TABLE OF CONTENTS In this chapter, we provide the framework for creating a general Information Technology (IT) security project as part of your overall corporate IT security project plan strategy. As with all of the individual security area projects (ISAPs) discussed in this book, this is intended to be a template to use as a starting point. You might be wondering what a general IT security project plan consists of. In this chapter, we ll discuss the security assessment and auditing function in great detail. Most corporate IT security plans start with a thorough assessment so that the problem statement can be developed. As discussed in Chapter 9, you might perform your assessment as one of the major objectives of your corporate project, or you might implement the assessment as a separate project whose results feed into your corporate IT security project plan. Either way, your planning begins with an assessment, which is covered in detail here. We also look at access control, authentication, and attacks, and how to build a project plan that addresses these core areas.
For the purposes of this chapter, let s define assessment as the act of testing network security to determine the strength of current security measures. Furthermore, let s define auditing as the act of examining, recording, and evaluating security configurations. Clearly these two activities should work in tandem. If all you do is run some tests against your network, you ve performed an assessment that might yield important information. However, if your test...
