Project Initiation Charter

Page | 1

Contents

Introduction

0.1Purpose

1.0Definition

1.1 Summary

1.2Project stakeholders

1.3In scope

1.4Out of scope

1.5Pre-requisites

1.6Assumptions

2.0 Project Deliverables

2.1Management Deliverables

Define Phase

Requirements Phase

Design Phase

Configure Phase

Verify Phase

2.2 Acceptance Criteria

3.0 Project Team

4.0 Milestones

4.1 Design

4.2 Implementation

4.3 Testing

4.4 Deployment

5.0 Project Cost

6.0 Quality Control

7. Risk Management Plan

7.1Approach

7.2Risk Log

8Project Controls

8.1Monitoring Progress and Reporting

8.2End Stage Reviews

8.3Exception Conditions

8.4Actions

8.5Time Recording

8.6Issue Management

8.7Change Control

8.8Project Closure

9.Communication Plan

10Configuration Management Plan

10.1Document Repository

10.2Document Control

10.3Document Standards

Introduction

0.1Purpose

This document is the Project Charter document for the Wireless Security Project implementation.

The purpose of this document is to define the following aspects of the project:

The scope of the project in terms of the businesses and users to be covered
The objectives of the project
The deliverables which will be produced by the project and the quality criteria which will support these deliverables
The roles and responsibilities of project staff
The reporting structure for the project, including the management structure which will be established
The project governance processes which will be followed
The outline time-scale and plan against which the project will be measured and managed

1.0Definition

1.1 Summary

Problem outline

The company has a wireless network in place for internal uses. We also have business guests and contractors who utilize our wireless network to check e-mails and log into the company’s network for various purposes. As we have never have a formal security model and policy for our wireless security, we do not know our level of exposure and we have little or no security measures in place.

Expected Outcome

We will assess all the risks our wireless networks are exposed to. We will design and implement adequate security measures on all 802.11 and 802.1x networks and devices in the company. Moreover, we will create new operating procedures, acceptable uses polices and provide trainings to project stakeholders to support this higher level of wireless security

1.2Project stakeholders

Financial sponsors
provide the necessary funding for the project

Legal Department

provide legal guidelines on compliance of local laws and regulations regarding wireless networking.
Provide legal guidelines on local privacy laws

Information Security Office –

Conduct the risk assessment
Devise a acceptable security model for the wireless network;
Evaluate and select the security products (hardware/software) necessary for the project;
New wireless network security testing and sign off

Information Technology Department

Implementation and testing of the new wireless network system
Prepare training for users; devise the roll out plans

All employees

Accommodate their business operations to new environment.
Must be compliant with the acceptable use policy.

Contractors and business guest –

must be agreed and compliant with the new acceptable use policy

1.3In scope

The following high-level activities, user types, systems and processes are understood to be within the scope of this project. The following in scope elements will be delivered

Project management
Conduct risk assessment on the company’s current 802.11/ 802.1X networks and devices
Design appropriate security model and policy to secure the wireless networks, without being in conflict with company’s business model
Coordinate with legal department to ensure compliance to local laws and regulations
Installation and configuration of the existing hardware and new hardware concerning wireless security
Perform system testing
Prepare operational and configuration documentations
Prepare new IT and users acceptance policy
Prepare tutorial for IT department and users on the new wireless security system
Devise communication plans to provide advance notifications on the implementation of new wireless network design to all stakeholders

1.4Out of scope

The following activities are considered out of scope for this:

Wireless devices that are not running 802.11 or 802.1X. For example, any Bluetooth devices, wireless input devices, RFID, black berries servers, wireless inter-comm etc
General network security such as security for servers, traffic encryption on wired network etc
Upgrading current wireless technology in use
Improve the performance of current wireless network
Provide long term technical support plan for new wireless security systems
Maintenance and updating of the wireless security systems

1.5Pre-requisites

The following must be in place before the project can commence:

Detailed and signed statement of work (SOW)
Agreed upon the acceptable outcome of the project
Agreed upon project milestones and deliverables
Agreed upon the acceptable level of impact on business operations
Assigned work area and workstations for the project team
Assigned financial resources for the project
Legal Guidelines are provided by the Legal department on the local laws and regulations concerning the project
All stakeholders, from management to all employees, are notified about the project and the inconsistencies it might bring to business operations

1.6Assumptions

The following assumptions are made:

Project initiation has been approved by the management
Project funding has been approved by the finance department
Teams has been assembled and resources are allocated for risk assessment
Security standards have been agreed upon
Legal Guidelines for the project has been provided
Financial resources are already allocated
Full upper management support
The acceptance period of Critical path deliverables will be incorporated into the project plan

2.0 Project Deliverables

This section is a high level view of the overall project. Each Deliverable is listed, together with a Work Breakdown Structure (WBS) reference and a statement as to whether formal acceptance is required for that Deliverable. If a payment milestone has been agreed, against acceptance of a Deliverable, then that is also shown.

Detailed descriptions for each project phase Deliverable defined are described below:

2.1Management Deliverables

Define Phase

The project team shall deliver the following items as a result of the activities for this Phase. Completion of these deliverables constitutes completion of this Phase. Deliverables shall be accepted according to mutually agreed acceptance criteria.

Document: Project Initiation Document that defines the scope and objectives of the project. It includes an outline of the timescale and plan and is used as a baseline for change control.
Document: Deliverable Acceptance Form that lists completed activities within the Define Phase.

Requirements Phase

Event: Risk assessment. Risk assessment is conducted on the company’s wireless networks

Document: Requirements Definition. This document includes all requirements for the projects, such as result of the risk assessment, acceptable level of wireless security, set limitation of the impact on business operation.

Document: Network Architecture Specification. This document identifies the best-fit architectural solution concept including descriptions of hardware, software, and network components.

Document: Project Plan. This document, which provides detailed tasks, milestones and schedule for this SOW is made the baseline for the project. Changes to this Project Plan after it is accepted shall follow the Change Control process described hereinafter.

Document: Deliverable Acceptance Form that lists completed activities.

Design Phase

Document: Design & Implementation Specifications that fully describes the design of the security model and the specification for the implementation of the new hardware/software security measures . This technical document contains sufficient detail to rebuild the current wireless network security.

Document: Revised Project Plan. This document, which was created during the Requirements activity, is updated to reflect any changes to the scope found in Design. Changes to this Project Plan after it is accepted shall follow the Change Control process described hereinafter.

Document: Deliverable Acceptance Form that lists completed activities.

Configure Phase

All deliverables in this activity shall be completed in the development and test environments only.

Installation: Installed new hardware and software for the new wireless security measures on the development and test environments

Configuration: Configure all hardware and software on the wireless network to compliant with the new wireless security specifications.

Guidance: Prepared necessary documentation for the IT department.

Document: Deliverable Acceptance Form that lists completed activities.

Verify Phase

Event: The wireless networks are tested to ensure they meet all specifications as described in the Requirements Definition and Design & Implementation Specifications.

Guidance: Documentations for IT department, including but not limited to the new wireless IT security policy, new specifications and configurations of hardware and software in the wireless network.

Configuration: Resolution for Acceptance Test problems in the implementation and configuration.

Guidance: Advice on Deployment Plan.

Document: Deliverable Acceptance Form that lists completed activities.

2.2 Acceptance Criteria

All project deliverables must be approved by project manager
User Acceptance Tests are successfully completed
Penetration test results have a rating of approximately secure to 80% of commonly known attacks. (100% being military grade security)
Project is at or under allotted project budget
Project has not exceeded the allotted time period for its implementation
Stakeholders and sponsors are pleased with the final deliverable of the project
Wireless security protocol has been implemented and tested
Two-factor authentication method has been implemented and tested

3.0 Project Team

The following outlines the implementation team roles and responsibilities.

3.1 Project Manager

Responsible for change control processes
Setup milestones
Oversee the successfulness of project

3.2 Information Security Officer / Technical Leader

Conduct risk assessment
Security police model
Lead test team

3.3 System Administrator

Review and update policies
Work with Information security officer
Purchase software
Purchase hardware

3.4 Testers / Trainers

Conduct test on network for security issues
Aid in the risk assessment
Train users and IT departments on new policies and the new network model

4.0 Milestones

Each milestone will beBoldedand will dictate a time at which the development team and the project team must undergo a quick-meeting to verify the contents and contributions of each member of the team and for the project manager to gauge the overall progress being made.

4.1 Design

Preliminary analysis of Risk on company’s 802.11/802.11x networks and nodes.
Co-ordinate with legal departments to draft acceptable company standards for new product
Determine boundaries of company systems
Establish Workshops and company training programs for remediation of security principles
Compare requirements to vendor software.
Design on Vendor application suite to use for company wide use.
Decision to define and adjust timeline, scope and funds required to deploy web encryption over existing applications
Team must plan maintenance window during a non-work period, to avoid interference with day to day operations.

4.2 Implementation

Acquire Wireless Security apparatus.
Acquire third-party wireless security products
Program and design basic wireless controls.
Deploy new wireless security software to a test network
Team must configure and update servers to operate in accordance with new software
Rule out dependencies and compatibility issues.
Deploy and configure to gateways and test servers, synchronize gateway whitelists with input from employee interfaces to ensure autonomous departments have full access to needed resources

4.3 Testing

Team must use multiple platforms and approaches to determine the possibility to breach the web filter
Team must review company policies and ensure that new software is in compliance
Team must review state/regulatory/federal laws and ensure that new software is in compliance
Team must ensure new software is not resource-intensive
Team must ensure that new software is compatible with all Operating systems employed in current network as well as server hardware as it is currently being run.
Operational analysis testing for all current 802.11/802.11x systems
System benchmark comparisons before and after to determine the impact on network bandwidth and performance
System benchmark comparison before and after to determine increase or decrease in rate of collisions or mishandling of packets
Form debugging and issues log for error tracking databases.

4.4 Deployment

Draft new policies regarding secure communications over intra-corporate systems
Send mass-workmail to inform al l users of the system of a future work maintenance window.
Create backups of the old image; verify the operation of the old images
Roll-out updated mages to users and servers
Check for complete compatibility and troubleshoot where necessary
Signoff project over to DAA and inform Chief Information Officer as well as applicable stakeholders of new changes
Lift maintenance window, return to full usability.

4.5 Work Break Down Structure

Task / Time Alotted / Slack Alotted / Persons Respoonsible
Preliminary analysis of Risk / 7 Days / 3 Days / Entire Team
Determine Scope and Boundaries / 1 Day / 0 Days / Lewis N.
Vendor Comparison / 1 Day / 0 Days / Entire Team
Redefine Scope As needed / 1 Day / 0 days / Rob F.
Acquire Resource / 2 Days / 1 Days / Richard L.
Design Controls / 2 Days / 1 Days / Lewis Ng.
Dependancies Control / 1 Days / 0 Days / Dave
Deploy To Test / 3 Days / 2 Days / Stephen Lepage
Testing Phases / 12 Days / 4 Days / Entire Team
Form Debugging and Tracking / 1 Days / 2 Days / Richard L.
New Policies Draft / 1 Day / 0 Days / Rob F.
Inform Stakeholders, Create backups / 2 Days / 0 Days / Rob F.
Rollout Images To Users / 1 Days / 0 Days / Lewis Ng.
Backup and Verify / 2 Days / 1 Day / Richard L.
Signoff / 1 Day / 0 Day / Entire Team
Lift Maintenance Window

5.0 Project Cost

The following outlines the costs and a cost benefit analysis for the entire project.

5.1Risk Assessment Cost

Item / Units / Cost / Extended Cost
Laptop / 1 / $900.00 / $900.00
WinSniffer / 1 / $45.00 / $45.00
L0phtCrack 6 Consulting / 1 / $1,195.00 / $1,195.00
AirMagnetWiFi Analyzer Pro / 1 / $3,000.00 / $3,000.00
AirMagnet 802.11 a/b/g/n Wireless PC card / 1 / $300.00 / $300.00
LanGuard / 1 / $320.00 / $320.00
Labour (team of 2 @ $40/hr) / 40 / $80.00 / $3,200.00
NetStumbler / 1 / $0.00 / $0.00
Kismet / 1 / $0.00 / $0.00
Ettercap / 1 / $0.00 / $0.00
LANBrowser / 1 / $0.00 / $0.00
Etheral / 1 / $0.00 / $0.00
TOTAL / $8,960.00

5.2Internal CostFor Security Implementation

Item / Units / Cost / Extended Cost
Training / 160 / $40.00 / $6,400.00
Compliance / Legal consultation / 1 / $2,000.00 / $2,000.00
Imeplementation and Design / 160 / $40.00 / $6,400.00
TOTAL / $14,800.00

5.3Cost Breakdown

Total Purchasing Costs: 7,760.00
Total Labour Costs: $16,000.00
Total Cost: $23,760.00

5.4Cost-Benefit Analysis

The greatest cost is the labour, however these intangible costs are already incurred in our payroll. The greatest benefit is the sense of reliability of our wireless network. A secure wireless network will improve our standings in the industry through industry standard compliance.

Benefits:

Improved relations with partners, contractors and clients
Safeguarding sensitive data and intellectual property
Resources to recover from an attack will consume more labour and costs
Most software to conduct a risk assessment is free
Network performance increase with less attacks

6.0 Quality Control

6.1Quality Criteria

Increase the level of security so only employees can access the wireless network
Increase confidentiality of data so packets cannot be read if intercepted.

6.2Testing

When the prerequisite decisions on architecture have been made, testing will begin.
Any hardware needed will be purchased on evaluation terms from the manufacturer
The goal of testing is to reduce the load of troubleshooting that occurs upon implementation
Testing period must not exceed the time allotted.

6.3Test Environment

Project Manager will give permission to deploy the test environment
Test environment will resemble final deliverable except in scale/scope
Test environment should be inaccessible to normal employees or outside users (no SSID broadcast.)
Test environment should be as physically isolated as possible to eliminate variables
IT security team will configure test environment according to the previous deliverable plans

6.4Penetration Testing

Penetration testing team will be contracted to audit the security of the wireless network
Reports should be created by the audit team regarding the physical security, wireless security protocol (WEP, WPA), and best security practices (Non default naming)
Changes according to the audit should be implemented and tested for bugs

6.5Authentication

Test different authentication methods, (swipe cards, tokens, one-time passwords)
Decide which best meets company’s needs
Must remain under the same budget as the rest of the project

7. Risk Management Plan

7.1Approach

Approach to managing risk is defined by the following steps

Identify the Risk.

The Project Manager will provide the most appropriate method for risk analysis.

Analyze the Risk.

Each risk identified shall be analyzed for its potential impact on the project

A Risk Assessment shall be completed for each risk entered directly into the Project Risk Log

Decide on the most appropriate mitigation strategies:

There are several courses of action that can be taken to mitigate Risks:

Prevent the Risk by assuming it will happen, and providing for the full impact in the project plan