14 Managing Network Vulnerability Assessment
in Exhibit 9 and a blank Project Scope Document is shown in Exhibit 10.)
This chapter also discusses what might well be the most important part of
project scope: how to manage scope change.
A note here about project management style and specifically about the
definition of what is “in scope” and “out of scope” in a project: some project
managers take the time and trouble to define activities, organizations, and
data that is “out of scope” (in addition to those that are “in scope”). As a
matter of personal preference, we work on the assumption that anything not
specifically defined as “in scope” is out of the scope of the project.
General Scoping Practices
Project Overview Statement
The first step in developing a Project Scope Document for any project is
drafting the Project Overview Statement, a document that we use to convince
management that our project is worthwhile and will bring benefit to the
organization. The Project Overview Statement is also the equivalent of a charter
for the project and will set out — in the broadest of terms — what the project
is about.
We must be mindful of the audience for the Project Overview Statement.
The document’s readership will include management who are not IT manage-
ment (i.e., internal audit, business unit management, compliance, human
resources, facilities management, etc.). The writing in the Project Overview
Statement must be clear, to the point, and, most importantly, free of acronyms
and technology terms. We will use language that is easily understood by the
nontechnologist.
The Project Overview Statement for an NVA should be one page, simple
in its statements, and clear in its objectives. It should contain:
Project definition: a short description of the purpose of the project and
must contain a statement of the benefit that doing the project will bring
Project goal: one or two sentences that state what problem or weakness
the project will address
Objectives: a short list of objectives that have to be met to reach the project
goal
Success factors: quantification of the benefits of doing the project. For an
NVA, the success factor can be a detailed knowledge of the weaknesses
in the organization’s network (knowledge is a benefit). Note: this section
is not intended for the “old favorite” project success factors such as on
time, within budget, etc.
Assumptions: details of the strengths, weaknesses, opportunities, and
threats involved in the project, but simplicity is the key
Once completed, the Project Overview Statement will be sent to the members
of management who have control over the budget for the project, plus others
who have oversight responsibility or a vested interest. These others may be