
Introduction
Name of Project |
Tekzor Inc. Cybersecurity Audit: Warren County R-III School District |
Contact | Email/Cell |
Sponsor: | Ron Greer of the Warren County R-III School District |
Stakeholder: | Tekzor Inc. Management: Norman Gates (CEO) Pierre Santiago (CTO) Johnathan Thomas (Financial Lead) Warren County R-III School District Management: John Hamon (President) Mark Roberts (Security Lead) Gabe Rudolph (IT Lead) Ryan Crest (Finance Lead) |
Project Manager: | William Donaldson (PM, CSO) |
Team Member: | William Donaldson (PM, CSO) Jason Hamill (Research Lead) Chris Smith (Programming Lead) Steve McGuinness (Cybersecurity Lead) Matt Johnson (Physical Security Lead) Eric Stevens (HR Lead) Johnathan Thomas (Financial Lead) Tim Toler (Cybersecurity Team Member) Mort Pierre (Cybersecurity Team Member) |
Contractor/Vendor: | Tekzor Inc. |
Background |
Through the use of internal/external penetration testing, firewall (hardware/software/network) testing, external IP address testing, wireless/wired device auditing, internal/external vulnerability testing, data governance policy review, phishing tests of staff members and students, physical security testing, internal control testing, and an analysis of staffing requirements, Tekzor Inc. will compile all information and create a report addressing all vulnerabilities, as well as provide clear instructions on how to fix all issues present in the report. |
Purpose |
To plan and perform a complete cybersecurity audit of Warren County R-III School District’s networks, hardware, security settings and policies, and employee skill/education. With the assistance of Tekzor Inc., the school shall be notified of all existing vulnerabilities, as well as any recommended improvements, so that the school’s data and systems will have a high level of confidentiality, integrity, and availability. |
Scope of Work
To Be Done | Resources Needed | Outcome | Time Involved | General Steps |
Internal/external penetration testing | Coordinate with on-site staff for testing window, prepare penetration hardware/software, allocate resources/manpower | Compile results of internal/external penetration testing into a report | 1-Nov-20 | Perform internal/external penetration testing- attempt to access locked or unauthorized locations, determine visibility of unauthorized material |
Firewall (hardware/software/network) testing | Coordinate with on-site staff for testing window, prepare firewall penetration hardware/software, allocate resources/manpower | Compile results of firewall (hardware/software/network) testing into a report | 2-Nov-20 | Perform firewall (hardware/software/network) testing- attempt to penetrate and edit firewall, test for effectiveness |
External IP address testing | Coordinate with on-site staff for testing window, prepare external IP address penetration hardware/software, allocate resources/manpower, obtain documentation from school regarding the list of IP addresses, access to server information/logs | Compile results of firewall (hardware/software/network) testing into a report | 3-Nov-20 | Perform external IP address testing- attempt to bypass, alter, delete external IP addresses, audit existing external IPs |
Wireless/wired device auditing | Coordinate with on-site staff for testing window, prepare wireless/wired device penetration hardware/software, allocate resources/manpower, obtain documentation from school regarding the list of devices used, access to server information/logs | Compile results of wireless/wired device auditing into a report | 4-Nov-20 > 11-Nov-20 | Perform wireless/wired device auditing-rogue access points, unused devices, network settings, etc. |
Internal/external vulnerability testing | Coordinate with on-site staff for testing window, prepare internal/external vulnerability penetration hardware/software, allocate resources/manpower, obtain documentation from school regarding the list of devices used, access to server information/logs | Compile results of internal/external vulnerability testing into a report | 11-Nov-20 > 15-Nov-20 | Perform internal/external vulnerability testing- attempt to attack internal/external resources |
Data governance policy review | Coordinate with on-site staff for testing window, obtain documentation regarding current policies, protocols, and regulations, allocate resources/manpower | Compile results of data governance policy review into a report | 15-Nov-20 > 24-Nov-20 | Perform data governance policy review- review current policies, protocols, regulations |
Phishing tests of staff members and students | Coordinate with on-site staff for testing window, prepare hardware/software, emails, malicious USBs, phone call scripts, allocate resources/manpower | Compile results of phishing tests of staff members and students into a report | 26-Nov-20 > 29-Nov-20 | Perform phishing tests of staff members and students using hardware/software, emails, malicious USBs, phone calls, etc. |
Physical security testing | Coordinate with on-site staff for testing window, obtain video surveillance access, create fake ID cards, allocate resources/manpower | Compile results of physical security testing into a report | 29-Nov-20 | Perform physical security testing- unauthorized entry into each door, find gaps in video surveillance, test social engineering attacks, etc. |
Internal control testing | Coordinate with on-site staff for testing window, obtain video surveillance access, create fake ID cards, allocate resources/manpower | Compile results of internal control testing into a report | 29-Nov-20 | Perform internal control testing- testing/evaluation of the management, operational, and technical security controls of the organization |
Analysis of staffing requirements | Coordinate with on-site staff for testing window, obtain personnel list, user lists, organization structure documentation | Compile results of analysis of staffing requirements into a report | 30-Nov-20 > 20-Dec-20 (Time Buffer) | Perform analysis of staffing requirements- using data from all previous tests and comparing to security standards |
First Audit Completion | Data from previous tests compiled, allocate resources/manpower | Review all data obtained from the audit, find errors, make any improvements to the audit’s results | 21-Dec-20 > 20-Jan-21 | Data from previous tests reviewed/compiled |
First Audit Report Completion | Data from previous tests compiled, allocate resources/manpower | Compile results of the audit into a report | 22-Jan-21 > 20-Mar-21 | Data from previous tests compiled and made into a report |
Recommended Changes Completion | Gather recommended changes using audit’s data, gather different vendors, prices, and establish timeframes | Deliver recommended cybersecurity changes to client | 21-Mar-21 > 24-Mar-21 | Gather list of cybersecurity recommendations using multiple vendors, prices, and options |
(Optional Second Audit) Internal/external penetration testing | Coordinate with on-site staff for testing window, prepare penetration hardware/software, allocate resources/manpower | Compile results of internal/external penetration testing into a report | 25-Mar-21 | Perform internal/external penetration testing- attempt to access locked or unauthorized locations, determine visibility of unauthorized material |
(Optional Second Audit) Firewall (hardware/software/network) testing | Coordinate with on-site staff for testing window, prepare firewall penetration hardware/software, allocate resources/manpower | Compile results of firewall (hardware/software/network) testing into a report | 26-Mar-21 | Perform firewall (hardware/software/network) testing- attempt to penetrate and edit firewall, test for effectiveness |
(Optional Second Audit) External IP address testing | Coordinate with on-site staff for testing window, prepare external IP address penetration hardware/software, allocate resources/manpower, obtain documentation from school regarding the list of IP addresses, access to server information/logs | Compile results of firewall (hardware/software/network) testing into a report | 26-Mar-21 > 29-Mar-21 | Perform external IP address testing- attempt to bypass, alter, delete external IP addresses, audit existing external IPs |
(Optional Second Audit) Wireless/wired device auditing | Coordinate with on-site staff for testing window, prepare wireless/wired device penetration hardware/software, allocate resources/manpower, obtain documentation from school regarding the list of devices used, access to server information/logs | Compile results of wireless/wired device auditing into a report | 30-Mar-21 > 1-Apr-21 | Perform wireless/wired device auditing-rogue access points, unused devices, network settings, etc. |
(Optional Second Audit) Internal/external vulnerability testing | Coordinate with on-site staff for testing window, prepare internal/external vulnerability penetration hardware/software, allocate resources/manpower, obtain documentation from school regarding the list of devices used, access to server information/logs | Compile results of internal/external vulnerability testing into a report | 1-Apr-21 > 4-Apr-21 | Perform internal/external vulnerability testing- attempt to attack internal/external resources |
(Optional Second Audit) Data governance policy review | Coordinate with on-site staff for testing window, obtain documentation regarding current policies, protocols, and regulations, allocate resources/manpower | Compile results of data governance policy review into a report | 6-Apr-21 > 8-Apr-21 | Perform data governance policy review- review current policies, protocols, regulations |
(Optional Second Audit) Phishing tests of staff members and students | Coordinate with on-site staff for testing window, prepare hardware/software, emails, malicious USBs, phone call scripts, allocate resources/manpower | Compile results of phishing tests of staff members and students into a report | 9-Apr-21 > 15-Apr-21 | Perform phishing tests of staff members and students using hardware/software, emails, malicious USBs, phone calls, etc. |
(Optional Second Audit) Physical security testing | Coordinate with on-site staff for testing window, obtain video surveillance access, create fake ID cards, allocate resources/manpower | Compile results of physical security testing into a report | 16-Apr-21 > 17-Apr-21 | Perform physical security testing- unauthorized entry into each door, find gaps in video surveillance, test social engineering attacks, etc. |
(Optional Second Audit) Internal control testing | Coordinate with on-site staff for testing window, obtain video surveillance access, create fake ID cards, allocate resources/manpower | Compile results of internal control testing into a report | 18-Apr-21 > 19-Apr-21 | Perform internal control testing- testing/evaluation of the management, operational, and technical security controls of the organization |
(Optional Second Audit) Analysis of staffing requirements | Coordinate with on-site staff for testing window, obtain personnel list, user lists, organization structure documentation | Compile results of analysis of staffing requirements into a report | 20-Apr-21 > 19-May-21 | Perform analysis of staffing requirements- using data from all previous tests and comparing to security standards |
Second Audit Completion | Data from previous tests compiled, allocate resources/manpower | Review all data obtained from the audit, find errors, make any improvements to the audit’s results | 21-May-21 > 19-Jun-21 | Data from previous tests reviewed/compiled |
Second Audit Report Completion (per client’s optional involvement in the second audit) | Data from previous tests compiled, allocate resources/manpower | Compile results of the audit into a report | 20-Jun-21 > 19-Jul-21 | Data from previous tests compiled and made into a report |
Final Comparison (of both audits) of All Work Completed. General Satisfaction of Client Completion (per client’s optional involvement in the second audit) | Data from both audits, financial planning, vendor access | Client reviews the comparison of both audits, viewing the dramatic security improvement | 20-Jul-21 | Review audit 1 and 2, compare effectiveness of changes, obtain satisfaction from client |
Location
Site | Duration |
Office | Warren County R-III School District |
Remote Location | Tekzor Inc. Headquarters |
Schedule
Phases | Start | Finish |
Phase #1 | 1-Nov-20 | 1-Nov-20 |
Phase #2 | 2-Nov-20 | 2-Nov-20 |
Phase #3 | 3-Nov-20 | 3-Nov-20 |
Phase #4 | 4-Nov-20 | 11-Nov-20 |
Phase #5 | 11-Nov-20 | 15-Nov-20 |
Phase #6 | 15-Nov-20 | 24-Nov-20 |
Phase #7 | 26-Nov-20 | 29-Nov-20 |
Phase #8 | 29-Nov-20 | 29-Nov-20 |
Phase #9 | 29-Nov-20 | 29-Nov-20 |
Phase #10 | 30-Nov-20 | 20-Dec-20 (Time Buffer) |
Phase #11 | 21-Dec-20 | 20-Jan-21 |
Phase #12 | 22-Jan-21 | 20-Mar-21 |
Phase #13 | 21-Mar-21 | 24-Mar-21 |
Phase #14 | 25-Mar-21 | 25-Mar-21 |
Phase #15 | 26-Mar-21 | 26-Mar-21 |
Phase #16 | 26-Mar-21 | 29-Mar-21 |
Phase #17 | 30-Mar-21 | 1-Apr-21 |
Phase #18 | 1-Apr-21 | 4-Apr-21 |
Phase #19 | 6-Apr-21 | 8-Apr-21 |
Phase #20 | 9-Apr-21 | 15-Apr-21 |
Phase #21 | 16-Apr-21 | 17-Apr-21 |
Phase #22 | 18-Apr-21 | 19-Apr-21 |
Phase #23 | 20-Apr-21 | 19-May-21 |
Phase #24 | 21-May-21 | 19-Jun-21 |
Phase #25 | 20-Jun-21 | 19-Jul-21 |
Phase #26 | 20-Jul-21 | 20-Jul-21 |
Deliverables
Deliverable | Objective | Due Date |
Deliverable #1 | First Audit Report Completion/Delivered | 20-Jan-21 |
Deliverable #2 | Recommended Changes Completion/Delivered | 20-Mar-21 |
Deliverable #3 | Second Audit Report Completion/Delivered | 20-Jun-21 |
Deliverable #4 | Final Comparison (of both audits) of All Work Completed. General Satisfaction of Client Completion | 20-Jul-21 |
Milestones
Milestones | Start Date | Finish Date |
Milestone #1 First Audit Completion | 21-Dec-20 | 20-Jan-21 |
Milestone #2 First Audit Report Completion | 22-Jan-21 | 20-Mar-21 |
Milestone #3 Recommended Changes Completion | 21-Mar-21 | 24-Mar-21 |
Milestone #4 Second Audit Completion | 21-May-21 | 19-Jun-21 |
Milestone #5 Second Audit Report Completion (per client’s optional involvement in the second audit) | 20-Jun-21 | 19-Jul-21 |
Milestone #6 Final Comparison (of both audits) of All Work Completed. General Satisfaction of Client Completion (per client’s optional involvement in the second audit) | 20-Jul-21 | 20-Jul-21 |
Tasks
Activity | Team Member |
Phase 1-10, 14-23 | William Donaldson (PM, CSO) Jason Hamill (Research Lead) Chris Smith (Programming Lead) Steve McGuinness (Cybersecurity Lead) Matt Johnson (Physical Security Lead) Tim Toler (Cybersecurity Team Member) Mort Pierre (Cybersecurity Team Member) |
Phase 11-13, 24-26 | William Donaldson (PM, CSO) Jason Hamill (Research Lead) Chris Smith (Programming Lead) Steve McGuinness (Cybersecurity Lead) Matt Johnson (Physical Security Lead) Eric Stevens (HR Lead) Johnathan Thomas (Financial Lead) |
Reporting and Communications |
Phase 11-13, 24-26’s documentation and reports will be delivered to Ron Greer of the Warren County R-III School District in both digital and paper form. |
Define Success
Closure
Document | Signed Off (William Donaldson) | Signed Off (Ron Greer) |
Scope Statement | ||
Work Breakdown Structure (WBS) | ||
Financial Form |
What problem or opportunity does the project address?
The specific attributes, composition, layout, devices, software, policies, and personnel involved in the Warren County R-III School District’s IT infrastructure and cybersecurity are largely unknown to Tekzor Inc. Because of this, the following constraints are evident:
• Scope- The actual amount of work that is required to perform a full audit and recommend improvements can be drastically increased once Tekzor Inc. obtains detailed specifics of Warren County R-III School District’s IT infrastructure and cybersecurity.
• Schedule- Due to the scope constraint, the included schedule in this plan document can dramatically change once Tekzor Inc. obtains detailed specifics of Warren County R-III School District’s IT infrastructure and cybersecurity.
• Budget- Due to the scope constraint, the budgets provided and costs for work completed in this plan document can dramatically change once Tekzor Inc. obtains detailed specifics of Warren County R-III School District’s IT infrastructure and cybersecurity.
What quantifiable results are to be achieved?
For quantifiable results, the data obtained from the first audit shall be required to provide a complete analysis of all known gaps in security, pending the approval of the Warren County R-III School District. Then, the data from the second study (after the optional proposed changes are made to the Warren County R-III School District’s security) will show how Tekzor Inc. improved both cyber and physical security. A report will be provided comprising statistics of their defenses compared to other school districts, data from our attempts to penetrate each layer of protection, and the likelihood of any future data loss, breach, hack, or other malicious attacks.
What needs to be done?
As previously mentioned, internal/external penetration testing, firewall (hardware/software/network) testing, external IP address testing, wireless/wired device auditing, internal/external vulnerability testing, data governance policy review, phishing tests of staff members and students, physical security testing, internal control testing, and an analysis of staffing requirements will all need to be performed. Furthermore, detailed reports and analytics shall be compiled from all of the abovementioned data, providing Warren County R-III School District with a clear and all-encompassing view of their physical and cybersecurity measures. Then, a list of recommended changes will be provided; if the Warren County R-III School District allows Tekzor Inc. to make the changes, a second audit will be performed, with its data compared to the first audit.
How will success be measured?
The completion and success of Tekzor Inc.’s cybersecurity audit of the Warren County R-III School District will only be satisfied by meeting the following conditions:
- First Audit completion guaranteed by December 20, 2020
- First Audit Report completion guaranteed by January 20, 2021
- Recommended changes completion guaranteed by March 20, 2021
- Second Audit completion guaranteed by April 20, 2021 (per client’s optional involvement in the second audit)
- Second Audit Report completion guaranteed by May 20, 2021 (per client’s optional involvement in the second audit)
- Final comparison of all work completed, general satisfaction of client completion guaranteed by June 20, 2021 (per client’s optional involvement in the second audit)
- Warren County R-III School District’s complete satisfaction of work completed by Tekzor Inc.
How will we know when we are finished?
We will only be finished when all phases of the project are complete (pending the optional second audit’s inclusion), Warren County R-III School District provides their review of all work completed, and most importantly, when Tekzor Inc. feels that the Warren County R-III School District is in a far better position to defend themselves against the rising threats from cybercrime, data loss, and disasters.