DELIVERABLES:

  1. SCOPE OF WORK - 1-page SOW report

  2. WORK BREAKDOWN STRUCTURE - WBS

  3. THREATS AND VULNERABILITIES REPORT - 2- or 3-page report

  4. NETWORK ANALYSIS TOOLS REPORT - 1- or 2-page report

  5. VULNERABILITY ASSESSMENT - matrix

  6. LESSONS LEARNED REPORT - 2- or 3-page report

  7. FINAL VULNERABILITY ASSESSMENT REPORT - Your final document will be seven to 10 pages long, not including charts and graphics, and will include appendices, including a vulnerability assessment matrix.




Project 1 Start Here

Vulnerabilities are security holes or flaws that can leave a system open to attack. These may be from an inherent weakness in the system itself, in procedures used, external sources, or anything that may leave information exposed.

It is important that organizations actively assess their vulnerabilities and ways to address them. In this project, you will perform a vulnerability assessment, which identifies, classifies, and ranks the vulnerabilities for your organization from a disaster-management perspective.

The assessment will be completed in a series of steps. You will classify and prioritize threats, assess vulnerabilities, and include a "lessons learned" section as part of the assessment. Your final document will be seven to 10 pages long, not including charts and graphics, and will include appendices, including a vulnerability assessment matrix. Throughout the process, you will be submitting portions of the document to your instructor for feedback so you can make adjustments before submitting the final assessment.

You will be assessed on the coherence, inclusiveness, and feasibility of your findings and recommendations on the vulnerabilities of an organization from a disaster-management perspective.

This is the first of four sequential projects in this course. There are 12 steps in this project. Now that you have an idea of the task ahead, review the scenario next to get started.



Vulnerability Assessment Management

Scene 1

You have just been promoted to the newly created role of chief information security officer, or CISO, at your organization, a midsize federal government contracting group.

Maria Sosa, the chief technology officer and your new boss, stops to talk. “Can you stop by my office? I’d like to talk to you about a new project.”

Scene 2

Maria gives you a friendly greeting as you enter. 

“As you know, your new role involves helping us stay ahead of cyber criminals, keeping up with compliance requirements for our contracts, and ensuring that our partners and employees engage in proper security practices.”

You nod.

“I’m concerned that the contractor we hired to develop our last vulnerability assessment just didn’t understand the big picture of how our organization works. Instead of using an outside vendor, I’d like you to take the lead on the assessment this year.”

“I realize this is a highly technical process, but as you are working, I’d like you to keep the ‘big picture’ in mind. Look at people, processes, and technology across the entire organization and really tie vulnerabilities to possible business impacts.”

Scene 3

You head back to your office, excited about the prospect of tackling your first big assignment as CISO. You will have to combine technical and research abilities to come up with an assessment that ranks the vulnerabilities of the system from a disaster management perspective. As part of this assignment, you will present your prioritized list and supporting information to the executives in a professional manner.

Step 1: Classify Aspects to Be Addressed

Before beginning the vulnerability assessment, you must first create a preliminary classification of mission-critical aspects to be addressed in the assessment. Determine what "secure" means to the organization by reviewing the topic of cybersecurity vulnerability, evaluating existing business practices, and interviewing senior personnel.

Prepare an overview of the mission-critical aspects of the organization's current processes. Include personnel, physical security, network security, and cybersecurity in the overview. You will use this overview to prepare a scope of work in the following step.

Step 2: Create a Scope of Work (SoW)

In this step, the vulnerability assessment will be performed once again, this time by you as the CISO. Since the previous contractor was an external consultant, you will be able to offer insights and consider the big picture of the organization when conducting the assessment. You will prepare for the assessment by creating a comprehensive list of security needs based on findings from the previous step. This list should identify threats, risks, and vulnerabilities to achieve a holistic view of the risk across the entity.

The SoW is the key element of any project and is important to learn. It should be filed as supplementary documentation, both for evaluating execution and for directing the work toward the milestones of a multiphase comprehensive project plan within the vulnerability assessment. The scope of work will be the first section of the final vulnerability assessment report.

Combine the overview from the previous step with the list of security needs into a one-page SoW report. Submit the report for feedback. In the next step, you will use what you have created to compile a comprehensive project plan.

Step 3: Develop a Comprehensive Work Breakdown Structure (WBS)

In the previous step, the SoW report conveyed a brief overview of the organization's critical aspects and a list of the organization's security needs. Now, you are ready to develop a comprehensive work breakdown structure (WBS). This breakdown provides more detail, so you will need to devise examples of procedures you might recommend to your organization. Some examples include a penetration test, baseline analysis, or system logging. Note the tools and techniques for conducting a vulnerability assessment; you will use them later in the project.

Using a spreadsheet, create the comprehensive work breakdown structure, including key elements that must be tested and analyzed. Organize the spreadsheet using the elements identified in the SoW from the previous steps and the following:

  • internal threats: personnel, policies, procedures

  • external threats: systems, connectivity, databases

  • existing security measures: software, hardware, telecommunications, cloud resources

  • compliance requirements: legal aspects (federal, state, and local), contractual demands up and down the supply chain

Note the security threats and vulnerabilities. This plan will serve as the second section of the final vulnerability assessment report.

Submit the comprehensive work breakdown structure for feedback. In the next step, you will provide detailed explanations on those security threats and vulnerabilities.

Step 4: Explain Security Threats and Vulnerabilities

In the previous step, you developed a comprehensive work breakdown structure. In this step, you will explain the security threats and vulnerabilities included in the plan. In the explanations, consider relevant concepts such as the threat modeling process and third-party outsourcing issues. Include system and application security threats and vulnerabilities.

Reference aspects that are not being included. Note that you would need to obtain management agreement with the initial analysis of mission-critical components to be included in the assessment. This phase includes management input into the prioritization process of all risks from internal and external sources. 

This information will be used in the following steps to develop the threats and vulnerabilities report, which will then be included in the Final Vulnerability Assessment Report.

Next, you will classify the risk of threats and vulnerabilities.

Step 5: Classify the Risk of Threats and Vulnerabilities

Throughout this project, you have developed a foundation for the vulnerability assessment by classifying critical organizational aspects, creating a scope of work, and explaining security threats and vulnerabilities. Now, you are ready to classify the organization's risk according to the relevant data determined in the project plan. 

Company demands, management input, compliance requirements, and industry probability of exploitation are all considerations when classifying the risk of threats and vulnerabilities. Based on these considerations for the midsize government contracting group, further clarify the vulnerabilities you have itemized. Explain why each is a vulnerability, as well as why that particular vulnerability is relevant to the overall assessment. Consider continuous monitoring issues as you work through the classification. Use the threat and vulnerability explanations from the previous step and risk classifications from this step to develop the threats and vulnerabilities report.

In the next step, you will prioritize the threats and vulnerabilities you have explained and classified.

Step 6: Prioritize Threats and Vulnerabilities

Now that you have explained and classified the threats and vulnerabilities, you will prioritize them using a reasonable approach as explained in the project plan. As you prioritize the identified threats and vulnerabilities, you will need to:

  • include both internal and external sources

  • consider assessment of exposure to outages

  • consider information resource valuation

  • indicate which approach you are using and justify your choice

Use this information, along with the threat and vulnerability explanations and risk classifications from the previous steps, to develop the threats and vulnerabilities report.

Compose a two- to three-page report regarding specific threats and vulnerabilities of the technical aspects of the environment. This report will be used in the final vulnerability assessment report. 

Submit the threats and vulnerabilities report for feedback. Next, you will take a closer look at network analysis tools.

Step 7: Analyze Network Analysis Tools

Now that you have finished the threats and vulnerabilities report, you will analyze how network analysis tools are employed to identify vulnerabilities. Earlier in the project, as you developed the comprehensive project plan, you should have read about tools and techniques available for vulnerability assessment activities. Research the tools relevant to the project plan and provide a cogent analysis of which tool or tools to recommend for this project. Consider threat remediation and make special note of tools used to identify software communications vulnerabilities.

Include the findings in a one- to two-page report, including a justification of your decision based on peer-reviewed reference materials cited in APA format. This report will be used in the final vulnerability assessment report.

Submit the network analysis tools report for feedback. In the next step, you will assess vulnerabilities.

Step 8: Assess Vulnerabilities

So far, you have considered the scope of work to complete a vulnerability assessment for the organization; created a comprehensive work breakdown structure; explained, classified, and prioritized threats and vulnerabilities; and chosen the network analysis tools to be used. It is finally time to assess vulnerabilities.

Using the Vulnerability Assessment Matrix template, complete the vulnerability assessment for your organization. This matrix will serve as Appendix B of the final vulnerability assessment report.

Submit the matrix for feedback. Next, you will record "lessons learned" as a conclusion to be used in the final report.

Step 9: Review and Record Findings 

After completing the vulnerability assessment in the previous step, you should now take time to review and consider your findings. Review the work you have completed and the feedback that you have received. Record any lessons that you have learned that may be beneficial in the future.

Issues that may be addressed include whether nontechnical factors should be considered during the vulnerability assessment, the point at which the assessment is complete, next steps, and any other issues that you noticed throughout. Record your notes thoroughly, as they will be the basis for the "lessons learned" report completed in the next step.

Step 10: Write Lessons Learned Report

Based on the work done and research accomplished, consider what you have learned so far. Build upon the findings recorded in the previous step to write a lessons learned report. 

Is a vulnerability assessment a technical undertaking only, or should it consider other factors? When is the assessment complete? What are the "next steps" based on your assessment? These are some examples of issues that should be addressed. This report will serve as the conclusion of the final report. 

Submit a two- to three-page report of lessons learned for feedback. Once this reflection is complete, you will be ready to compile the overall vulnerability assessment report. In the next step, you will revise your findings as necessary.

Step 11: Review and Revise Report Sections

Now that you have completed all the major sections of the vulnerability assessment, it is time to prepare the individual sections of the final report. Review the feedback from the SoW, Work Breakdown Structure, Threats and Vulnerabilities Report, Network Analysis Tools Report, Vulnerability Assessment, and Lessons Learned Report. Make any appropriate revisions to incorporate the received feedback. Compile the findings in preparation to submit the final report.

Once the revisions are complete, the final report is ready to submit in the last step.

Step 12: Write Overview and Compile Final Vulnerability Assessment Report

You have reached the final step. Use the Final Vulnerability Assessment Report template in preparing the final report. In APA style, write an overview and compile all the sections prepared throughout the project into a report according to the template. Since this report will be delivered to Maria and other top executives, tailor your writing to the appropriate audience. Be sure that coherent paragraphs or points are developed so that each is internally unified, functioning as part of the whole document.

When you are finished, submit the final report.