Sample – Security Engineering Security Posture Assessment Proposal
February 4, 2012
Statement of Work
Executive Summary
‘Client’ submits this proposal to perform a Security Posture Assessment for:
The comprehensive security effort by ‘Client’ personnel from various locations and ‘Client’ Managed Security Solutions (MSS) Alliance Partner will provide:
- A preliminary assessment of the current security posture of the Sample-1 web site and network. The Preliminary Security Posture Assessment identifies the technical security controls present in the web site and associated networks and their observed/tested effectiveness. This assessment will be conducted from an external perspective only. Findings will be compared to the established policies furnished by Sample-1 Corporation. Results and findings of the assessment will be passed to ‘Client’ Advanced Network Solutions (ANS) for incorporation of appropriate countermeasures.
We propose a three-phase methodology for the preliminary security assessment, with an optional fourth phase. Each of the phases is described in greater detail in the sections that follow. The phases are:
1) Phase 1 – Remote Data Gathering and Testing
2) Phase 2 – Data Assembly and Analysis
3) Phase 3 – Report Generation
4) Phase 4 – Management Out-briefing (optional)
Description of Proposed Services
The following sections detail our approach to this engagement, including the anticipated completion time, our methods and tools, and a top-level description of the contents of each deliverable product.
Phase 1 – Remote Data Gathering and Testing (one week)
Phase 1 is the kick-off for the engagement. Because of the compressed time allowed to complete the preliminary assessment, many of the normal tasks associated with starting a security posture assessment must be assumed and/or back-filled when possible. To establish the scope of the Preliminary Security Posture Assessment activity and its boundaries, telephone interviews for initial information collection must be used. As scope and boundary determinations are set, systems and technologies within the boundary will be identified.
Following the identification of systems and technologies, personnel with the skills and expertise to identify and assess the effectiveness of in-place security controls will be assigned their respective tasks.
Based on preliminary information, the “team” will consist of MSS personnel and MSS Alliance Partners. MSS and Sample-1 personnel (or personnel attached to the Team) are responsible for the identification and assessment of in-place security controls using automated security and management tools.
‘Client’ is responsible for ensuring the rigor and output of the automated testing is sufficient for assessing the security posture, verifying that the testing procedures are appropriate, consolidating the information obtained from Sample-1 sources, gathering data independent from Sample-1 personnel, performing an all-source security analysis, and generating the deliverable products. It is important to note that for the purposes of this activity, Sample-1 employees assigned to the Team are “trusted agents” who are expected to objectively report the findings of their investigations without organizational bias.
If something works, they will report that it works. If something doesn’t work, they will report that it doesn’t work. Non-retribution ground rules apply.
The agenda of this phase should include the following:
- A Team orientation of the Sample-1 operations. (not available due to time constraints)
- An opportunity to observe operations in progress. (not available due to time constraints)
- An opportunity for the Team to meet as a separate group to establish Team milestones, standardize reporting criteria, and review responsibilities. (not available due to time constraints)
- An opportunity to meet and interview key decision-makers, system administrators, and security administrators/staff. (available through telephone interview only)
- Copies of policy, guidance, and other security-relevant documentation governing the Sample-1 operation.
- A point of contact (POC) list of all Team members and information sources at Winston-Salem.
- Penetration testing of external web site access and other associated network assets.
Significant resources required for the initiation of this project include:
1) Copies of policy, guidance, and other security-relevant documentation governing the Sample-1 operation.
2) Identification of resources to be evaluated during the preliminary assessment. This will include IP addresses and domain names to be assessed.
3) Network diagrams showing the Internet connectivity architecture.
4) Formal, non-repudiable permission to conduct penetration testing against identified Sample-1 resources.
Additional resources needed for the process include:
1) Identification of Points of Contact at the Sample-1 facility, to include management and system personnel.
2) Description of the data flow process to be protected.
Phase 2 – Data Assembly and Analysis (one week)
During this phase, data is received from all sources and analysis begins. The analysis will focus on the differences between the stated requirements and the effectiveness of the controls implemented to meet them, as indicated by the success or failure of penetration attempts.
Phase 3 – Report Generation (two weeks)
A report is generated during this phase.
- The report is the Preliminary Security Posture Assessment. This report identifies the technical security controls that are in place and comprise the current security baseline of the Sample-1 web site and associated networks. Each attempted penetration is discussed and the corresponding control is assigned a numeric effectiveness value.
Phase 4 – Management Out-Briefing (two days) [optional]
The Management Out-Briefing summarizes the activity with emphasis on the report. The briefing provides a management-oriented view of which current security controls appear effective and which do not, the security implications, and corrective recommendations for consideration.
Although the desktop briefing normally lasts an hour or less, two days are scheduled to allow for further management consultation if desired and out-briefing of report contributors.
Follow-on Phases
If Sample-1 elects to continue security assessments of its web servers and networks after the initial assessment, the Phase 4 Management Out-brief option could be combined with additional personnel traveling to initiate a more detailed, in-depth information security assessment of the Sample-1 facilities. The continuation would focus on a second look at the external penetration assessment and an internal assessment to check the “inside-out” vulnerabilities.
Performance Timeframe and Resource Requirements
‘Client’ is able to begin this task upon receipt of a purchase order. We estimate the period of performance to be four (4) weeks. The period of performance is dependent upon Sample-1 schedules and other factors, but will be established to the agreement of all parties.
In order to fulfill the tasking, ‘Client’ will require permission to penetrate and explore potential exploitations of Sample-1 web sites, routers, servers, and associated networks.
Throughout the effort, we will require access to managers, systems administration personnel, and security representatives. Our contact with these people will be during meetings, conference calls, or e-mail exchanges that are structured to make efficient use of their time. The bulk of our analysis and research work will be accomplished in our facilities so as not to interfere with on-going Sample-1 operations.
We would not anticipate a need for office space, telephones, or other administrative support during this engagement.
Deliverables
The products to be delivered to Sample-1 at the conclusion of this task:
- Preliminary Security Posture Assessment
- Final Security Posture Assessment / recommended remediations
- Management Out-Brief (optional)