Step 3: Develop a Comprehensive Work Breakdown Structure (WBS)
In the previous step, the SoW report conveyed a brief overview of the organization’s critical aspects and a list of the organization’s security needs. Now, you are ready to develop a comprehensive work breakdown structure (WBS).
This breakdown provides more detail, so you will need to devise examples of procedures you might recommend to your organization. Some examples include a penetration test, baseline analysis, or system logging. Note, for use later in the project, the tools and techniques to use in conducting a vulnerability assessment.
Using a spreadsheet, create the comprehensive work breakdown structure, including key elements that must be tested and analyzed. Organize the spreadsheet using the elements identified in the SoW from the previous steps and the following:
- internal threats: personnel, policies, procedures
- external threats: systems, connectivity, databases
- existing security measures: software, hardware, telecommunications, cloud resources
- compliance requirements: legal aspects (federal, state, and local), contractual demands up and down the supply chain
Note the security threats and vulnerabilities. This plan will serve as the second section of the final vulnerability assessment report.
Submit the comprehensive work breakdown structure for feedback.
Step 4: Explain Security Threats and Vulnerabilities
In the previous step, you developed a comprehensive work breakdown structure. In this step, you will explain the security threats and vulnerabilities included in the plan. In the explanations, consider relevant concepts such as the threat modeling process and third-party outsourcing issues. Include system and application security threats and vulnerabilities.
Reference aspects that are not being included. Note that you would need to obtain management agreement with the initial analysis of mission-critical components to be included in the assessment. This phase includes management input into the prioritization process of all risks from internal and external sources.
This information will be used in the following steps to develop the threats and vulnerabilities report, which will then be included in the Final Vulnerability Assessment Report.
Next, you will classify the risk of threats and vulnerabilities.
Step 5: Classify the Risk of Threats and Vulnerabilities
Throughout this project, you have developed a foundation for the vulnerability and threat assessment by classifying critical organizational aspects, creating a scope of work, and explaining security threats and vulnerabilities. Now, you are ready to classify the organization’s risk according to the relevant data determined in the project plan.
Company demands, management input, compliance requirements, and industry probability of exploitation are all considerations when classifying the risk of threats and vulnerabilities. Based on these considerations for the midsize government contracting group, further clarify the vulnerabilities and threats you have itemized. Explain why each is a vulnerability or threat, as well as why it is relevant to the overall assessment.
Consider continuous monitoring issues as you work through the classification. Use the threat and vulnerability explanations from the previous step and risk classifications from this step to develop the threats and vulnerabilities report.
In the next step, you will prioritize the threats and vulnerabilities you have explained and classified.
Step 6: Prioritize Threats and Vulnerabilities
Now that you have explained and classified the threats and vulnerabilities, you will prioritize them using a reasonable approach as explained in the project plan. As you prioritize the identified threats and vulnerabilities, you will need to:
- include both internal and external sources of threats
- consider assessment of exposure to outages
- consider information resource valuation
- indicate which approach you are using and justify your choice
Use this information, along with the threat and vulnerability explanations and risk classifications from the previous steps, to develop the threats and vulnerabilities report.
Compose a two- to three-page report regarding specific threats and vulnerabilities of the technical aspects of the environment. This report will be used in the final vulnerability and threat assessment report.
Submit the threats and vulnerabilities report for feedback.
This should be two separate files: one for step 3 and one for step 6 (follow steps 4-6 in order to complete step 6). Each file should have a title page and a reference page. For the spreadsheet, you can use Word to create it.