
Thread: Formal Security proposal

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    220

    Formal Security proposal

    So I'm doing a network security audit for my grad project, and I was wondering if anyone knows any templates or examples of a formal security proposal. Like what I plan to do and how and such. Or maybe contact info for someone who does? Any help would be appreciated.
    And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Well, what do you plan on proposing? What kind of security? Physical? Digital? Both? Social engineering attempts? Is this a pen test, or just a "textbook" type audit where in theory things should be right? Are you doing only network equipment or the computers on the network? What type of place are you auditing? The type of business will greatly determine how you submit a proposal.

    Regardless, you will need to state what you want to do, why you want to do it, and why it will benefit the person you are doing it for. Include costs, downtime, risk analysis.

    Templates for this type of thing are not that good because they go on such a case by case basis.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi


    I may be a bit too business oriented, but my first thought after quick-reading your post was CobIT[1]. I realise it may be "overkill" for your grad project, but at least it gives you a starting point. Here, I try to give you a list of keywords with which you can continue. I'd be happy to learn more myself.


    CobIT has been developed by ISACA (Guidelines[2]) as a "generally applicable and accepted standard for good Information Technology security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners." CobIT takes care of a huge variety of standards, including qualification criteria like NIST, ITSEC[3a], Common Criteria[3b], AS7799.2[4], SPICE (ISO 15504), ... and provides an integral framework for auditing.


    Furthermore, take a look at ISO/IEC 17799[5], which will provide you with some kind of a checklist. It is a code of practice. ITIL[6] also comes to mind. For the combination of CobIT, ITIL and ISO 17799, check this PWC overview[7].


    /edit: In case I misunderstood your request: have a look at the SANS audit policy template[8].


    Cheers



    [1] http://www.isaca.org/Template.cfm?Se...ContentID=7981
    [2] http://www.isaca.org/Template.cfm?Se...ontentID=13742
    [3a] http://www.itsec.gov.uk
    [3b] http://csrc.nist.gov/cc
    [4] http://www.bridgepoint.com.au/Documents/7799paper.pdf
    [5] http://praxiom.com/iso-17799-audit.htm
    [6] http://www.ogc.gov.uk/index.asp?id=2261
    [7] http://www.itsmf.org.za/Presentation...d%20BS7799.pdf
    [8] http://www.sans.org/resources/policies/Audit_Policy.pdf
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by XTC46
    > Well, what do you plan on proposing? What kind of security? Physical? Digital? Both? Social engineering attempts? Is this a pen test, or just a "textbook" type audit where in theory things should be right? Are you doing only network equipment or the computers on the network? What type of place are you auditing? The type of business will greatly determine how you submit a proposal.
    >
    > Regardless, you will need to state what you want to do, why you want to do it, and why it will benefit the person you are doing it for. Include costs, downtime, risk analysis.
    >
    > Templates for this type of thing are not that good because they go on such a case by case basis.

    XTC46 has asked all the right questions. I'll disagree with his last statement, but I think it may be a matter of semantics...

    You are asking for help with a template for the proposal, correct? Easily done. However, we do need the info he is asking about. In a business relationship, this proposal would be considered a formal proposal for services rendered, normally. It could be a contract, or simply the policy & procedure document that is referred to in the contract. Regardless, it should identify both parties, a statement of intent, a description (and link?) of any and all tools that may be used during any physical or digital assessments, and some guidelines on what will and will not be done (i.e. the boundaries...a good example of this is "...we will pursue and attempt to confirm any vulnerabilities up to but excluding actually exploiting the weakness.")

    Consider the following Table Of Contents from just such a proposal. I've scrubbed the info, and due to client confidentiality I can not disclose anything else from this document, but this might help you form up something for your project.

    1.0 GENERAL INFORMATION
    1.1 BACKGROUND & OBJECTIVES
    1.2 SERVICE OVERVIEW
    1.3 KEY BUSINESS AND TECHNICAL CONTACTS
    2.0 SERVICE DESCRIPTION
    2.1 SCOPE OF ACTIVITY
    2.2 COORDINATION, PLANNING, & PROJECT INITIATION MEETING
    2.3 SERVICE COMPONENT OR MAJOR ACTIVITY
    3.0 SCHEDULE
    3.1 PERIOD OF PERFORMANCE
    3.2 PROJECT CHANGE CONTROL
    4.0 SERVICE DELIVERABLES
    4.1 DESCRIPTION
    4.2 ACCEPTANCE OF DELIVERABLES
    5.0 ASSUMPTIONS
    6.0 COST
    6.1 FIRM FIXED PRICE COST FOR SERVICES
    6.2 TRAVEL AND EXPENSE REIMBURSEMENT
    7.0 SIGNATURES
    APPENDIX A PROJECT COMPLETION FORM
    APPENDIX B TERMS AND CONDITIONS

    Yikes. That is a lot...but I think it should help you decide what format and content you want in your project paper. Keep in mind that these proposals are what we laughingly refer to as the 'Get Out of Jail Free Pass'. This is the legal document that will Save Your Ass(C) if you are accused of malicious hacking. *IF* it's done right, and signed/documented by all parties. It goes without saying that this contract (we use this as a contract itself) goes through Legal before it's even presented to the client.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    It may also be of benefit for you to see the other side of the equation: what a potential client may use to select an auditor.

    Note, it is a Word Document.
    From Here: http://www.foundstone.com/services/F...P_Template.doc
    Using this Request for Proposal Template

    Foundstone has developed this Request For Proposal (“RFP”) template to help organizations identify and select a quality security vendor to perform professional services work. It also lists questions organizations should consider asking potential vendors to ensure that a thorough and comprehensive approach to the project will be taken. This template should apply in a variety of security-related situations including:
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    220
    I plan on looking at both digital and physical security as well as a small amount of social engineering. I plan on doing pen-testing on a small ISP. I'll be doing this on both the computers in the office and the network equipment. Thanks for the help.
    And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

  7. #7
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    > Templates for this type of thing are not that good because they go on such a case by case basis.

    Sorry, I meant taking someone else's template wouldn't be that great because what you're auditing may have nothing to do with what they were auditing. Not that creating a template is a bad idea. Poor wording, sorry.

    And is this going to be just the proposal for the work, or are you including the final contract as to what is going to be done, and the results? If so you need to take A LOT of things into consideration, such as what's acceptable and what to do with found information. During pentesting you are no doubt going to come across some "sensitive" information. Make sure you have all the NDAs signed by you and your team. Also, check who is allowed to see the results of the test, who you report to, who should know you are doing the tests. Things along these lines.

    Kevin Mitnick's new book "The Art of Intrusion" actually goes into this type of stuff fairly well.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com
