risk assessment and pen testing project charter


Uploaded by: iyad-ali

Posted on: 24-Sep-2015


DESCRIPTION

Project Goal
1. Perform Risk Assessment for a specific Solution (Hardware and Software) located in their client Data Center in Abu Dhabi.
2. Perform Information Systems Security Testing for the same Solution.

Project Objectives
SARA-IT has set the following objectives to achieve the above defined project goals:
1. Define and establish “The Scope” of the project.
2. Identify supporting assets that belong to the Scope defined above that is compliant with Was Removed IS Standards.
3. Assess Impact on defined Assets.
4. Identify Threats and Vulnerabilities, then identify Risks.
5. Perform Vulnerability Assessment then Penetration Testing after Defining Rules of Engagement.

TRANSCRIPT

Version 0.0
Date:

RISK ASSESSMENT AND PEN TESTING PROJECT CHARTER FOR WAS REMOVED

Confidential Document
Not to be circulated or reproduced without appropriate authorization

Document Control

Document Publication History
Document Prepared By: (SARA-IT)
Document Reviewed By: Iyad Abou Hawili (SARA-IT)
Document Approved By: Was removed
Effective Date: Was Removed

Document Revision History
Ver. | Date | Name | Role | Summary of Changes
1.0 | Was Removed | Iyad Abou Hawili | Consultant | Initial draft

Document Distribution List
# | Name | Department/Organization | Purpose
1. | Iyad Abou Hawili | SARA-IT | Review & Approval
2. | Was removed | | Review & Approval
3. | | |

Document Approval History
Ver. | Date | Name | Role | Comments
1.0 | SARA-IT | Was removed | |

Authorized Signatory (Printed Version)
Name | Date | Signature
For Was removed: | |
For SARA-IT: Iyad Abou Hawili | |


Abbreviation

IT: Information Technology
ISST: Information Systems Security Testing
IS: Information Security
RA: Risk Assessment
VA: Vulnerability Assessment
PT: Penetration Testing
SOW: Statement of Work
WAN: Wide Area Network
LAN: Local Area Network
WAS REMOVED: Was removed
WAS REMOVED: Was Removed


TABLE OF CONTENTS

Abbreviation .... 3
1. Introduction .... 5
2. Project Scope, Goal & Objectives .... 6
   2.1. Project Scope .... 6
   2.2. Project Goal .... 6
   2.3. Project Objectives .... 6
3. Critical Success Factors .... 6
4. Statement of Work .... 7
   4.1. Phase 1: Project Initiation & System Study .... 7
   4.2. Phase 2: Risk Assessment .... 7
   4.3. Phase 3: IS Security Testing .... 8
5. Project Milestones & Invoicing Points .... 9
6. Project Communications .... 10
7. Assumptions .... 11
8. Project Team .... 12
   8.1. Project Organization Structure .... 12
   8.2. Project Team Roles & Responsibilities .... 12
9. Project Plan Sign Off .... 15
10. Project Changes .... 16
11. Project Closure Sign Off .... 17

1. Introduction

(Was removed) creates, designs, supervises and manages projects that have the potential to better society. We build on our proven multidisciplinary expertise and offer regional urban planning and comprehensive architectural and engineering consulting services. WAS REMOVED focuses on delivering innovative solutions that meet clients' real needs.

With a history of success and a network of subsidiaries and sister companies, WAS REMOVED provides our clients with an integrated approach to reliable project delivery in the evolving globalized world. Proactive rather than reactive, WAS REMOVED is at the forefront of new specialties and advantageous alliances.

WAS REMOVED's services are all in-house, covering a broad spectrum of disciplines from architecture to urban, transportation, energy, water, Geospatial Systems Integration, and oil & gas projects. We enhance infrastructure, create new buildings, develop neighborhoods, and reshape entire cities.

Was Removed Integration, a Division of Was Removed, has requested that SARA-IT perform Risk Assessment and Information Systems Security Testing for one of its clients in the Gulf, as part of a solution provided by Was Removed.

To complete this project and meet Information Security goals and objectives, Was Removed has engaged SARA-IT as a subcontractor to perform Risk Assessment and Information Systems Security Testing (ISST) of the solution built by Was Removed for its client. This Risk Assessment and IS Security Testing shall comply with the Was Removed Security Management Process and Information Security Policies.

2. Project Scope, Goal & Objectives

2.1. Project Scope

Was Removed has decided to engage SARA-IT to perform Risk Assessment and IS Security Testing of the solution built by Was Removed for one of its clients in Abu Dhabi, in the staging environment. This is part of a complete solution provided by Was Removed.

2.2. Project Goal

1. Perform Risk Assessment for a specific Solution (Hardware and Software) located in the client's Data Center in Abu Dhabi.
2. Perform Information Systems Security Testing for the same Solution.

2.3. Project Objectives

SARA-IT has set the following objectives to achieve the above defined project goals:

1. Define and establish The Scope of the project.
2. Identify supporting assets that belong to the Scope defined above and are compliant with Was Removed IS Standards.
3. Assess Impact on the defined Assets.
4. Identify Threats and Vulnerabilities, then identify Risks.
5. Perform Vulnerability Assessment, then Penetration Testing, after defining Rules of Engagement.

3. Critical Success Factors

The Critical Success Factors for achieving the above project objectives are:

1. Support from the Was Removed Division Head.
2. Support from Was Removed staff by providing requested information to the SARA-IT consultant/s within the time frame and in the specified format and/or template.
3. Active participation & support from the Was Removed Project Team.
4. Active participation from the Was Removed client's staff.
5. Timely collection of all existing documents relevant to this project from Was Removed and their client.
6. Timely sign-off of the project deliverables.

4. Statement of Work

4.1. Phase 1: Project Initiation & System Study

Objectives:
o Develop the Project Management and tracking process for the project.
o Systems Study:
  o Understand the key business processes and underlying Solution infrastructure (Solution processes, systems, network, applications & Solution team).
  o Study the current security structure, security architecture & processes, roles, skill set, and security culture.
  o Identify & document all information assets, identify their criticality & sensitivity to Solution operations, and develop classification mechanisms.
  o Develop The Scope Document.
o Identify & document all information assets, their criticality & sensitivity to business operations, and develop classification mechanisms.

Deliverables:
o Project Charter, Project Plan and Project Tracking Process Documents
o Asset Register
o Asset classification guidelines

4.2. Phase 2: Risk Assessment

Objectives:
o Conduct a Comprehensive Risk Assessment of the Solution infrastructure (information systems & applications) that constitutes the Solution provided by WAS REMOVED to their Client. This includes:
  o Threat & Vulnerability Assessment and Risk Analysis for all assets.
  o Risk Profiling & Prioritization based on their severity & criticality rating and on the Risk Assessment results.

Deliverables:
o Risk Management Methodology Document
o Comprehensive Risk Assessment Report

4.3. Phase 3: IS Security Testing

Objectives:
o Perform Information Systems Security assessment (Vulnerability Assessment and Penetration Testing). This includes:
  o Information Systems security assessment (Vulnerability and Penetration Testing) of sample IT systems as a separate work stream (applications and servers).

Deliverables:
o Vulnerability Assessment Report
o Penetration Testing Report

5. Project Milestones & Invoicing Points

Task | Start Date | End Date
Phase 1 - Project Initiation & System Study | Was Removed | Was Removed
  Project Management
    Project Kickoff Meeting | Was Removed
    Develop Project Management and tracking process for the project
  System Study
    Information Collection: Procedures, etc.
    Systems Study: Interview with respective team
    Scope Analysis of Inclusions and Exclusions for scoping
    Scope Diagram & Scope Document preparation
    Preparing Scope and Assets Documents | Was Removed
Invoice Point I: At completion of Phase 1: US$

Phase 2 - Risk Assessment | Was Removed | Was Removed
  Risk Assessment | Was Removed
    Asset Identification
    Risk Assessment Methodology & set Baseline Acceptable Risk Value
    Asset Register Preparation
    Evaluate Threats, Vulnerabilities and Existing Controls | Was Removed
Invoice Point II: At completion of Phase 2: US$

Phase 3 - IS Security Testing (Vulnerability and Penetration Testing) | Was Removed | Was Removed
  Security Testing
    Conduct Vulnerability Assessments | Was Removed
    Conduct Penetration Testing | Was Removed
Invoice Point III: At completion of Phase 3: US$

Total Amount of the Project: US$

Note: Dates are in DD-MON-YY format.

The total cost DOES NOT include the cost of travel, accommodation, visa, etc. to the Client premises, if needed. These costs will be paid 7 days after the consultant submits the invoice.

N.B. Any additional work requested by Was Removed or its client that is not part of the Statement of Work (SOW) described above will be invoiced separately.

6. Project Communications

During the course of the project, it will be important to communicate the schedule, progress and other issues related to this project to key stakeholders. The following platforms & parameters shall be considered for this purpose:

Process: Weekly Project Progress
  Agenda:
    1. Project update to the Project Sponsor & Project Manager
    2. Update on weekly project progress
    3. Any delays, issues & risks
  Involvement:
    1. SARA-IT Consultant
    2. WAS REMOVED Project Sponsor
    3. WAS REMOVED Project Manager
  Frequency: Weekly
  Medium: Email

Process: Project Review
  Agenda:
    1. Project update to Project Sponsor, Project Manager and WAS REMOVED client
    2. Overall project progress in 1 month
    3. Discussion on any issues & risks
    4. Any other expectations from the project
  Involvement:
    1. SARA-IT Consultant
    2. WAS REMOVED Project Sponsor
    3. WAS REMOVED Project Manager
    4. WAS REMOVED Client
  Frequency: Monthly
  Medium: Email

7. Assumptions

1. Was Removed will assign a single point of contact for all project related deliverables and activities.
2. Was Removed will provide SARA-IT with all required information and access to relevant personnel related to this project on a timely basis. Making all the documents, drawings, reports, facilities, WAS REMOVED personnel and other resources needed for the development work available is the responsibility of WAS REMOVED.
3. The Was Removed Project Team will coordinate actively with their client representative/s, wherever required, during the course of the project.
4. Was Removed will be able to provide logistic support to SARA-IT while conducting discussions, meetings, etc., that are relevant to this project.
5. The Was Removed Client Representative/s appointed for this project should be well informed about the Solution developed by Was Removed.
6. Was Removed would be able to manage requests for meetings, presentations, documents, etc., at the earliest possible time. Any other support needed for the satisfactory completion of the work, such as provision of printing, photocopying, meeting rooms, and other needs, is the responsibility of Was Removed.
7. Was Removed will provide review comments for all deliverables within 5 working days after the date of submission. A deliverable for which no review feedback is received shall be treated as final 5 days after submission.
8. Members identified from Was Removed or their client to work on this project, or on activities related to this project, accept the additional responsibilities assigned to them.
9. Necessary approvals, such as for conducting the Risk Assessment, access to systems for data collection for Vulnerability Assessment or Penetration Testing, and others as deemed necessary, are obtained by Was Removed from their client and from government agencies if needed.
10. SARA-IT will not be responsible for configuring or testing IT systems and other equipment procured and implemented as a part of this project.
11. All deliverables submitted by SARA-IT will be developed and presented in English only.

8. Project Team

8.1. Project Organization Structure

A formal structure of the project team is necessary to effectively coordinate and perform project related activities. Thus, a project organization structure that supports seamless communication and ensures tasks are completed as per the timeline is defined as below:

[Project organization chart: Project Sponsor (WAS REMOVED); Project Manager (WAS REMOVED); WAS REMOVED Project Management; SARA-IT Consultant; SARA-IT Technical Assistant]

8.2. Project Team Roles & Responsibilities

The key roles and responsibilities for the Was Removed RA and ISST project are outlined below:

Was Removed - Project Sponsor, Was Removed

1. Ultimate authority of the project
2. Provide required funding for the project
3. Provide management support during the project
4. Provide leadership in support of the project
5. Remove obstacles that prevent the project from moving forward
6. Build trust among all stakeholders of the project; champion the overall project activities
7. Take ownership of the project execution from the Was Removed side
8. Take key decisions during the project
9. Provide sign-off on the project deliverables to SARA-IT
10. Provide sign-off on the project closure to SARA-IT
11. Approve/reject/recommend changes to the project scope, as may be required

Was Removed - Project Manager, Mr. ______________

1. Set functional/technical expectations on project deliverables
2. Manage project planning and control with the SARA-IT Consultant, which may include:
   a. Ensuring project deliverables are in line with the project plan
   b. Managing project resources from the WAS REMOVED side and their client
   c. Managing project scope, change control and escalation of issues wherever necessary
   d. Recording and managing project issues and escalations
3. Closely monitor project progress and its overall effectiveness
4. Review all project deliverables and provide suggestions for improvements
5. Ensure the project meets the expectations of management
6. Review recommendations for changes to the project scope, if any

SARA-IT Consultant, Mr. Iyad Abou Hawili

1. Act as subject matter expert for the project
2. Accountable for the overall success of the project from the SARA-IT side
3. Track project progress on a weekly basis with the SARA-IT Technical Assistant
4. Address any project escalations and concerns
5. Ensure quality standards are maintained in all deliverables
6. Responsible for the overall success of the project from the SARA-IT side
7. Manage all expectations of Was Removed
8. Create the Project Plan and track it on an ongoing basis
9. Manage project deliverables in line with the project plan
10. Ensure all project timelines are met
11. Ensure all deliverables meet the expectations of Was Removed
12. Provide project status updates to Was Removed management on a periodic basis
13. Ensure all assigned activities are completed on a timely basis
14. Maintain appropriate records of work in progress
15. Escalate all issues to the project manager on a timely basis

9. Project Plan Sign Off

Questions | Your Response
Do you agree with the overall project plan? |
Do you have any special expectation that you would like to highlight? |

Was Removed
Name:  Role:
Signature:  Date:

SARA-IT
Name: Iyad Abou Hawili  Role: Consultant/Owner
Signature:  Date:

10. Project Changes

Change Description | Requestor | Impact | Date of Approval | Approver

11. Project Closure Sign Off

Questions | Your Response
Do you consider the project as completed? |
Have any of the project deliverables not been provided by us? |
Have any of your expectations not been met by us? |

Was Removed
Name:  Role:
Signature:  Date:

SARA-IT
Name: Iyad Abou Hawili  Role: Consultant/Owner
Signature:  Date: