Project Scoping 17
project sponsor, and he or she will be able to provide the project overview
statement fairly concisely. An NVA project definition might read like this:
This network vulnerability assessment is being carried out to measure
the risk associated with operating [company name’s] network in its
current state. The result of this project will include detailed knowledge
of vulnerabilities present in the network and the actions needed to
reduce the risk posed by those vulnerabilities.
This project definition fulfills the requirements stated earlier, in that it is a
short description and it contains a statement of the benefit of carrying out the
project (“knowledge of vulnerabilities present in the network and the actions
needed to reduce the risk posed by those vulnerabilities”).
The goal of an NVA is fairly standard, and not much time needs to be
spent working on this part. The goal of an NVA is:
As network configurations, organizations, and the outside world change
regularly, the risks associated with operating [company name] network
change. The goal of this project is for [company name] management
to be presented with a clear and concise view of the risks associated
with operating the network in the current control environment.
Many times, when the objectives part of the Project Overview Statement
is being developed, the meeting can “run away” from the meeting coordinator.
There is often a temptation to put detailed objectives in a Project Overview
Statement. Remember that a Project Overview Statement should ideally fill no
more than one page, and the list of objectives contained in it should be short.
A list of objectives for an NVA should resemble the following:
Obtain or compile a book of [company name] business objectives, strategic business directions, mission statements, etc.
Compile a book of [company name] Information Security Policies, Procedures, and Standards. Include applicable regulations, laws, guidelines, circulars, etc.
Compile a book of network topography information that includes drawings, notes, updates, operating system information, release numbers, patches, etc.
Create an analysis report that comments on the effectiveness of [company name] Information Security Policies, Procedures, Standards, etc.
Create an analysis report that comments on the current network configuration.
Produce a management report, based on the analyses, that states the risk associated with operating [company name] network in its current state, along with detailed information on the actions needed and costs associated with reducing that risk.
You can see from the above that the list of objectives looks like a very
broad Task List, the basis of a project plan, and it is meant to. While the