpower  Compile results of phishing tests of staff members and students into a report  9-Apr-21 > 15-Apr-21  Perform phishing tests of staff members and students using hardware/software, emails, malicious USBs, phone calls, etc.
(Optional Second Audit) Physical security testing  Coordinate with on-site staff for testing window, obtain video surveillance access, create fake ID cards, allocate resources/manpower  Compile results of physical security testing into a report  16-Apr-21 > 17-Apr-21  Perform physical security testing: unauthorized entry into each door, find gaps in video surveillance, test social engineering attacks, etc.
(Optional Second Audit) Internal control testing  Coordinate with on-site staff for testing window, obtain video surveillance access, create fake ID cards, allocate resources/manpower  Compile results of internal control testing into a report  18-Apr-21 > 19-Apr-21  Perform internal control testing: testing/evaluation of the management, operational, and technical security controls of the organization
(Optional Second Audit) Analysis of staffing requirements  Coordinate with on-site staff for testing window, obtain personnel list, user lists, organization structure documentation  Compile results of analysis of staffing requirements into a report  20-Apr-21 > 19-May-21  Perform analysis of staffing requirements: using data from all previous tests and comparing to security standards
Second Audit Completion  Data from previous tests compiled, allocate resources/manpower  Review all data obtained from the audit, find errors, make any improvements to the audit’s results  21-May-21 > 19-Jun-21  Data from previous tests reviewed/compiled
Second Audit Report Completion (per client’s optional involvement in the second audit)  Data from previous tests compiled, allocate resources/manpower  Compile results of the audit into a report  20-Jun-21 > 19-Jul-21  Data from previous tests compiled and made into a report
Final Comparison (of both audits) of All Work Completed. General Satisfaction of Client Completion (per client’s optional involvement in the second audit)  Data from both audits, financial planning, vendor access  Client reviews the comparison of both audits, viewing the dramatic security improvement  20-Jul-21  Review audit 1 and 2, compare effectiveness of changes, obtain satisfaction from client

 

Location

Site  Duration
Office  Warren County R-III School District
Remote Location  Tekzor Inc. Headquarters

Schedule

Phases  Start  Finish
Phase #1  1-Nov-20  1-Nov-20
Phase #2  2-Nov-20  2-Nov-20
Phase #3  3-Nov-20  3-Nov-20
Phase #4  4-Nov-20  11-Nov-20
Phase #5  11-Nov-20  15-Nov-20
Phase #6  15-Nov-20  24-Nov-20
Phase #7  26-Nov-20  29-Nov-20
Phase #8  29-Nov-20  29-Nov-20
Phase #9  29-Nov-20  29-Nov-20
Phase #10  30-Nov-20  20-Dec-20 (Time Buffer)
Phase #11  21-Dec-20  20-Jan-21
Phase #12  22-Jan-21  20-Mar-21
Phase #13  21-Mar-21  24-Mar-21
Phase #14  25-Mar-21  25-Mar-21
Phase #15  26-Mar-21  26-Mar-21
Phase #16  26-Mar-21  29-Mar-21
Phase #17  30-Mar-21  1-Apr-21
Phase #18  1-Apr-21  4-Apr-21
Phase #19  6-Apr-21  8-Apr-21
Phase #20  9-Apr-21  15-Apr-21
Phase #21  16-Apr-21  17-Apr-21
Phase #22  18-Apr-21  19-Apr-21
Phase #23  20-Apr-21  19-May-21
Phase #24  21-May-21  19-Jun-21
Phase #25  20-Jun-21  19-Jul-21
Phase #26  20-Jul-21  20-Jul-21

 

Deliverables

Deliverable  Objective  Due Date
Deliverable #1  First Audit Report Completion/Delivered  20-Jan-21
Deliverable #2  Recommended Changes Completion/Delivered  20-Mar-21
Deliverable #3  Second Audit Report Completion/Delivered  20-Jun-21
Deliverable #4  Final Comparison (of both audits) of All Work Completed. General Satisfaction of Client Completion  20-Jul-21

Milestones

Milestones  Start Date  Finish Date
Milestone #1 First Audit Completion  21-Dec-20  20-Jan-21
Milestone #2 First Audit Report Completion  22-Jan-21  20-Mar-21
Milestone #3 Recommended Changes Completion  21-Mar-21  24-Mar-21
Milestone #4 Second Audit Completion  21-May-21  19-Jun-21
Milestone #5 Second Audit Report Completion (per client’s optional involvement in the second audit)  20-Jun-21  19-Jul-21
Milestone #6 Final Comparison (of both audits) of All Work Completed. General Satisfaction of Client Completion (per client’s optional involvement in the second audit)  20-Jul-21  20-Jul-21

Tasks

Activity  Team Member
Phase 1-10, 14-23  William Donaldson (PM, CSO), Jason Hamill (Research Lead), Chris Smith (Programming Lead), Steve McGuinness (Cybersecurity Lead), Matt Johnson (Physical Security Lead), Tim Toler (Cybersecurity Team Member), Mort Pierre (Cybersecurity Team Member)
Phase 11-13, 24-26  William Donaldson (PM, CSO), Jason Hamill (Research Lead), Chris Smith (Programming Lead), Steve McGuinness (Cybersecurity Lead), Matt Johnson (Physical Security Lead), Eric Stevens (HR Lead), Johnathan Thomas (Financial Lead)

 

Reporting and Communications  
Documentation and reports for Phases 11-13 and 24-26 will be delivered to Ron Greer of the Warren County R-III School District in both digital and paper form.

Define Success

Whether the project is a success will be determined by the client; however, for Tekzor Inc. to declare the project a success, the Warren County R-III School District’s managerial staff, including Ron Green, shall find the results of the cybersecurity audit satisfactory, providing a complete analysis of all layers of the digital and physical security system, processes, rules, and regulations of the Warren County R-III School District.

 

Closure

Document  Signed Off (William Donaldson)  Signed Off (Ron Green)
Scope Statement    
Work Breakdown Structure (WBS)    
Financial Form    

What problem or opportunity does the project address?

The specific attributes, composition, layout, devices, software, policies, and personnel involved in the Warren County R-III School District’s IT infrastructure and cybersecurity are largely unknown to Tekzor Inc. Because of this, the following constraints are evident:

  • Scope: The actual amount of work that is required to perform a full audit and recommend improvements can be drastically increased once Tekzor Inc. obtains detailed specifics of Warren County R-III School District’s IT infrastructure and cybersecurity.
  • Schedule: Due to the scope constraint, the included schedule in this plan document can dramatically change once Tekzor Inc. obtains detailed specifics of Warren County R-III School District’s IT infrastructure and cybersecurity.
  • Budget: Due to the scope constraint, the budgets provided and costs for work completed in this plan document can dramatically change once Tekzor Inc. obtains detailed specifics of Warren County R-III School District’s IT infrastructure and cybersecurity.

What quantifiable results are to be achieved?

For quantifiable results, the data obtained from the first audit shall be required to provide a complete analysis of all known gaps in security, pending the approval of the Warren County R-III School District. Then, the data from the second study (after the optional proposed changes are made to the Warren County R-III School District’s security) will show how Tekzor Inc. improved both cyber and physical security. A report will be provided comprising statistics on their defenses compared to other school districts, data from our attempts to penetrate each layer of protection, and the likelihood of any future data loss, breach, hack, or other malicious attacks.

What needs to be done?

As previously mentioned, internal/external penetration testing, firewall (hardware/software/network) testing, external IP address testing, wireless/wired device auditing, internal/external vulnerability testing, data governance policy review, phishing tests of staff members and students, physical security testing, internal control testing, and an analysis of staffing requirements will all need to be performed. Furthermore, detailed reports and analytics shall be compiled from all of the above-mentioned data, providing Warren County R-III School District with a clear and all-encompassing view of their physical and cybersecurity measures. Then, a list of recommended changes will be provided; if the Warren County R-III School District allows Tekzor Inc. to make the changes, a second audit will be performed, with its data compared to the first audit.

How will success be measured?

The completion and success of Tekzor Inc.’s cybersecurity audit of the Warren County R-III School District will only be satisfied by meeting the following conditions:

  • First Audit completion guaranteed by December 20, 2020
  • First Audit Report completion guaranteed by January 20, 2021
  • Recommended changes completion guaranteed by March 20, 2021
  • Second Audit completion guaranteed by April 20, 2021 (per client’s optional involvement in the second audit)
  • Second Audit Report completion guaranteed by May 20, 2021 (per client’s optional involvement in the second audit)
  • Final comparison of all work completed, general satisfaction of client completion guaranteed by June 20, 2021 (per client’s optional involvement in the second audit)
  • Warren County R-III School District’s complete satisfaction of work completed by Tekzor Inc.

How will we know when we are finished?

We will only be finished when all phases of the project are complete (pending the optional second audit’s inclusion), Warren County R-III School District provides their review of all work completed, and most importantly, when Tekzor Inc. feels that the Warren County R-III School District is in a far better position to defend themselves against the rising threats from cybercrime, data loss, and disasters.

