Contents
Introduction
0.1 Purpose
1.0 Definition
1.1 Summary
1.2 Project stakeholders
1.3 In scope
1.4 Out of scope
1.5 Pre-requisites
1.6 Assumptions
2.0 Project Deliverables
2.1 Management Deliverables
Define Phase
Requirements Phase
Design Phase
Configure Phase
Verify Phase
2.2 Acceptance Criteria
3.0 Project Team
4.0 Milestones
4.1 Design
4.2 Implementation
4.3 Testing
4.4 Deployment
5.0 Project Cost
6.0 Quality Control
7. Risk Management Plan
7.1 Approach
7.2 Risk Log
8. Project Controls
8.1 Monitoring Progress and Reporting
8.2 End Stage Reviews
8.3 Exception Conditions
8.4 Actions
8.5 Time Recording
8.6 Issue Management
8.7 Change Control
8.8 Project Closure
9. Communication Plan
10. Configuration Management Plan
10.1 Document Repository
10.2 Document Control
10.3 Document Standards
Introduction
0.1 Purpose
This document is the Project Charter document for the Wireless Security Project implementation.
The purpose of this document is to define the following aspects of the project:
- The scope of the project in terms of the businesses and users to be covered
- The objectives of the project
- The deliverables which will be produced by the project and the quality criteria which will support these deliverables
- The roles and responsibilities of project staff
- The reporting structure for the project, including the management structure which will be established
- The project governance processes which will be followed
- The outline time-scale and plan against which the project will be measured and managed
1.0 Definition
1.1 Summary
Problem outline
The company has a wireless network in place for internal use. We also have business guests and contractors who use our wireless network to check e-mail and log into the company's network for various purposes. As we have never had a formal security model and policy for our wireless security, we do not know our level of exposure and we have little or no security measures in place.
Expected Outcome
We will assess all the risks our wireless networks are exposed to. We will design and implement adequate security measures on all 802.11 and 802.1x networks and devices in the company. Moreover, we will create new operating procedures and acceptable use policies, and provide training to project stakeholders to support this higher level of wireless security.
1.2 Project stakeholders
- Financial sponsors
  - Provide the necessary funding for the project
- Legal Department
  - Provide legal guidelines on compliance with local laws and regulations regarding wireless networking
  - Provide legal guidelines on local privacy laws
- Information Security Office
  - Conduct the risk assessment
  - Devise an acceptable security model for the wireless network
  - Evaluate and select the security products (hardware/software) necessary for the project
  - New wireless network security testing and sign off
- Information Technology Department
  - Implementation and testing of the new wireless network system
  - Prepare training for users; devise the roll out plans
- All employees
  - Accommodate their business operations to the new environment
  - Must be compliant with the acceptable use policy
- Contractors and business guests
  - Must agree to and comply with the new acceptable use policy
1.3 In scope
The following high-level activities, user types, systems and processes are understood to be within the scope of this project. The following in-scope elements will be delivered:
- Project management
- Conduct risk assessment on the company’s current 802.11/ 802.1X networks and devices
- Design appropriate security model and policy to secure the wireless networks, without being in conflict with company’s business model
- Coordinate with legal department to ensure compliance to local laws and regulations
- Installation and configuration of the existing hardware and new hardware concerning wireless security
- Perform system testing
- Prepare operational and configuration documentation
- Prepare new IT and user acceptance policy
- Prepare tutorial for IT department and users on the new wireless security system
- Devise communication plans to provide advance notifications on the implementation of new wireless network design to all stakeholders
1.4 Out of scope
The following activities are considered out of scope for this project:
- Wireless devices that are not running 802.11 or 802.1X, for example any Bluetooth devices, wireless input devices, RFID, BlackBerry servers, wireless intercoms, etc.
- General network security, such as security for servers, traffic encryption on the wired network, etc.
- Upgrading the current wireless technology in use
- Improving the performance of the current wireless network
- Providing a long-term technical support plan for the new wireless security systems
- Maintenance and updating of the wireless security systems
1.5 Pre-requisites
The following must be in place before the project can commence:
- Detailed and signed statement of work (SOW)
- Agreement on the acceptable outcome of the project
- Agreement on project milestones and deliverables
- Agreement on the acceptable level of impact on business operations
- Assigned work area and workstations for the project team
- Assigned financial resources for the project
- Legal Guidelines are provided by the Legal department on the local laws and regulations concerning the project
- All stakeholders, from management to all employees, are notified about the project and the inconsistencies it might bring to business operations
1.6 Assumptions
The following assumptions are made:
- Project initiation has been approved by the management
- Project funding has been approved by the finance department
- Teams have been assembled and resources are allocated for risk assessment
- Security standards have been agreed upon
- Legal Guidelines for the project have been provided
- Financial resources are already allocated
- Full upper management support
- The acceptance period of Critical path deliverables will be incorporated into the project plan
2.0 Project Deliverables
This section is a high-level view of the overall project. Each Deliverable is listed, together with a Work Breakdown Structure (WBS) reference and a statement as to whether formal acceptance is required for that Deliverable. If a payment milestone has been agreed against acceptance of a Deliverable, then that is also shown.
The Deliverables for each project phase are described in detail below:
2.1 Management Deliverables
Define Phase
The project team shall deliver the following items as a result of the activities for this Phase. Completion of these deliverables constitutes completion of this Phase. Deliverables shall be accepted according to mutually agreed acceptance criteria.
- Document: Project Initiation Document that defines the scope and objectives of the project. It includes an outline of the timescale and plan and is used as a baseline for change control.
- Document: Deliverable Acceptance Form that lists completed activities within the Define Phase.
Requirements Phase
The project team shall deliver the following items as a result of the activities for this Phase. Completion of these deliverables constitutes completion of this Phase. Deliverables shall be accepted according to mutually agreed acceptance criteria.
Event: Risk assessment. A risk assessment is conducted on the company's wireless networks.
Document: Requirements Definition. This document includes all requirements for the project, such as the results of the risk assessment, the acceptable level of wireless security, and the set limits on the impact on business operations.
Document: Network Architecture Specification. This document identifies the best-fit architectural solution concept including descriptions of hardware, software, and network components.
Document: Project Plan. This document, which provides detailed tasks, milestones and schedule for this SOW is made the baseline for the project. Changes to this Project Plan after it is accepted shall follow the Change Control process described hereinafter.
Document: Deliverable Acceptance Form that lists completed activities.
Design Phase
The project team shall deliver the following items as a result of the activities for this Phase. Completion of these deliverables constitutes completion of this Phase. Deliverables shall be accepted according to mutually agreed acceptance criteria.
Document: Design & Implementation Specifications that fully describe the design of the security model and the specification for the implementation of the new hardware/software security measures. This technical document contains sufficient detail to rebuild the current wireless network security.
Document: Revised Project Plan. This document, which was created during the Requirements activity, is updated to reflect any changes to the scope found in Design. Changes to this Project Plan after it is accepted shall follow the Change Control process described hereinafter.
Document: Deliverable Acceptance Form that lists completed activities.
Configure Phase
The project team shall deliver the following items as a result of the activities for this Phase. Completion of these deliverables constitutes completion of this Phase. Deliverables shall be accepted according to mutually agreed acceptance criteria.
All deliverables in this activity shall be completed in the development and test environments only.
Installation: Installed new hardware and software for the new wireless security measures on the development and test environments.
Configuration: Configure all hardware and software on the wireless network to comply with the new wireless security specifications.
Guidance: Prepared necessary documentation for the IT department.
Document: Deliverable Acceptance Form that lists completed activities.
Verify Phase
The project team shall deliver the following items as a result of the activities for this Phase. Completion of these deliverables constitutes completion of this Phase. Deliverables shall be accepted according to mutually agreed acceptance criteria.
Event: The wireless networks are tested to ensure they meet all specifications as described in the Requirements Definition and Design & Implementation Specifications.
Guidance: Documentation for the IT department, including but not limited to the new wireless IT security policy and the new specifications and configurations of hardware and software in the wireless network.
Configuration: Resolution for Acceptance Test problems in the implementation and configuration.
Guidance: Advice on Deployment Plan.
Document: Deliverable Acceptance Form that lists completed activities.
2.2 Acceptance Criteria
- All project deliverables must be approved by project manager
- User Acceptance Tests are successfully completed
- Penetration test results show the network is secure against approximately 80% of commonly known attacks (100% being military-grade security)
- Project is at or under allotted project budget
- Project has not exceeded the allotted time period for its implementation
- Stakeholders and sponsors are pleased with the final deliverable of the project
- Wireless security protocol has been implemented and tested
- Two-factor authentication method has been implemented and tested
3.0 Project Team
The following outlines the implementation team roles and responsibilities.
3.1 Project Manager
- Responsible for change control processes
- Setup milestones
- Oversee the success of the project
3.2 Information Security Officer / Technical Leader
- Conduct risk assessment
- Security policy model
- Lead test team
3.3 System Administrator
- Review and update policies
- Work with the Information Security Officer
- Purchase software
- Purchase hardware
3.4 Testers / Trainers
- Conduct test on network for security issues
- Aid in the risk assessment
- Train users and IT departments on new policies and the new network model
4.0 Milestones
Each milestone will be bolded and will dictate a time at which the development team and the project team must hold a quick meeting to verify the contents and contributions of each member of the team and for the project manager to gauge the overall progress being made.
4.1 Design
- Preliminary analysis of Risk on company’s 802.11/802.11x networks and nodes.
- Co-ordinate with legal departments to draft acceptable company standards for new product
- Determine boundaries of company systems
- Establish Workshops and company training programs for remediation of security principles
- Compare requirements to vendor software.
- Decide on the vendor application suite for company-wide use.
- Decision to define and adjust timeline, scope and funds required to deploy web encryption over existing applications
- Team must plan maintenance window during a non-work period, to avoid interference with day to day operations.
4.2 Implementation
- Acquire Wireless Security apparatus.
- Acquire third-party wireless security products
- Program and design basic wireless controls.
- Deploy new wireless security software to a test network
- Team must configure and update servers to operate in accordance with new software
- Rule out dependencies and compatibility issues.
- Deploy and configure to gateways and test servers, synchronize gateway whitelists with input from employee interfaces to ensure autonomous departments have full access to needed resources
4.3 Testing
- Team must use multiple platforms and approaches to determine the possibility to breach the web filter
- Team must review company policies and ensure that new software is in compliance
- Team must review state/regulatory/federal laws and ensure that new software is in compliance
- Team must ensure new software is not resource-intensive
- Team must ensure that new software is compatible with all Operating systems employed in current network as well as server hardware as it is currently being run.
- Operational analysis testing for all current 802.11/802.11x systems
- System benchmark comparisons before and after to determine the impact on network bandwidth and performance
- System benchmark comparison before and after to determine increase or decrease in rate of collisions or mishandling of packets
- Form debugging and issues log for error tracking databases.
4.4 Deployment
- Draft new policies regarding secure communications over intra-corporate systems
- Send a mass work e-mail to inform all users of the system of a future maintenance window.
- Create backups of the old image; verify the operation of the old images
- Roll out updated images to users and servers
- Check for complete compatibility and troubleshoot where necessary
- Sign the project over to the DAA and inform the Chief Information Officer as well as applicable stakeholders of the new changes
- Lift maintenance window, return to full usability.
4.5 Work Break Down Structure
Task / Time Allotted / Slack Allotted / Persons Responsible
Preliminary analysis of Risk / 7 Days / 3 Days / Entire Team
Determine Scope and Boundaries / 1 Day / 0 Days / Lewis N.
Vendor Comparison / 1 Day / 0 Days / Entire Team
Redefine Scope As Needed / 1 Day / 0 Days / Rob F.
Acquire Resource / 2 Days / 1 Day / Richard L.
Design Controls / 2 Days / 1 Day / Lewis Ng.
Dependencies Control / 1 Day / 0 Days / Dave
Deploy To Test / 3 Days / 2 Days / Stephen Lepage
Testing Phases / 12 Days / 4 Days / Entire Team
Form Debugging and Tracking / 1 Day / 2 Days / Richard L.
New Policies Draft / 1 Day / 0 Days / Rob F.
Inform Stakeholders, Create Backups / 2 Days / 0 Days / Rob F.
Rollout Images To Users / 1 Day / 0 Days / Lewis Ng.
Backup and Verify / 2 Days / 1 Day / Richard L.
Signoff / 1 Day / 0 Days / Entire Team
Lift Maintenance Window
5.0 Project Cost
The following outlines the costs and a cost benefit analysis for the entire project.
5.1 Risk Assessment Cost
Item / Units / Cost / Extended Cost
Laptop / 1 / $900.00 / $900.00
WinSniffer / 1 / $45.00 / $45.00
L0phtCrack 6 Consulting / 1 / $1,195.00 / $1,195.00
AirMagnet WiFi Analyzer Pro / 1 / $3,000.00 / $3,000.00
AirMagnet 802.11 a/b/g/n Wireless PC card / 1 / $300.00 / $300.00
LanGuard / 1 / $320.00 / $320.00
Labour (team of 2 @ $40/hr) / 40 / $80.00 / $3,200.00
NetStumbler / 1 / $0.00 / $0.00
Kismet / 1 / $0.00 / $0.00
Ettercap / 1 / $0.00 / $0.00
LANBrowser / 1 / $0.00 / $0.00
Ethereal / 1 / $0.00 / $0.00
TOTAL / $8,960.00
5.2 Internal Cost For Security Implementation
Item / Units / Cost / Extended Cost
Training / 160 / $40.00 / $6,400.00
Compliance / Legal consultation / 1 / $2,000.00 / $2,000.00
Implementation and Design / 160 / $40.00 / $6,400.00
TOTAL / $14,800.00
5.3 Cost Breakdown
- Total Purchasing Costs: $7,760.00
- Total Labour Costs: $16,000.00
- Total Cost: $23,760.00
5.4 Cost-Benefit Analysis
The greatest cost is labour; however, these intangible costs are already incurred in our payroll. The greatest benefit is the sense of reliability of our wireless network. A secure wireless network will improve our standing in the industry through industry standard compliance.
Benefits:
- Improved relations with partners, contractors and clients
- Safeguarding sensitive data and intellectual property
- Recovering from an attack would consume more labour and cost more
- Most software to conduct a risk assessment is free
- Network performance increases with fewer attacks
6.0 Quality Control
6.1 Quality Criteria
- Increase the level of security so only employees can access the wireless network
- Increase confidentiality of data so packets cannot be read if intercepted.
6.2 Testing
- When the prerequisite decisions on architecture have been made, testing will begin.
- Any hardware needed will be purchased on evaluation terms from the manufacturer
- The goal of testing is to reduce the load of troubleshooting that occurs upon implementation
- Testing period must not exceed the time allotted.
6.3 Test Environment
- Project Manager will give permission to deploy the test environment
- Test environment will resemble final deliverable except in scale/scope
- Test environment should be inaccessible to normal employees or outside users (no SSID broadcast)
- Test environment should be as physically isolated as possible to eliminate variables
- IT security team will configure test environment according to the previous deliverable plans
6.4 Penetration Testing
- Penetration testing team will be contracted to audit the security of the wireless network
- Reports should be created by the audit team regarding the physical security, wireless security protocol (WEP, WPA), and best security practices (non-default naming)
- Changes according to the audit should be implemented and tested for bugs
6.5 Authentication
- Test different authentication methods (swipe cards, tokens, one-time passwords)
- Decide which best meets company’s needs
- Must remain under the same budget as the rest of the project
7. Risk Management Plan
7.1 Approach
The approach to managing risk is defined by the following steps:
- Identify the Risk.
The Project Manager will provide the most appropriate method for risk analysis.
- Analyze the Risk.
Each risk identified shall be analyzed for its potential impact on the project
A Risk Assessment shall be completed for each risk entered directly into the Project Risk Log
- Decide on the most appropriate mitigation strategies:
There are several courses of action that can be taken to mitigate Risks:
Prevent the Risk by assuming it will happen, and providing for the full impact in the project plan