Stepped Security Methodology
June 25, 20121) Project Initiation – The project is setup in this phase. A project manager is assigned, the project scope is clearly identified, the project organization is established, and an initial project plan is drafted.
2) Discover – This is the most critical of all phases. During this phase, the business and technical requirements are identified. Because these requirements guide the other phases, care must be taken to identify and understand the impact of each. Additionally points of pain or concern are documented for increased scrutiny in the following phases.
3) Strategy – Based on the requirements gathered in the discovery phase, ‘Consultant’ begins the process of establishing the desired security state.
4) Penetration and Vulnerability Assessment – In this phase, a external security assessment and review of the technology and architecture with business and technical requirements is performed. Host and network configuration detail is captured; risks and system dependencies are also documented. All possible impacts to the customer’s environment are reviewed and documented for analysis.
5) Data Assimilation and Analysis – Technical brain storming session occurs with various subject matter experts. Security experts, using ‘Consultant’s methodology and a combination of in-house and industry tools, create a set of best business practice recommendation’s based on gathered data and facilitated discussions.
6) Document and Recommend – A formal document outlining the current state of the client’s environment is created. All detailed configuration information, which was gathered during this process, is included in this document with identified areas of concern and appropriate recommendations for remediation.
7) Baseline Presentation – This phase is a formal presentation of the current state of security. The delta to the desired state is defined and the remediation plan is presented.
8) Remediation – The corrective measures are implemented in this phase.
9) Management – This phase is the ongoing maintenance of the corporate assessments. It includes periodic assessments, server management, network device management as well as security monitoring of mission critical devices and networks.