
Sample Qualys Statement of Work (SOW)

May 13, 2010

Business Need / Problem Statement

The current Vulnerability Assessment is inadequate and requires a large amount of customization and many man-hours to produce any meaningful report data. The current system lacks key features such as centralized management and role-based access control, offers only limited data export formats, and cannot produce the reports that management demands.

In addition to the lack of features and scalability concerns in the current toolset, there is no coordinated strategic effort to address vulnerabilities found on corporate computers. As a result of this, we keep seeing outbreaks of viruses and worms on our networks.

Project Objectives

This project is a sub-project of the larger Risk Management Phase, so the objectives below cover only the Vulnerability Assessment Tool objectives.

Deploy a tool that will

Allow for analysis of company security vulnerability and risk across all existing corporate sites, as well as future corporate sites obtained via M&A activities

Provide a tool that is easy to use and report from, so that owners of systems, applications and sites can perform their own analyses

Provide data points to be integrated with the Risk Management Dashboard

Revisit remediation strategy and processes in order to reduce the risks and improve the vulnerability management process at Corporate.

Scope Definition

Deployment

Initial tool deployment to 3 locations – site 1, site 2, and site 3

Set-up infrastructure to support vulnerability assessment tool

Develop Processes & Procedures around use and deployment of vulnerability assessment tool

Develop and provide end user training for vulnerability assessment tool

Deployment to remaining satellite sites

Identify sites needing vulnerability assessment tool deployment

Deploy vulnerability assessment tool to those key satellite sites

Institute vulnerability assessment scanning processes and procedures at those sites

Not in Scope

The following items are NOT in scope for this release but have been captured as requirements (and, in some cases, key requirements) for future Phases.

Once processes and policies are defined with this deployment, further projects will address deployment to the other regions.

Physical risks and physical security of IT assets are outside the scope of this project.

Production of a Security “Dashboard” for real time reporting.

Actual remediation activities to address any threats identified by vulnerability assessment tool will not be addressed by this project.

Scope Control

The scope of the Project will be managed through the Project Schedule. Where there are changes impacting the scope defined in this document, the Project Team will document the proposed change and depending on the magnitude and potential schedule impact, either approve the proposal or obtain Steering Committee approval. There are no firm guidelines as to when Steering Committee approval is required; each case will be assessed on an individual basis.

Budget and Resource Management

Budget and resource management responsibility and control are with the PMO.

Project Schedule

The project schedule will be created using Microsoft Project. The IT Project Manager is responsible for the accuracy of the project schedule. The IT Project Manager will maintain the schedule.

The Project schedule will be updated on an ongoing basis and be available for inquiry in the project repository at Vulnerability Assessment Tool Repository – located under the ‘Project Control and Reporting’ package.

Status Meetings

The IT Core Team plus key members of the IT Extended Team will meet to review progress and issues on a weekly basis.

The IT Project Steering Committee will meet on an as needed basis.

The Executive Steering Committee will meet on a monthly basis or more frequently as needed.

Assumptions and Constraints

Risk

Proposed Project Structure

Milestones

Identify the initial milestones for the project