

Managing Information Security Assessment Projects for Success

By mbbay21
Author: Michael Bernstein, PMP, CCIE Security #16395, CEH, CISSP, SANS


Information Security Assessments are carried out periodically and consistently in both the public and private sectors. They are driven primarily by industry-specific and government regulations, and secondly by the need for an unbiased evaluation of security. In the Federal Government, FISMA is mandated, and NIST Special Publications (SPs) are also followed as requirements and instructions to the assessor or group of assessors. Federal institutions have almost no wiggle room when it comes to meeting compliance mandates. Private-sector organizations, depending upon the nature of the business, whether a financial institution or a hospital, each have their own industry-specific regulations. Financial service providers may interface using e-Business strategies to offer services to larger banks or financial firms. Since currency is stored and exchanged in electronic formats (e.g. EDI), regulations are set to ensure the safety not only of the systems that store and transmit sensitive data (i.e. wire transfers / ACHs), but also of individuals' privacy rights. This type of information, generalized as Personally Identifiable Information (PII), any electronic record that may include a person's name, residences, phone numbers, or social security number (SSN), must be protected. For hospitals, patient data is heavily electronic (e.g. X-rays), and specific patient information is stored in multi-user databases. Hospitals follow the HIPAA directive, and any company that processes cardholder information (e.g. credit cards) must meet PCI-DSS assessments and audits. Information security constitutes not only IT systems, but more specifically the safety and security of information, usually to comply with regulations, to protect the privacy rights of people, and to protect sensitive data and the systems that perform financial transactions.

CIOs, CSOs, CISOs, Directors of Information Security, etc., are the impetus for Security Assessments and seek out third-party assistance. In many organizations, it is mandated that a third party carry out the assessment. In some jurisdictions, it is mandated that the group that performs the assessment cannot be the same consulting organization that implements safeguards based on the assessment findings. Typically, a security assessment is a much more in-depth practice than an audit. For example, an audit of a wireless infrastructure may only check for the existence or nonexistence of secured configurations, whereas an assessment may tie the wireless assessment back into a wired network security assessment, in order to see whether the wireless network provides a vulnerability or leak back into the wired network. Or, a wireless security assessment may look into the nature of the information that needs to be secured, and actually test whether data leakage is possible by testing both the infrastructure and user knowledge of security, as people are commonly considered the weakest link in security.

Information Security Assessment vs Security Audit

An Information Security Assessment addresses the bigger picture, usually the security of a company or organization or sub-organization. Please see the diagram below.

As can be seen, Information Security (InfoSec) is a larger circle that encapsulates much smaller circles such as network security, data center security, voice over IP security, physical security, etc. Each of these is part of IT Security. InfoSec reaches all of these tangible areas as well as non-tangible areas such as business security. For example, it raises the following high-level questions:

- What types of information do you have?

- What types of information need to be secured?

- What are the sensitivity levels of the information that needs to be secured?

- How is information currently being secured at its correct sensitivity levels?

- Are there areas that need improvement?

A security audit does not address or take into account these high-level questions. A security audit is a fixed deliverable made up of work packages. A security assessment is always custom tailored, as a mutual understanding between the customer and the professional services provider of the testing to be performed. Many customers have a growing need to change the scope of work from one three-year period to the next, as their concerns, their personnel, their infrastructures, and trends are ever evolving; technology moves fast, and three years is a long time. In many cases companies get burned once by a poor assessment. Once a company finds a good, competent third party, they typically stay with that third party. Project management is already complicated not just by the customer, the engineers, the politics, etc., but also by the complex nature of the work. This paper is geared towards technical project managers in the business of security services, which is a multi-billion dollar a year industry. It is written by a technical project manager in the field of security services, and serves as an informative guide to other project managers within the field of technology-driven security services.

SOW Creation, Scope Development and Management

The adage "the way it begins is the way it ends" holds true. Project Managers need to understand what capabilities their organizations can offer, and need to understand the customer's needs well in order to develop the Scope of Work properly, and to contribute to or be part of the Statement of Work (SOW) creation, if possible. However, if the Project Manager is completely removed from the SOW creation process that includes a defined Scope of Work, the Project Manager, who will ultimately be responsible for the successful execution of the project, needs to ensure that everything written in the SOW and the Scope of Work can be executed, that resources (assessors/engineers) have been taken into consideration, and that all the customer objectives can be met within the contractual agreement and time frame, in order to avoid setbacks or project failure. All human resources and technical teams need to be accounted for, and the project manager should hold a meeting before the project initiating phase to discuss the Scope of Work with the technical teams, as well as the timelines written into the SOW. A successful project manager will create the WBS by interviewing the technical teams and individual members, and understand which individual(s) will be performing which tasks and delivering specific work packages. Additionally, the project manager and technical team members need to have an upfront understanding of the work, and it is the job of a successful project manager to ensure that the technical team has the necessary skills to carry out the work in the time allotted in the SOW. If the project manager understands the work well and identifies problems early, it may become apparent that the agreed time frame is unrealistic, and it is the project manager's duty to bring these issues up with the PMO as soon as possible.

SOW Pitfalls and Ethics

The project manager may or may not be involved in the SOW creation. This depends on the type or size of the organization, and the level of authority and responsibilities of the project manager. In either case, there are aspects of creating an Information Security Assessment SOW that need to be captured here, in order to avoid serious conflicts and problems that may arise. The project manager is an expert at project management, but needs a little more insight into the nature of this work in order to be very successful. Let's take a step back and look at what services are being rendered, and what objectives are being pursued from both the customer's perspective and the services provider's perspective. Their objectives are not congruent, and in fact differ considerably. The services provider is hired to perform an evaluation of security, using personnel and tools, to rate the security posture of what the customer has put forward for testing. If, after all work has been done and deliverables have been made, the customer receives a high score in all areas, the outcome presents a dichotomy. First, understand that the customer wants to receive a high rating on all the tests performed by the assessors, because this report will typically be sent up the flagpole to auditors or senior management, and it reflects directly on the main POC's management and staff as well. If the customer receives a high score in all evaluations, they are very content with what will be sent up the flagpole to senior management and, more importantly, to auditors. However, they may also be discontent that the services rendered perhaps did not do a good job, because no weaknesses or vulnerabilities were found. This makes for an impossible situation on the part of the services provider in this outcome. The goal and objective is to clearly evaluate the security posture per the customer's objectives.
The goal of the assessment from a service provider's perspective, and the value that it brings, is closely aligned with assessment reports that uncover problems and vulnerabilities in the customer's infrastructure and processes. Through structured and monitored testing, there is a lot of value added to the assessment and the work rendered if the assessment report finds vulnerabilities and weaknesses that need fixing. This shows true value and is the ultimate goal of the services provider, which is results driven. However, if the assessment team assigns a customer a low rating, the customer will in almost all cases argue for a higher rating and try to establish one, since this report is in all cases sent up the flagpole, and they want to make themselves look good. In most assessments, what is described above is expected, as ironic as it is, but in this business there is a mutual understanding of these outcomes between the customer and services provider, unless it is a customer's first Security Assessment.

This is the "gotcha". If the customer asks for Social Engineering, or even does not, it is of the utmost importance that there is a "Rules and Regulations" clause in the SOW that states the boundaries of the testing.

Here are some rules and regulations guidelines, provided specifically for ethical purposes and for the customer's benefit. If the customer sees this, they will have more respect for the SOW and treat it more seriously than SOWs that do not cover such details.

- If Social Engineering is specified, include a Rules & Regulations section specifically for this work package that includes "boundaries". If boundaries are not included, an assessor can skip the hard work and install hardware keystroke loggers, which cannot be detected by anti-virus, allowing the assessor to capture passwords and circumvent the real work that typically requires days or weeks to exploit the entire enterprise. This method is considered totally unethical, and the results should be void, because it is a way of cheating.

Other general notes for the "Rules & Regulations" section:

- Do not try to mislead the customer. Inform the customer of known risks (e.g. an exploit that may be used to compromise a device has a propensity to crash the device or system).

- Decide whether hardware keystroke loggers will be allowed (in most cases they will "never be allowed", but as long as the primary POC is aware that this may be tried, they may authorize it).

- Define this section by stating only what is allowed (don't leave it open ended, allowing loopholes).

- Include a clause (even if in repeat) that the customer can halt any activity at any given time without reason. The primary customer POC should feel as though he/she is in charge of this project and has complete authority, and won't be blindsided by anything. For instance, certain security testing may slow down the networks or systems, essentially interfering with user productivity by saturating bandwidth. That is a good reason for the customer POC to halt an activity, or reschedule it after-hours.

- Work with the customer to determine whether hacker tools may be installed on machines. If they are allowed, as in many circumstances they should be, ensure in writing that at the end of the assessment all tools will be removed. If the customer won't allow tools to be installed, such as sniffers that over time can capture users' passwords, a decision needs to be reached here. If tools cannot be installed, this is called a "touchless" assessment. However, if penetration testing, or specifically ethical hacking, is a required deliverable, the installation and post-assessment removal of the tools is well justified, since the assessor needs to masquerade as a black hat or insider threat to truly test security across networks and systems.


Information Security Assessments may be generalized as just Security Assessments. Additionally, sometimes the name Risk Assessment is used instead of Security Assessment. The name used does not matter. What matters is the work deliverables the customer is asking for. Also, sometimes customers want parts of the assessment, wireless in particular, to be just audited. The differentiating feature between an assessment and an audit is testing. In an audit, very limited or no security testing is performed. In assessments, testing is always a necessity. Here is a list of terms to be familiar with.

- Vulnerability Assessment

- Black Box Penetration Testing

- Gray Box Penetration Testing

- White Box Assessment

- Ethical Hacking

- White Hat Hacking

- Perimeter Security Assessment

- Internal Security Audit

- Web Application Penetration Testing

- Wireless Penetration Testing

- Wireless Security Audit

- War Driving & GPS Map Plotting

- Social Engineering

- Risk Assessment (Quantitative)

- Risk Assessment (Qualitative)

- Gap Analysis

- STIG (Security Technical Implementation Guide)

- IAVA (Information Assurance Vulnerability Alert)

- Category 1, 2, 3 vulnerabilities

The names above are standard nomenclature for Security Assessment work activities. The only name that should raise a red flag is when an organization talks about "Black Hat". Even though there is a legitimate security conference in Las Vegas and D.C. called "Black Hat", a Black Hat generally refers to a malicious, skillful hacker that has committed cyber crime and fraud and broken laws. The names "Ethical Hacker" or "White Hat Hacker" better denote individuals that perform offensive security tactics for legitimate reasons. If you are ever in a position to develop an RFQ or SOW, please do not use the term "Black Hat". Any upstanding security professional will know instantly that the customer is completely unknowledgeable about this type of work, or it could be construed as a solicitation for illegal services. There are plenty of cyber thieves, hacker gangs, etc., that perform black hat hacking for illegal purposes and profit.

Project Risk Management

A project manager that already has experience managing Information or IT Security Assessments will already know, from lessons learned on past projects, the pitfalls that need to be avoided. Below are project risks that are essential for project managers to mitigate.

- Technical team members (assessors) are not qualified to perform the work prescribed

For this risk, the project manager is not expected to be a technical expert, but if the principle is well understood, the project manager can mitigate the risk early on. There will always be unforeseen issues that arise within any project. The best method for the project manager to avoid this one is to obtain a statement in writing or by email from the technical team members' manager stating that the engineers can and will execute the work in the time allocated. Most managers will not like to put their name in writing, but the project manager needs to be protected from the failure of others, because if the project fails due to a lack of technical knowledge/experience and project deliverables are delayed, this causes drift in other deliverables, and the project manager will be held accountable before anyone else. In large multi-tiered projects, project managers understand people well, and when they see someone with skill, they sometimes have the decision-making authority or ability to recruit that talent for the project, depending on the size of the project and the project manager's authority. With a statement in writing that the engineers or technical teams have the necessary skills and have allocated the time correctly, the project manager can avoid being responsible for a project that becomes prolonged due to a lack of technical expertise. Also, since scope creep is found in almost all projects, due to the customer's lack of expertise in what is being delivered, these are by far the first and foremost concerns of the project manager. The project manager, whether stated or not, usually carries a level of responsibility for the assembly of a successful team. The reason is that when projects are delayed, there may be multiple contracting agencies and subcontractors, and a delayed project ends in one of two ways.
The better outcome is that the project is delayed, and it costs both the customer and the consulting service provider(s) undue additional monetary expense. The worst-case scenario is that the project cannot be extended past its late finish date, or has had too many extensions, and the cost of the additional expense to complete it can no longer be justified by the benefit of completing it. Resources very likely become unavailable due to other obligations, and they may be the only ones with the knowledge to complete a critical path element. This essentially means project failure. Planning well in advance, and allocating ample time to the planning phase, increases the likelihood of success for project managers. Micro-managing a project undergoing multiple extensions does not make it go any faster, no matter how many resources are added, if the problems extend into political issues. Projects with political issues that cannot be controlled are doomed to failure. Planning in advance for delays and adding slack time are essential risk mitigation methods implemented by experienced project managers.

The project manager may only have so much authority or decision-making power, but the more the project manager can get involved in the early parts of scope development and SOW creation, the better the project manager can control the project before it even begins. However, in many cases the negotiations between the prime (provider) and the customer are outside the purview of the project manager, and the project manager must carefully review the SOW and understand all work packages, milestones, delivery dates, customer POCs, as well as the technical resources and which work packages they map to. If the project manager can get on a first-name basis with the technical resources carrying out the work, the project manager should do this as early in the project as possible. Get to know the people performing the work. This not only establishes rapport and builds morale; people who are already in communication with the project manager will also be more responsive to status checks during project execution. If the project manager fails to get to know the people carrying out the project, it will be harder to gain their support if and when things don't go as planned. A supportive project manager is very important for the technical teams on the ground interfacing with the customer on a day-to-day basis, and this is very important to the success of these projects. Additionally, the project manager should be on a first-name basis with the lead customer POC(s), and with as many customer POCs as possible. It is likely that the lead customer POC, who will likely hold a position such as Director of InfoSec or IT Security Manager, will be a gatekeeper and only allow communication from the project manager to him/herself, or not at all, as some projects can be an assembly of 20 or more people on both the customer and provider ends.
Just as essential as it is for the project manager to be on a first-name basis with the assessors/engineers, it is just as important, if not more so, for the project manager to know the customer and have very good rapport with the customer as soon as possible. People skills are essential in this type of work. Following these practices, project managers will have the keys to making project after project a success.

Monitoring & Controlling aspects

The project manager should be aware that Security Assessments that involve penetration testing and ethical hacking work packages are extremely sensitive to time delays. For instance, an assessor/engineer may have gathered data that needs to be processed offsite for results. Let's use password cracking as an example. The security assessor has captured the handshake, and it is completely unknown whether the password can be broken in 1 day, 1 week, 2 weeks, 1 year, tens of years, or even thousands, if the password is that strong. This type of situation and "unknown" is specific to Security Assessment work. However, this piece of data can be left processing while the security assessor moves on to perform other work in parallel. Assessors understand how this works, and this way their time is maximized. However, just as the project manager can manage multiple tasks in parallel and yet must still adhere to a critical path, the assessors usually have many options, and depending upon their skill and experience level, need to make the best decisions. One of these decisions is knowing when to stop. For example, if the password is too hard to crack, an engineer may try a top-1000 password list. However, if they decide they want to "go for it" and extend the work package, sometimes without informing the project manager, they should make the project manager aware of this. The project manager should ask all assessors and engineers on the project whether they will be dealing with password cracking. If a team member answers yes to this question, the project manager needs to step in and ensure that password cracking is performed as a parallel task, as the project manager cannot have resources tied up trying to break a password that the computing resources estimate will take a year to break.
Security assessors have a propensity to "not want to stop" and will try to carry out tasks and extend their work on the chance that they might get the "keys to the kingdom". This is all based on probabilities, with no assurances. Sometimes assessors do get very lucky, and other times this turns into wasted effort. It is important for project managers to step in and control the workers so that they don't get tied up in an activity that has a one-in-a-thousand chance of succeeding. This is a serious source of delays and extensions on Security Assessment projects for project managers to be aware of. A way to monitor this is to hold meetings once or twice a week and ask for status checks on all tasks. Ask the question, "is there anything that I've missed?" If assessor X's task E is running too long, the project manager needs to step in and say stop and move on. Sometimes assessors need to be told this. Projects have a finite time limit, and sometimes assessors forget this fact. In the best case, ensure that a top-1000 or top-1-million password list was used, note it for the report, and ensure that the assessor moves on to complete the succeeding work packages. This is the controlling aspect at work here for you.
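The stop rule described above can be made explicit. The following is an added example, not code from the original post: it turns the "will this take a day or a year?" question into a scheduling decision by estimating the expected time to exhaust a keyspace at an assumed guess rate, always budgeting the cheap wordlist pass, and routing anything over the work package's time budget to a parallel background task so the assessor moves on. The hash rate, charset, length and budget values are constructed assumptions, not benchmark figures.

```python
"""Time-boxing offline password cracking as a project control.

Added example, not from the original post. All numbers (guess rate,
charset size, password length, day budget) are constructed assumptions
used to illustrate the stop rule; they are not benchmarks.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass
class CrackJob:
    label: str
    charset_size: int   # size of the alphabet being exhausted (assumed)
    length: int         # password length being exhausted (assumed)
    hash_rate: float    # guesses per second on the assessor's hardware (assumed)

    def keyspace(self) -> int:
        """Number of candidates an exhaustive search would have to try."""
        return self.charset_size ** self.length

    def expected_days(self) -> float:
        """Expected time to hit one uniformly random password: half the keyspace."""
        return (self.keyspace() / 2) / self.hash_rate / SECONDS_PER_DAY


def plan_job(job: CrackJob, budget_days: float, wordlist_size: int) -> dict:
    """Decide how a cracking task is scheduled inside the work package.

    The capped wordlist pass is always cheap enough to run and to report on.
    Exhaustive search stays "inline" only if its expected time fits the budget;
    otherwise it becomes a "background" task and the assessor moves on.
    """
    wordlist_seconds = wordlist_size / job.hash_rate
    days = job.expected_days()
    action = "inline" if days <= budget_days else "background"
    return {
        "label": job.label,
        "wordlist_seconds": wordlist_seconds,
        "expected_days": days,
        "budget_days": budget_days,
        "action": action,
        # One-line note the assessor carries into the report, as the text advises.
        "report_note": (
            f"{job.label}: wordlist of {wordlist_size:,} entries tried; "
            f"exhaustive search estimated at {days:,.1f} days "
            f"({'within' if action == 'inline' else 'exceeds'} {budget_days} day budget)"
        ),
    }


def schedule(jobs, budget_days: float, wordlist_size: int) -> dict:
    """Group every cracking task so the PM can see which ones would block the critical path."""
    plans = [plan_job(j, budget_days, wordlist_size) for j in jobs]
    return {
        "inline": [p for p in plans if p["action"] == "inline"],
        "background": [p for p in plans if p["action"] == "background"],
    }


if __name__ == "__main__":
    # Constructed sample: a 6-digit PIN and an 8-character printable-ASCII password.
    jobs = [
        CrackJob("pin-lockout-test", charset_size=10, length=6, hash_rate=1e6),
        CrackJob("wpa2-handshake", charset_size=95, length=8, hash_rate=1e9),
    ]
    for bucket, plans in schedule(jobs, budget_days=10, wordlist_size=1_000).items():
        for p in plans:
            print(f"[{bucket}] {p['report_note']}")
```

The PM does not need to understand the hashing; the two numbers that matter for the critical path are the expected days and the budget, and the decision is mechanical once both are on the table.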

Report Writing

The project manager should have distributed a Gantt chart at the initiating phase of the project. In past experience, whether managing multiple team members or a single senior assessor/engineer, it is best that they have a report template ahead of time. The report template should contain an Executive Summary page, and then a deep-dive section detailing the findings, both good and bad, and remediation recommendations. To maximize resources during the project, it is likely best practice to have the security assessors/engineers write the report in tandem as they complete work packages, using Word with revision control on and tracking changes as necessary. All assessors/engineers should have a 45-minute to 1-hour period at the end of each day to collaborate on their findings, and copy all related findings onto a shared mobile Ethernet hard drive that they can all connect to at the end of each work day. This is a way of maximizing time and resources. The project manager should furnish one of these shared drives and institute these daily wrap-ups so that the assessors/engineers have time to themselves to discuss strategies, as the findings dictate the best strategies and tasks to continue with.

Because Security Assessments yield so much data, both useless and very useful, it becomes very hard to keep track of what happened, what was tested, and when. Just like a project management timeline, in a Security Assessment a timeline must be kept of which test was performed at each interval, especially because compromising an enterprise takes so many incremental steps, some of which are multiple steps performed within a single day, and others performed over the course of days or weeks. It is good to take notes; however, this is not good enough. As a project manager with several assessment/engineering personnel, each with their own set of skills, tests, and results, the need to bring them all together and constantly re-strategize their efforts is essential to success. If only notes are taken, and then the assessment period comes to an end and it is time to begin writing the report, days of time will be lost, as well as potentially pertinent details. That is why it is strongly recommended that assessment personnel begin writing the report as they go along. Then, when all tests are complete, they can focus on tuning the final deliverable reports for the customer.
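The daily wrap-up and the running timeline can be kept with very little tooling. The following is an added example, not code from the original post: each assessor keeps a plain-text note file in a fixed "timestamp | work package | test | result" format (a constructed convention assumed here), and at the wrap-up the files are merged into one chronological timeline grouped by work package, which is the skeleton of the findings section the report template needs. The two note files and their contents are constructed sample data.

```python
"""Merging per-assessor notes into one assessment timeline.

Added example, not from the original post. The note format
("ts | work package | test | result") and the two note files below are
constructed for illustration; a real team would agree on its own format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Entry:
    when: datetime
    assessor: str
    work_package: str
    test: str
    result: str


def parse_notes(text: str, assessor: str) -> list:
    """Parse one assessor's notes. Blank or malformed lines are skipped so a
    stray remark does not throw away a whole day's log."""
    entries = []
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split("|")]
        if len(parts) != 4 or not parts[0]:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        entries.append(Entry(when, assessor, parts[1], parts[2], parts[3]))
    return entries


def merge_timeline(*note_sets) -> list:
    """Interleave every assessor's entries into one chronological timeline."""
    merged = [e for notes in note_sets for e in notes]
    return sorted(merged, key=lambda e: (e.when, e.assessor))


def by_work_package(timeline) -> dict:
    """Group the timeline by work package, preserving chronological order."""
    groups = defaultdict(list)
    for e in timeline:
        groups[e.work_package].append(e)
    return dict(groups)


def span_days(entries) -> int:
    """Calendar days between the first and last step of a work package."""
    return (entries[-1].when.date() - entries[0].when.date()).days


def render(timeline) -> str:
    """Report-ready outline: one section per work package, steps in order."""
    lines = []
    for wp, entries in sorted(by_work_package(timeline).items()):
        lines.append(f"{wp} ({span_days(entries)} day span, {len(entries)} steps)")
        for e in entries:
            lines.append(f"  {e.when:%Y-%m-%d %H:%M} {e.assessor:<6} {e.test}: {e.result}")
    return "\n".join(lines)


# Constructed sample notes from two assessors (not real assessment data).
ALICE_NOTES = """\
2010-03-02T09:10 | WP-2 | external scan | port inventory of in-scope hosts complete
2010-03-03T16:40 | WP-2 | service review | outdated SSH banner on 2 hosts (finding F-01)
"""

BOB_NOTES = """\
2010-03-02T11:30 | WP-4 | wireless survey | 3 APs found, all WPA2; one guest SSID open
(lunch, nothing to log)
2010-03-02T15:00 | WP-4 | wireless survey | guest SSID reaches internal VLAN (finding F-02)
2010-03-04T10:15 | WP-2 | password audit | top-1000 list exhausted, 0 hits; moved on
"""

if __name__ == "__main__":
    timeline = merge_timeline(parse_notes(ALICE_NOTES, "alice"),
                              parse_notes(BOB_NOTES, "bob"))
    print(render(timeline))
```

Because every entry carries its own timestamp and assessor, the merged view answers "what was tested, by whom, and when" directly, and the per-work-package span shows at the wrap-up which packages are stretching across days and may need the stop rule from the previous section.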


Information Security Assessments are a complex task carried out by security professionals, each with a mind of their own. Success is based on a team effort, and the project manager can do a lot to influence that success, guiding the assessors/engineers toward the methodologies described above so that the project succeeds and meaningful results are found. Among security services offerings, information security assessments are one of the most difficult types of projects to manage. A seasoned project manager can help a group of assessors/engineers be even more successful by managing and controlling the project, as well as by proper planning right from the get-go. Many project managers are kept in the dark, especially on technical projects with a lot of inbuilt complexity, which this type of project has. The more fortitude a project manager can display, and the better they understand the nature of this work, the more successful they can be, not only for themselves but for the entire team. In any project of significance, there is a reason why there is a project manager to begin with. Understand the terminology, and understand the people, both those under your management and the customer's. Learn as much as you can about the services being delivered to the customer, and these projects will succeed and you will have repeat customers. This type of project management is not architecture, assembled from building blocks; there are many unknown factors. The technical teams have a lot on their shoulders to succeed in these projects. As a final note, enable them, and disable them if they need to be. This is a very difficult service to carry out, and certainly a difficult service delivery to manage.
