SANS Security Leadership (Management 512)

You will get more out of the course if you participate!

This course combines a discussion of technical terminology and concepts, the fundamentals of management, and a review of proper investment of money into the business of your organization. It is updated multiple times per year, and we are always looking for advice to make this course as useful as possible. This course is designed to prepare the student for the GSLC certification. All of the notes are testable unless otherwise indicated, and the course is taught MBA style: your instructor is hitting the high points, so make sure you read the notes multiple times.

"Management is doing things right; leadership is doing the right things." Peter F. Drucker

Course Structure

* Section 1 - Managing the Enterprise
* Section 2 - Attacks Against the Enterprise and Defense-in-Depth
* Section 3 - Crypto/Wireless/OPSEC
* Section 4 - The Value of Information
* Section 5 - Management Practicum

Section one will cover the physical plant: this includes everything from safety, power, and cooling to the intellectual property that the plant protects. The management axiom is that if your physical security fails, the only thing that can still protect your data is cryptography.

Section two is defense-in-depth. We will cover the various threats, with a particular focus on worms, and show why you need a variety of defensive mechanisms: there is always a way to make any one of them fail. We will also cover security technologies, what we call the gadgets section, and learn the technologies needed to design a defense-in-depth.

Section three begins with a study of cryptography, followed by a discussion of ethics and operations security.

Section four covers intellectual property, the six steps of incident handling, and identifying and better protecting the information that is the real value of your organization.
We will also formally consider how to apply everything we have learned, and practice briefing management on our risk architecture.

Section five is not meant to be technical. Here we review the practice and discipline of management in an IT environment.

Section 1: Managing the Enterprise, Planning, Network, and Physical Plant

Table of Contents

* Module 1: Budget Awareness and Project Management
  o Business Situational Awareness
  o Project Management for Security Leaders
* Module 2: The Network Infrastructure
  o The Network Infrastructure
* Module 3: Computer and Network Addressing
  o Computer and Network Addressing
  o DNS: Domain Name System
* Module 4: Vulnerability Management
  o Vulnerability Management: Outside View
  o Vulnerability Management: Inside View
  o Vulnerability Management: User View
  o Managing PDA Infrastructure
  o Managing the Mission
  o Security Frameworks
  o Selling Security
* Module 5: Managing Safety, Physical Security and the Procurement Process
  o Safety
  o Facilities and Physical Security
  o Managing the Procurement Process

Module 1: Budget Awareness and Project Management

Business Situational Awareness

The manager will be familiar with the concept of situational awareness and the fundamental sources of information that lead to business situational awareness.

* Is your security program aligned with your business?
  - Do you know your mission statement?
  - Revenue to date, compared with last year?
  - Names of all top executives and their learning preferences (auditory/visual/graph)?
* Can you list your organization's top three products and the opportunities for security to help protect these products?
* You must achieve personal situational awareness before you can pass it on to your team.

Business unit managers and business operations leaders are always telling information assurance managers that "security needs to be aligned with the business."

What is Situational Awareness?

The concept of situational awareness is apparent in military writings as early as the 6th century BC. Sun Tzu's The Art of War is a collection of 13 chapters, each of which is devoted to one aspect of warfare and is, implicitly, a guide to ancient Chinese generals on how to be situationally aware of the many factors affecting success on the battlefield. In military history some credit this book with influencing Napoleon, the German General Staff in World War II, and even the planners of Operation Desert Storm. These concepts have spilled over into business and managerial strategy as well. And, in turn, the business applications have influenced today's military departments in the United States to adopt situational awareness as a key component of business transformation.[1]

The term was formalized by Dr. Mica Endsley in work done between 1995 and 2000, and boils down to "the perception of elements in the environment along with a comprehension of their meaning and a projection of their status in the near future."
[2]

References (all links valid as of August 20, 2010):
1 http://www.army.mil/armybtkc/focus/sa/index.htm
2 http://www.apsu.edu/oconnort/3430/3430lect02a.htm

4 Basic Processes

* Accurate baseline understanding of the current situation
* Make sure we are in the flow for incoming important information
* Identify expectations and biases
* Remain alert for drift between incoming information and our expectations

There are four basic process steps we need to implement as leaders:

* Understand an accurate baseline of the current situation; understand impacts and trade-offs at critical points in a process.
* Make sure we are in the flow for incoming important information; facilitate decision-making with the right information.
* Identify expectations and biases that, unchecked, lead to errors.
* Remain alert for drift between incoming information and our expectations. The best way to do this is to make predictions, write the predictions down, review them for accuracy, and in the cases where you are wrong, do a lessons-learned to improve in the future.

A security manager must cultivate strong situational awareness before they can pass this skill on to their team. Business situational awareness is the ability to identify, process, and comprehend the critical elements of information about what is happening to the security team with regard to the organizational mission. More simply, it's knowing what is going on around you and staying alert for change. Now that you have read this, stop and ask yourself, "How often do I actively pursue situational knowledge?" When was the last time you dug around in the metrics that define the business of your organization and considered security's role in either supporting or hindering those metrics?
An introduction to metrics-based management can be found at http://www.cskishore.com/metrics.asp

Critical Controls and Information Flow

* Controls 1 and 2: inventory of authorized and unauthorized devices and software
* A major challenge due to the "consumerization" of IT (iPads, etc.) and "I have an app for that"
* Must constantly scan address ranges and device configurations

For hardware, deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to the enterprise network. Both active tools that scan through network address ranges and passive tools that identify hosts by analyzing their traffic should be employed: an active scan only finds what answers, and a passive listener only finds what talks, so the two complement each other. Free tools include p0f v2 (http://lcamtuf.coredump.cx/p0f.shtml) and Nmap (http://nmap.org/). Commercial tools include BSA Visibility (Insightix), IPsonar (Lumeta), CCM and IP360 (nCircle), SecureFusion (Symantec), CounterACT (ForeScout Technologies), and Nessus and SecurityCenter (Tenable). The discovery output becomes useful once it is reconciled against the authorized inventory: devices found on the wire but not in the inventory are the unauthorized ones, and inventoried devices that never show up may have been moved, retired, or simply missed by the scan.

Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. Furthermore, the tool should record not only the type of software installed on each system, but also its version number and patch level. The tool should also monitor for unauthorized software installed on each machine. Unauthorized software includes legitimate system administration software installed on systems where there is no business need for it.
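The reconciliation step described above, as an added example that is not part of the course book: a short Python script that parses Nmap's grepable (-oG) output, compares the discovered hosts with an authorized device inventory, and checks agent-reported packages against a per-role allow list with minimum versions, so that an admin tool on a workstation or an out-of-date package is flagged. The scan output, the inventory, the package reports and the allow list are all constructed for the example; a real deployment would feed in the actual scanner and agent output.

```python
"""Added example (not from the MGT512 course book): reconcile an active scan
(nmap grepable output) against an authorized device inventory, and check
agent-reported software against a per-role allow list (Critical Controls 1
and 2). All hosts, addresses and packages below are constructed."""
import re

# Constructed sample of nmap -oG output; not a real scan.
# Each Ports field is port/state/protocol/owner/service/rpc-info/version/.
NMAP_GREPABLE = """\
# Nmap 5.21 scan initiated as: nmap -sV -oG - 10.10.5.0/28
Host: 10.10.5.1 (gw.example.internal)\tStatus: Up
Host: 10.10.5.1 (gw.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 10.10.5.20 (ws-alice.example.internal)\tStatus: Up
Host: 10.10.5.20 (ws-alice.example.internal)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
Host: 10.10.5.77 ()\tStatus: Up
Host: 10.10.5.77 ()\tPorts: 80/open/tcp//http//lighttpd 1.4/\tIgnored State: closed (999)
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

# Constructed authorized inventory, keyed by IP (assumes static addressing).
AUTHORIZED_DEVICES = {
    "10.10.5.1": {"owner": "network-team", "role": "gateway"},
    "10.10.5.20": {"owner": "alice", "role": "workstation"},
    "10.10.5.30": {"owner": "bob", "role": "workstation"},  # never answered the scan
}

# Constructed software agent reports: (ip, package, installed version).
SOFTWARE_INVENTORY = [
    ("10.10.5.1", "openssh-server", "5.3p1"),
    ("10.10.5.20", "firefox", "3.6.8"),
    ("10.10.5.20", "nmap", "5.21"),  # admin tool with no business need on a workstation
    ("10.10.5.20", "openoffice", "3.2.1"),
]

# Constructed allow list: role -> {package: minimum acceptable version}.
APPROVED_SOFTWARE = {
    "gateway": {"openssh-server": "5.3"},
    "workstation": {"firefox": "3.6.9", "openoffice": "3.2"},
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_nmap_grepable(text):
    """Return {ip: {"hostname": str or None, "services": [(port, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name or None, "services": []})
        if rest.startswith("Ports:"):
            for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(rest):
                if state == "open":
                    entry["services"].append((int(port), proto, service, version))
    return hosts


def reconcile_devices(discovered, authorized):
    """Split the two views: seen-but-unauthorized, and authorized-but-unseen."""
    unauthorized = sorted(ip for ip in discovered if ip not in authorized)
    unseen = sorted(ip for ip in authorized if ip not in discovered)
    return unauthorized, unseen


def version_tuple(v):
    """'5.3p1' -> (5, 3, 1); adequate for a minimum-version comparison."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def find_unauthorized_software(inventory, authorized, approved):
    """Flag packages not approved for the host's role, or below the minimum version."""
    findings = []
    for ip, package, version in inventory:
        role = authorized.get(ip, {}).get("role")
        if role is None:
            findings.append((ip, package, "host not in authorized inventory"))
            continue
        allowed = approved.get(role, {})
        if package not in allowed:
            findings.append((ip, package, "not approved for role %s" % role))
        elif version_tuple(version) < version_tuple(allowed[package]):
            findings.append((ip, package, "below minimum version %s" % allowed[package]))
    return findings


if __name__ == "__main__":
    hosts = parse_nmap_grepable(NMAP_GREPABLE)
    unauthorized, unseen = reconcile_devices(hosts, AUTHORIZED_DEVICES)
    print("unauthorized devices:", unauthorized)  # ['10.10.5.77']
    print("inventoried but not seen:", unseen)    # ['10.10.5.30']
    for finding in find_unauthorized_software(SOFTWARE_INVENTORY, AUTHORIZED_DEVICES, APPROVED_SOFTWARE):
        print("software:", finding)
```

Keying the inventory by IP address is the simplifying assumption here; on a DHCP network you would key on MAC address or on an agent-reported host identifier instead, and a device that is in the inventory but absent from several consecutive scans deserves a ticket just as much as an unknown one that appears.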
Tools include Parity (Bit9), CCM and IP360 (nCircle), Nessus and SecurityCenter (Tenable), and CounterACT (ForeScout Technologies).

7 Classic Causes of Misconception

* Insufficient communication
* Fatigue / stress
* Task overload, dropping tasks
* Task underload, boredom
* Group mindset: like people think alike
* "Press on regardless" philosophy
* Degraded operating conditions

Some of the best studies of failure to maintain situational awareness have been based on aircraft incidents and pilot error. The slide lists some of the common causes of major errors.[1] One to be particularly aware of is missing drift between incoming information and our expectations. A Sandia study of air traffic controllers lists "misperception" of the available data as by far the single largest cause of error; it is over three times more likely to be a contributing cause of failure.[2] We would be wise to carefully consider the Will Rogers quote, "It isn't what we don't know that gives us trouble, it's what we know that ain't so."[3]

References (all links valid as of August 20, 2010):
1 https://www.netc.navy.mil/nascweb/crm/standmat/seven_skills/SA.htm
2 http://www.satechnologies.com/Papers/pdf/Sandia99-safety.pdf
3 http://www.brainyquote.com/quotes/quotes/w/willrogers385286.html

Temet Nosce

* On a scale of 1 to 10, how do I rank my
  - Ability to make process measurable
  - Ability to create repeatable process
  - People management skills, knowledge and ability
  - Budget skills, knowledge and ability
  - Security technical skills, knowledge and ability
  - Track record of bringing what I start to a close
  - Interpersonal skills

Temet Nosce, meaning "thine own self thou must know" or "know thyself," was the sign above the door in the Oracle's kitchen in the movie The Matrix. As a popular blogger on that subject wrote: "Life, it seems to me, is a series of choices.
Constantly we have to make choices and decisions... and the quality of our lives and often the direction it takes is decided by the quality of the decisions we make. As Neo rightly guessed in The Matrix Reloaded, 'Choice. The problem is choice.' I have been faced with choices, often life-changing ones, and had to make the decisions by myself. Most people would prefer to leave the decision in someone else's hands or postpone it until the decision matters no more or their hands are tied and they are forced to choose one over the other."[1] (Read quickly; the link forwards to another page.)

As computer security managers, we need to honestly understand our capacity for effecting change. We need management skills, security skills, and a track record of putting them to use. Our chance of effecting change in ourselves is much higher than in others, so let us each start at the beginning. So, please, stop everything; if possible, get to a quiet place. Take out your pencil and put your score on paper; be as brutally honest as you can, since you are the only one who will see your answer. In addition to these competencies, consider one of the many Internet resources to evaluate your own personality and character.[2]

References (all links valid as of August 20, 2010):
1 http://nissimnabar.blogspot.com/2006/06/temet-nosce-know-thyself.html
2 http://www.learnthat.com/business/learn-92-evaluate_yourself.htm

Positional and Personal Authority

Your goal as a leader is to find ways to increase both your personal and positional power in order to influence your organization to improve its security posture. Personal power is gained through knowledge and experience. Positional power is based on your position within the company. Team members are more likely to be influenced by personal power, and upper management is more likely to listen if you have the positional power to back it up.
Positional authority is the authority you get from your title and the location of your office (reporting to the Governor, for example).[1] Historically, you had to hold a position of authority to be considered a leader, just as in the military.[2] In the Internet age, with communication so easy to achieve, we are starting to see the emergence of thought leadership: one person with the ability to write can influence an industry with something as simple as a blog. However, positional authority is still the most common underpinning of authority.

Direct and Order versus Ask, Plead and Cajole

If you have positional authority, you can direct that things be done using the resources assigned to you. This seems like the logical method of management to a person with a military background, but it does not always work so well in business.

References (all links valid as of May 20, 2011):
1 http://www.windley.com/archives/2003/03/public_service_7.shtml
2 http://www.leadersdirect.com/lead-authority.html

Dangers of Positional Authority

* Authoritarian leadership style
* The "airline captain problem," including the Tenerife aircraft disaster, the deadliest accident in aviation history and one of the worst situational awareness failures of all time
* As a leader, encourage your team to challenge you if they think you are wrong

"When someone has a higher position or more authority than you, the automatic trigger is that whatever that person says must be true. The FAA found that many errors by flight captains were not challenged or corrected by other members of the crew. This blind obedience to position and authority resulted in catastrophes. One airline, concerned about this evidence, tested their own flight crews via flight simulators. They created conditions that would lead to mental overload and emotional stimulation. The captains (in one study) would make fatal mistakes at a critical moment.
The airline was shocked to find that 25% of the flights would have crashed because the subordinates did not take corrective action and challenge the position of the plane's captain."[1]

The poster-child example is Tenerife. On a foggy day, lined up on a runway that had another plane on it, KLM Captain Van Zanten advanced the throttles, and the co-pilot advised the captain that ATC clearance had not yet been given. The captain responded, "I know that. Go ahead, ask." Co-pilot Meurs then radioed the tower that they were "ready for takeoff" and "waiting for our ATC clearance." The KLM crew then received instructions that specified the route the aircraft was to follow after takeoff. The instructions used the word "takeoff," but did not include an explicit statement that they were cleared for takeoff. Captain Van Zanten then said "We're going," and the co-pilot chose not to embarrass his superior a second time by stating that they still did not have the proper clearance to take off. In total, 583 people died when the KLM plane hit the Pan Am 747 on the runway.[2] A number of other crashes have the same root cause, and crews are now taught to challenge errors.

References (all links valid as of May 20, 2011):
1 http://www.articleslash.net/Business/Sales-Management/91226__Positional-Authority.html
2 http://web.archive.org/web/20080228061831/http://casa.gov.au/fsa/2007/oct/44-49.pdf

How to Budget Time

* Plan - Check your Daytimer or PDA; do you have appointments for important tasks six months from now?
* Do - Always schedule time for yourself to ensure projects are on track
* Check - At least monthly, make sure you are still planning time, not just fighting fires

To be successful as leaders we need to budget our time, our resources, and our finances. Often we do not give sufficient consideration to our time.
Take a minute to check your Daytimer. If you do not have regular appointments six months out or more for the critically important tasks such as planning, personnel management, and systems and budget reviews, it is an indication that you are living day to day. It means every crisis that comes up can derail your program. Have you ever heard the expression "time is money"? There's some truth to it! We "spend" money just as we "spend" time, and in both cases we have to spend it wisely if we want to get something good in return.[1] As leaders, we need to ensure we are spending our organization's time and money wisely so that we are furthering the mission of our organization.

The Management 512 PDA/Daytimer exercise

In this course, we do the following exercise on the first day of the conference. We ask all the computer security managers to get out their organizational tools and put their PDAs and Daytimers on the desk. We ask them to turn to six months from today and see what they have on their calendars. We have been doing this 6-8 times a year with an average of 30-40 leaders, and only a handful have things planned six months in advance. We already know that we have performance reviews to conduct, annual and semi-annual reviews, holidays, and so forth. The first step is making time for strategic tasks.

Try it now! Stop reading for a minute, open your own organizational device, and check what you have in place six months from now. If it is empty, check the week before and the week after. If that is empty too, it may be a sign that you are 100% in fire-fighting tactical mode. If that is true, you can be a more effective leader if you budget your time wisely.

Strategic planning goals and benefits

Strategic planning is a management tool, period.
As with any management tool, it is used for one purpose only: to help an organization do a better job, to focus its energy, to ensure that members of the organization are working toward the same goals, and to assess and adjust the organization's direction in response to a changing environment.[2] In order to plan well, we must first achieve business situational awareness.[3]

1. Clearly define the purpose of your part of the organization and establish realistic goals and objectives consistent with that mission, in a defined time frame and within the organization's capacity for implementation.
2. Communicate those goals and objectives to the organization's constituents.[4]

Try it now! Stop reading for a minute and invest a bit of time in you and your organizational system, whether PDA or paper based. Look at goal number 1. Doesn't that sound like it would help align your program with the needs of the business? How comfortable are you that you are up to date and in alignment? If the answer is less than 100%, mark out a time to accomplish this important task. Move to goal number 2. Have you been doing that? Does the rest of the organization know what you are trying to accomplish? If you are not 100% sure, mark out a time to accomplish this important task. Now, before you close your Daytimer, take a minute to fill in any dates on which you know you are going to have meetings or appointments. Block out your vacation if you have that planned.

Short range tactical time budgeting

To be effective we balance longer-range, more strategic planning with daily planned discipline. We are going to eat, sleep, work, etc., and that all takes time. However, we are on this earth for a purpose, and each of us is going to perish, so we might as well accomplish something while we are here and leave a legacy. Important tasks are the tasks that leave your legacy. Urgent tasks are the tasks you have to accomplish to remain employed; try to keep them in balance.
You can use the MSC method to sort your tasks into urgent and important:

* Must Do - urgent tasks
* Should Do - can be urgent or important
* Could Do - can be important if they lead to your ability to leave a legacy

Time management is a discipline, but not a particularly hard one to achieve. Many people feel it takes about 21 days of repetition of a discipline to form a habit. Habits are formed by a combination of instinctive needs, subconscious tendencies, and the originally conscious choices of learning and training which, with repetition, soon become subconscious. In other words, the body "remembers" how to behave in similar situations. The earlier the learning occurs, and the more often it is repeated, the stronger the habit.[5] For the next month, which is more or less 21 working days, work on living to a time budget. A simple one is shown below.

Activity                                                 Time
Sleep                                                    8 hours
Prepare for work, eat, get dressed                       1 hour
Commute to work, listening to training mp3               0.5 hour
E-mail (morning) or meeting                              1 hour
Urgent tasks
Lunch (away from computer, with a person)                0.5 hour
E-mail (afternoon) or meeting                            1 hour
Important tasks
Final e-mail or meeting                                  1 hour
Work out, exercise                                       0.5 hour
Commute home, listening to music                         0.5 hour
Family time, dinner, relax, read, TV                     4 hours
Final check, e-mail                                      1 hour
Quiet activities before sleep, prepare for tomorrow      1 hour

Of course everyone's situation is different; however, there are some entries to take note of. Many of us try to redeem the time we spend commuting, so in this time budget we have some "sharpen the saw" time on the morning commute. During the afternoon commute, we suggest music as a way to separate work from life. Great leaders spend a lot of time working, yet life is not work, so leave time for life. Whether the workout is in the morning or the afternoon is a personal choice.
If you have a lot of people management tasks, you may find you are mentally exhausted when you come home; a workout can clear the mind and give you a better outlook on life.

Have you ever had a day where you felt you had accomplished nothing? E-mail is a thief; it steals time away from important tasks. Many managers and leaders report that they feel all of their time is spent on meetings and e-mail. This must not be the case, or we become personally ineffective in short order. Also note that the day has a time block for urgent tasks and a block for important tasks. If you budget time for e-mail, meetings, and important tasks, you will be effective. If you don't, you won't. Sounds great, but the problem is that we can always get swept up by a crisis. If that happens, the first things to go are the important times, the planning times. If you have an auto tickler like Outlook, set it monthly to check whether you are still doing the important things.

Practical Tips

A List Apart Magazine carried an article titled A Four Day Workweek by Ryan Carson with the following tips:[6]

1. Avoid using instant messaging: it's a constant source of distraction.
2. Only check your e-mail twice a day: the surest way to waste time is the ol' Send and Receive button.
3. Stick to what matters: take care of the most important stuff first. Don't waste time on low-priority stuff. (In fact, delete the low-priority stuff from your to-do list. It's not going to get done anyway.)
4. Ask for alone time: if you need uninterrupted time to get something done, politely notify your co-workers that you'll be unavailable for a couple of hours.
5. Limit blog-reading time: set a time limit on your blog reading. If you don't get through all your blogs in that amount of time, hit the trusty Mark All As Read button and move on.
6. Make lists: write a to-do list for each day (on paper if you can bear to tear yourself away from Outlook). Put the time-sensitive stuff at the top and be realistic.
Choose three time-intensive things to do and five quick things to do. Make sure you finish all of them before you leave in the evening.
7. Restrict meetings: if you can, restrict the number of meetings you call or are involved in. Meetings drag on and can eat into your day. Instead, aim for one or two meetings per week and plan them carefully to ensure you cover all important topics and keep on track.

References (all links valid as of August 20, 2010):
1 http://pbskids.org/itsmylife/school/time/article3.html
2 http://www.idealist.org/if/idealist/en/FAQ/QuestionViewer/default?section=03&item=22
3 http://www.sans.edu/resources/leadershiplab/businesssitawareness.php
4 http://www.managementhelp.org/plan_dec/str_plan/str_plan.htm
5 http://san.beck.org/Life6-Memory.html
6 http://alistapart.com/articles/fourdayweek

How to Budget Employees' Time

* Plan - The most important rule for scheduling people is to avoid thrashing (making them jump from one task to another). E-mail can be a time waster too: too many recipients, unneeded attachments; worse, tasking by e-mail can increase thrashing.
* Do - Closely monitor the frustration level of your direct reports. Thrashing is the primary contributor to frustration.
* Check - At least quarterly, briefly chat with employees to determine what they consider their priority tasks. Very often there will be surprises.

When dealing with knowledge workers, our goal is to help them be successful in accomplishing tasks. This will give them a sense of satisfaction, the feeling that they've accomplished something. A primary key is to let employees focus on priorities. Writing good performance objectives can help. Characteristics of good objectives include:

* Problems or opportunities that you want them to work on.
* Process: when possible implement process; don't rely on memory or "tribal knowledge."
* Make sure both you and the employee understand the mix of routine work and non-routine work.
Most employees are most comfortable with routine work; employers use non-routine objectives to help employees develop new process or new skills.

The most important thing to keep in mind is not to assign too many objectives. If you let an employee have a dozen performance objectives for a quarter, it will be hard or even impossible for them to "get it all done." The thing that you believe is the priority may not be the priority.

E-mail is one of the primary sources of thrashing and employee frustration, and we need to manage it. Two keys I have for you are: get control of e-mail, and, after you conserve some time, remind them that you expect measurable, productive, focused work.

Let's discuss e-mail first. An overwhelming number of knowledge workers spend entirely too much time reading e-mail. There are a number of technical tricks you can learn for filtering e-mail and the like, but that is addressing the symptom, not the problem. Leadership means sitting down with your people and addressing the large and the small. Let's do small first: carefully manage your recipients and attachments.

* Minimize the number of recipients. "The average time to write an e-mail message is about 4 minutes, and the average time to read a message is about half a minute. It thus takes about eight times as long to write as to read messages. This means that if all messages had exactly one recipient, then people would spend about 90% of their e-mail time writing messages, and only about 10% of the time reading messages. In this situation, very few people would be overloaded with too much e-mail. Thus, a major cause of information overload is messages with more than one recipient. It is often not much more difficult to send a message to ten or a hundred or even more recipients than to send a message to only one recipient."[1]
* Only send attachments when necessary.
From the University of Sydney: "The School of Public Health discourages sending large attachments to School e-mail lists. It is wasteful of file server storage space on the mail server and of recipients' time to send attachments that can be pasted into the body of the e-mail, e.g. notices of seminars."[2] Note carefully: wasteful of server space, wasteful of the recipient's time. If the information can be pasted into the e-mail message, please do so.

The most important fact about e-mail

Almost no employees are hired to read or write e-mail. They are hired to accomplish some productive task. If we ever find ourselves in a situation where all we do is read and respond to e-mail in a working day, something is very wrong. I limit the amount of time I spend with e-mail so that I can do other things such as authoring this course. *smile* So, the simple point about e-mail: do less of it, do more work, be more effective. It isn't that e-mail is bad, but e-mail can lead to job scope creep in a hurry, and job scope creep leads to thrashing.

I found this on an HR site; read it carefully, read it critically: "Employees can better manage their time if they delegate the things they cannot perform. Whenever an employee finds something that he or she cannot perform during the time given to him or her, he or she should have the prudence to pass it along to other co-employees who have extra time to spare. Assuming too many tasks at once not only hampers productivity numbers, but also compromises work quality. If an employee rushes to finish a certain job just because there's a deadline, at the expense of quality, then everybody loses in the long run. And more time is eventually wasted."[4]

My response is: maybe! It sounds good at first, but where is the accountability? If management allows employees to pass tasks along, does the important work get done?
Now there is a case for everything: if an employee truly cannot do a job, either for time reasons or for lack of skills training, trying to force them simply frustrates everyone. However, both the e-mail discussion and this bring up something that is very wrong in the modern workplace. Many knowledge workers are over-tasked. They have ten or twelve or more objectives. If that is true, what is a day or week like? Does this cause them to jump from task to task to task? Here is something to think about: assign fewer tasks and hold the employee accountable for their actions. A productivity blog suggests:

"What task can you do that will get you the most return on your time? Figure out the project that will get you the most recognition, win you awards, or get you the most business. Something that will pay off big. Not something you'll forget about in a week, but something that others will remember you by. This is an essential task. Make a list of these types of tasks; they're your most important things to do this week."[5]

This is the kind of thinking we need as computer security managers. Be careful of multi-tasking. Even if you are not changing the priorities and tasks, you will often find that other people are tasking your team's resources. If their time is being used as a resource for others, this will lead to work being pushed around instead of work being done. Symptoms that work is being pushed around include: more than two people are involved in completing an atomic task; large amounts of phone, e-mail, or instant messenger (IM) traffic are required to complete transactions; and employees cannot describe the entire process to complete a task from beginning to end. Pushing work around instead of completing work is a distraction and tends to diminish situational awareness. The responsibility of the leader is to monitor their employee resources and make sure they are being allowed to accomplish what they are capable of doing.
When you are planning your time, set aside time to meet with your people, even if it is just a phone call. One classic practice is to establish milestones and check on them quarterly. This is a good way to find out if "other things just came up."

References (all links valid as of August 28, 2010):
1 http://ome.dsv.su.se/select/coping-with-too-much-email/
2 http://www.health.usyd.edu.au/current/it/policies/email_attach_policy.pdf
3 http://www.sans.org/training/description.php?mid=62
4 http://syamhrfiles.blogspot.com/2007/11/time-management-tips-for-employees.html
5 http://www.lifehack.org/articles/productivity/simple-productivity-10-ways-to-do-more-by-focusing-on-the-essentials.html

Budget Structure

* Top-down: ram it down from the top, because senior management is all-knowing
* Bottom-up: department managers submit expense and revenue parameters for major items
* Negotiated (or parallel): consensus approach
* Devolving: independent fiefdoms; department managers each develop and manage their own finances
* Plan - Decide on a budget system (top-down, bottom-up, etc.); track revenue and expenses for at least two years, if possible
* Do - Be sensitive to all stakeholders and ensure the budget covers them
* Check - At least monthly, check for budget drift

All within the organization need to commit to the method by which the overall budgeting process is conducted.

Top-Down

Executive and/or senior management can create "top-down" (or "imposed") budgets, and arbitrarily "push down" those budgets to lower levels of the organization for acceptance and implementation. All the budgeting decisions are made "from above," without any consultation with middle or departmental managers or their teams.

Bottom-Up

Alternatively, line managers and department heads can contribute materially to, and/or create, "bottom-up" (or "participative") budgets, submit them (from the bottom up) to more senior and executive managers for critique, discuss the points of contention, compromise, receive approval, and then proceed with implementation. In some cases, only information regarding resource requirements is collected and consolidated at lower levels and submitted to senior management for consideration, from which they set the budgets accordingly. At the very least, all managers within an entity are involved in the budget development and setting process.

Negotiated

Negotiated (or "parallel") budgets are derived from the "participative" approach. In this process, senior management sets broad guidelines for goals, objectives, operating assumptions, and constraints. Departmental managers and their teams prepare budgets that comply with those directives. The process of finalization and allocation is completed through active participation, discussion, and negotiation between senior management and the department managers.

Devolving

Devolving budgets, or devolution, is the process of transferring total responsibility for managing the budget process to the local line or departmental level. It includes the identification and justification of specific departmental goals and objectives by the managers directly involved and affected. This method takes into consideration the entity's overall goals and objectives as well as internal and external constraints. Accordingly, those managers must also quantify the resources deemed necessary in order to deliver the forecasted results.

How to Budget Money

The most important thing with a budget is to never spend it until you have it. Unless you're a start-up, you want to be comparing this year's performance with at least two years of history.
Stephen Northcutt tracks revenue and expenses on a daily basis to identify drifts from history and drifts from plan. One of the hardest parts of budgeting is to ensure that all stakeholders are treated equitably while the budget is still weighted in favor of the areas of the organization that are bringing in the money or establishing the organization's future. One of the most important lessons is to separate personal financial budgeting habits from professional budgeting practices. When you are managing money professionally, expectations probably require detailed attention, especially if you are managing a lot of money or resources.

IT Department Budgets
* Do you know your organization's and department's revenue and expenses for last year and year to date?
* When budgeting for your organization, is the focus on reducing expenses first or on increasing revenue?
* "Sales" of Internet and system security to internal business units
* Should plan ahead at least two years
* Marketing of products, services and project development to external clients; running the IT department as a business
* Dedicated training and professional development

IT Department Budgets
Security has been reactive in the past few years. A site gets hit with a worm; the CFO authorizes more money for security. While this has worked in the past, it can hardly be called leadership. We have a responsibility to think proactively and to provide senior management with a reasonable multiyear budget. CIOs should consider moving away from the traditional "cost-center only" mindset of running an IT department as merely a support function to the overall entity. Rather, it should be reconfigured to include revenue-generating elements from internal (and external) sources. These sources are then quantified for each job/project completed or service provided, and are included as an integral part of the department's annual budget.
A very informative examination of this subject may be found in an article by Stephanie Overby entitled "How to Run IT Like a Business" (CIO Magazine, May 1, 2004). Her introductory comment states: "Evolving from a cost center, IT is taking on the character, rigor and practices of a business within a business. It won't be easy, but for CIOs it's a matter of survival."[2] She goes on to say: "It's not a flavor of the month; it's a mutual mandate from the CEO, the CFO and the CIO. This one will turn IT from a credibility-damaged cost center into the aligned business partner it needs to be - and always should have been. But only if IT leaders understand what it really requires." The article draws its "... insight from a new in-depth CIO survey of more than 100 organizations selected for the study because of their exceptional IT reputations. For these CIOs, running IT like a business is the defining principle for IT functions reborn in the post-Internet-bubble recession."[3] Some of the companies mentioned in the article are Intel, Huntington National Bank, 7-Eleven, British Petroleum, Atmos Energy and Mannington Mills.

Internal Sales
The IT department should treat corporate (the other divisions, departments, units, etc. of the entity) as its internal customers by marketing technology solutions to them; educating them; advising them on opportunities, risks, potential benefits and costs; and securing their commitments. Each of these "jobs" is recorded in the IT department's budget. Correspondingly, the IT department may be asked to quote on those "jobs" against outside sources.[4]

External Clients
Also, if the IT department has the capabilities, it should seek contracts with outside clients in order to contribute to the entity's overall growth and profitability.
Internet and Systems Security
The proliferation, concern, and potential threat represented by outside forces able to cripple the entity's day-to-day operations necessitate that careful quantification be made, forecasted, and included in the budget for adequate systems and procedures, within the general framework encompassing Internet and systems security.

Training and Professional Development
In addition to corporate university training and development, the IT department's budget should include a dollar figure for each employee that is earmarked for outside professional development and/or technical training.[5]

Major Line Items in the Budget Model

One Year Summary
All the underlying line item details are aggregated for the year to show total amounts for:
- Net Sales and Revenues
- General and Administrative Expenses
- Depreciation
- Corporate Overhead
- Reserve for Contingencies
which provide projected results for:
- Gross Operating Income/(Loss)
- Net Operating Income/(Loss)
- EBITDA (Earnings Before Interest, Taxes on Income, Depreciation and Amortization)[1]

Monthly Projections by Major Line Items
In order to provide more detail on a month-by-month basis, the underlying line items are aggregated into the following major groups:

Gross Sales and Revenues from internal units and external clients, reduced by "Discounts and Allowances", to give Total Net Sales and Revenues.

General and Administrative Expenses (in alphabetical order):
- Advertising, PR
- Consultants, Independent Contractors
- Equipment Depreciation
- Equipment Leasing
- General Overhead
- Office Equipment Repairs and Expenses
- Staff Salaries, Withholding, Benefits, etc.
- Rent
- Taxes (other than Income)
- Telecommunications
- Travel and Entertainment
- Utilities

Gross Operating Income/(Loss), reduced by the Corporate Overhead Charge and the Reserve for Contingencies, to give Net Operating Income/(Loss).

EBITDA (a widely quoted measure of operating performance, which stands for Earnings Before Interest, Taxes on Income, Depreciation and Amortization) is, in this model, Net Operating Income/(Loss) plus Equipment Depreciation. It is simply a metric for measuring the flow of money, not cash flow, since EBITDA doesn't measure actual cash flowing into a company. However, a manager should be aware of revenue and expenses on an almost daily basis. EBITDA is particularly helpful when you are in a money-losing situation or working within very tight margins, as long as there are no variations in the accounting methods being used. It is not perfect and does not measure everything; examples of money flows not tracked include:
- Cash required for working capital
- Debt payments and other fixed expenses
- Capital expenditures

Detailed Monthly Projections
Using the data entered on the three "Assumptions" sheets, the model prepares monthly projected budget numbers with considerable detail, line by line. That type of presentation allows managers to:
- Observe and analyze trends.
- Change data/amounts in "Assumptions" to assess different "what if" scenarios.
- Review the results with appropriate personnel.
- Obtain a meaningful consensus on the final version.
- Implement the budget.
- Commit to ongoing variance analysis and action programs to achieve budget numbers.
The details of those line-by-line items are self-explanatory in the model.

References:
1 EBITDA is a widely quoted measure of operating performance. Its calculation removes expense items which may be based on different, elective methods of calculation among entities in the same or similar businesses, thereby permitting more "apples-to-apples" comparisons.
2 Overby, Stephanie, "How to Run IT Like a Business."
CIO Magazine, CXO Media, 492 Old Connecticut Path, Framingham, MA 01701, May 1, 2004. This article may be accessed over the Internet at http://www.cio.com/archive/050104/howto.html.
3 Ibid.
4 Lim Swee Cheang, director at the Institute of Systems Science, commented in his article that appeared in Computerworld Singapore, Vol. 10 Issue No. 13, 18-24 February 2004: "A significant part of the IT department budget should be derived from the 'sales' of internal projects. The outcome of the internal sales will provide a good indicator to the CIO on the anticipated IT budget of the coming years.
"The IT department should treat these business units as internal customers; market the technology solution to them; educate them; advise on the opportunities, risks, potential benefit and cost; secure their commitments, and implement the technology solutions to meet their business needs.
"CIOs should abandon the traditional cost-centre mindset of running an IT department as a supporting function to the business, and move over to a revenue-centre mindset of running the IT department as a business venture with its business units as customers."
5 Denise Saboleik, the Managing Director of Information Technology at Pittsburgh-based FedEx Ground, commented in an article that appeared in the September 2003 issue of Employment Review Online: "A dedicated training budget. In addition to corporate university training and development, does the IT department's budget include a dollar figure for each employee that's used for outside professional development and/or technical training?"
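The budget model above is described in words only. The following Python is an added example, not the course's model and not Stephen Northcutt's tracking sheet: it implements the same line-item roll-up (net sales, G&A, gross and net operating income, EBITDA as net operating income plus equipment depreciation) and the monthly drift check the "Check" step calls for. Every amount is constructed sample data, and the 10% drift threshold is an assumption; pick the tolerance your finance team actually uses.

```python
"""Added example: minimal monthly budget model with a plan-versus-actual
drift check. Line items follow the structure in the notes above; all
amounts are constructed sample data, not any organization's real budget."""
from dataclasses import dataclass

METRICS = ("net_sales", "ga_total", "net_operating_income", "ebitda")


@dataclass
class Month:
    gross_sales_internal: float      # "sales" to internal business units
    gross_sales_external: float      # external client contracts
    discounts_allowances: float
    general_admin: dict              # G&A line items by name
    corporate_overhead: float
    contingency_reserve: float

    @property
    def net_sales(self) -> float:
        return self.gross_sales_internal + self.gross_sales_external - self.discounts_allowances

    @property
    def ga_total(self) -> float:
        return sum(self.general_admin.values())

    @property
    def gross_operating_income(self) -> float:
        return self.net_sales - self.ga_total

    @property
    def net_operating_income(self) -> float:
        return self.gross_operating_income - self.corporate_overhead - self.contingency_reserve

    @property
    def ebitda(self) -> float:
        # Per the model: net operating income with equipment depreciation added back.
        # Interest and income taxes are not line items in this model, so nothing else is added.
        return self.net_operating_income + self.general_admin.get("Equipment Depreciation", 0.0)


def year_summary(months):
    """One-year summary: each metric totalled across the months given."""
    return {m: sum(getattr(month, m) for month in months) for m in METRICS}


def variance_report(plan, actual, threshold=0.10):
    """Monthly drift check. Returns (month_no, metric, plan_value, actual_value,
    pct_drift) for every metric whose drift from plan exceeds the threshold in
    either direction. Drift is relative to plan; a zero plan with a non-zero
    actual is reported as infinite drift rather than dividing by zero."""
    findings = []
    for month_no, (p, a) in enumerate(zip(plan, actual), start=1):
        for metric in METRICS:
            pv, av = getattr(p, metric), getattr(a, metric)
            if pv == 0:
                pct = 0.0 if av == 0 else float("inf")
            else:
                pct = (av - pv) / abs(pv)
            if abs(pct) > threshold:
                findings.append((month_no, metric, pv, av, round(pct, 3)))
    return findings


def _month(internal=100_000.0, consultants=8_000.0):
    # Constructed sample month; only the two inputs that vary below are parameters.
    return Month(
        gross_sales_internal=internal,
        gross_sales_external=20_000.0,
        discounts_allowances=2_000.0,
        general_admin={
            "Staff Salaries, Withholding, Benefits": 60_000.0,
            "Equipment Depreciation": 5_000.0,
            "Consultants, Independent Contractors": consultants,
            "Telecommunications": 2_000.0,
        },
        corporate_overhead=10_000.0,
        contingency_reserve=3_000.0,
    )


PLAN = [_month(), _month(), _month()]
ACTUAL = [
    _month(),                      # month 1: on plan
    _month(consultants=20_000.0),  # month 2: consultant spend overran
    _month(internal=80_000.0),     # month 3: internal "sales" fell short
]

if __name__ == "__main__":
    print("plan year:  ", year_summary(PLAN))
    print("actual year:", year_summary(ACTUAL))
    for month_no, metric, pv, av, pct in variance_report(PLAN, ACTUAL):
        print(f"month {month_no}: {metric} plan {pv:,.0f} actual {av:,.0f} drift {pct:+.1%}")
```

Note that a single overrun in one G&A line (month 2) moves net operating income and EBITDA far more than it moves total G&A, because those are thin residuals; that leverage is why the notes recommend watching revenue and expenses almost daily rather than waiting for the year-end summary.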
Situational Awareness Summary
* Weak managers are usually perceived as ignorant and unaware
* We need to be aware of the heartbeat of our organization and our group
* We must know our personal strengths and weaknesses
* We must understand the financials, as this is the lifeblood of business

Situational Awareness Summary
Whether you are a newly appointed leader with security responsibilities or an established leader, today is a great day to assess yourself. Make a new day's resolution to be more effective, to increase your personal alignment with the needs of your business and your group's effectiveness in serving your business. Great leaders are aware of their surroundings, and they ensure that their team and co-workers are also aware. This is accomplished by prioritizing focused attention; it is also the result of minimizing distractions. They share their expectations and bring their teams into alignment. Great leaders know their weaknesses, and both work on them and create countermeasures to prevent their weaknesses from detracting from their effectiveness. They take budget and financials seriously, as they know this is what makes business succeed. They make every effort to be one percent better as a manager. Here are some suggestions by other managers with computer security responsibilities; from all of us at the leadership lab, we hope they help:

* You might also consult Chapter Five, Negotiating Success, in The First Ninety Days by Michael Watkins. The rest of the book is fairly "arm-wavey" (too general). Chapter Five lists the important conversations that you need to have both with your boss in your new capacity as a manager and with your new reports. These include how you like to be communicated with, what resources are available, and what should be considered the highest priorities. There are others. Perhaps Amazon will let you look at the chapter alone. Otherwise it's worth $20 in my opinion. I made all my newly hired people get a copy when I was headhunting.
- Jodi L. Colburn

* There are, of course, a thousand and one books on management. A quick Amazon search will find many that are 5-star rated. We all will have our favorites and you will have a nice list of reading material so far. *smile* I will offer a couple of books that I found useful and then a small piece of advice. Try and get these books on tape/CD first so that you can listen to them on the way to/from work. This will get you the essence fastest and make use of that travel time. You can always get the book afterwards if you want the complete story. They are all on Amazon. I am also looking at books that can have the fastest impact for you, so some are very short; one is less than 100 pages and you can read it in an hour or two: 7 Habits of Highly Effective People - Steven Covey (get it on CD); Ultimate Rewards - What Really Motivates People - Steven Kerr; The One Minute Manager - Kenneth Blanchard, et al.; The Greatest Salesman on Earth - Og Mandino (yes, you are in sales). That's enough books. Now a small piece of advice. There is no shortage of great books on becoming a great leader, manager, rich, or smart, or whatever. So why are there so few rich, smart people who are great managers and leaders? Because most people read but do not implement. You need to DO, not just read and forget. This is why I like the books listed. They are easy to digest and absorb and then easy to apply, day to day, every day. Stay humble, be cool, give more than you take, and above all remember this from Admiral Grace Hopper: "You don't manage people; you manage things. You lead people."
- Jos Pols

* I'd recommend Googling "DiSC personality profile", reading through some of the sites to get the general idea, and then looking up an appropriate book on the subject. DiSC personality profiling isn't a bad short-hand method for quickly identifying a person's general strengths and weaknesses, but take it with a grain of salt... personalities are carved in flesh, not stone.
I mention this because your work is now at least 80% about people... the technical gadgets and gizmos now move to the back burner... and your success will be measured on this as much as (or more than) on what your team does. But at least the pay should be better.
- Joe Bieber

* If you are newly promoted: you have to have a basic attitude shift from accomplishing things yourself to accomplishing goals through the actions of others, even if they don't do it as well, as soon, or as thoroughly, and at the end you will be accountable for the results. Every assignment will have two partially conflicting goals: accomplish the task and develop the staff. To do this you'll have to let people make mistakes, celebrate wins (even if you already knew the answer) and build confidence. Hardest of all: you may have to make decisions that hurt people. There's only so much money to go around; not all will get a raise. Recession is coming up; is someone underperforming? Or even small ones like a limited budget and axing a pet project. These are tough decisions not to be taken lightly, since they involve folks' lives.
- Jeff Bryner

* Separating yourself from your previous role can really be the most difficult bit (well, unless you have crap staff, in which case the battles of personalities could be!). I found it difficult for quite some time in a small company to be treated equally to other managers who came in at that level. On top of that, not just being a one-man action show with a bunch of glorified PAs can be hard if you don't change your mindset. And lonely too sometimes, depending on the situation. Learning to delegate and keep on top of progress is key. Depending on who you work for, some companies (particularly larger corporates) can be big into their personal development, and actually identifying your own weaknesses and taking appropriate courses (internal or external) can win real brownie points for your next year's performance appraisal. How's your budgeting side of things?
Strategy and analyzing? Team building and influencing skills? Do you know the business that your company conducts inside out - can you talk to your C-level execs at a level they respond to... knowing what it is they're trying to achieve in the company? These are the things that 15 years of tech experience often doesn't even scratch the surface on. Plenty of books and courses on the first few items - perhaps working with a more senior mentor could help with the latter, if appropriate.
- Alan Davies

* I was promoted from within the trenches as well. Another thing to look out for that I really had issue with is detaching myself from doing the work. Sometimes I saw that if I did it myself (a specific task) I could get it done quicker because I was pretty much the subject matter expert, but I needed to delegate the tasks and help the individuals doing it (that's where the experience comes in, along with leadership and guidance). This way we created a team of everyone knowing what needed to be done. So do not get trapped into doing things; trust your guys and delegate the work to them.
- Josue Rivas

* One thing I found is that you also need to be very careful because you are being promoted from within the ranks. Your relationships to those you used to work with in the trenches will definitely change as you are now their supervisor. Others may also have been vying for the position, and receiving work directives from you may be difficult to accept. I believe the best way to fight this is to pull everyone together and repeatedly and clearly assert that you are there to fight the battles in the best interest of your unit and each individual with upper management, and not now simply their "boss". Clear their way, free up resources, enable them and provide strategic leadership and guidance.
- Alan Wong

"In times of change, learners inherit the Earth, while the learned find themselves beautifully equipped to deal with a world that no longer exists." Eric Hoffer
Project Management for Security Leaders
The manager will be familiar with the terminology, concepts and five phases of project management.

Project Management for Security Leaders
"Project management is the application of knowledge, skills, tools, and techniques to a broad range of activities in order to meet the requirements of a particular project. Project management is comprised of five Project Management Process Groups - Initiating Processes, Planning Processes, Executing Processes, Monitoring and Controlling Processes, and Closing Processes - as well as nine Knowledge Areas. These nine Knowledge Areas center on management expertise in Project Integration Management, Project Scope Management, Project Time Management, Project Cost Management, Project Quality Management, Project Human Resources Management, Project Communications Management, Project Risk Management and Project Procurement Management." A Guide to the Project Management Body of Knowledge (PMBOK Guide), Third Edition

What is a Project?
* An organized effort to produce a product or service
* Project Management (PM) classically uses 5 stages
  - Initiation (project charter)
  - Planning
  - Execution
  - Monitor, control, conflict resolution, and change management
  - Closing out the project
* PM terms: task, milestone, resource, conflict, deliverable, dependencies (sometimes referred to as the "long pole in the tent")

What is a Project?
The project management approach to the development of information technology products is based on defining the tasks to be completed for a product or service to be delivered. In order to do this, there is a project initiation or project charter phase where you determine the scope and requirements. All but the smallest projects have milestones. A milestone is defined as a deliverable or an event that everyone can see and agree has occurred. The people, tools and processes that are used to implement a certain task are called resources.
Conflict in project management occurs when two different projects need the same resource. The output of all projects should be a deliverable.

PM Terms
- Task: work done by a resource, with a defined start and stop time.
- Milestone: indisputable evidence that you are at a certain point or have accomplished a certain task.
- Resource: the people, tools, and processes that are used to do work.
- Conflict: when two or more projects need the same resource at the same time.
- Deliverable: a creation of the project that is accepted by the customer.
- Long pole in the tent: also known as a dependency; until it is completed the project cannot go forward.

Step 1: Initiation, Project Charter
* Identify roles and responsibilities as well as stakeholders
* Decompose the project into manageable chunks with a preliminary work breakdown structure
* Set high-level project milestones and goals
* List resources and deliverables
* Define project scope and sequence; develop a back-of-the-envelope project plan
* Request approval to proceed to create the complete plan

Step 1: Initiation, Project Charter
Improve the performance of a project with a good start: the project charter and a high-level hierarchical work breakdown structure to identify work that can be done separately. We can reduce the risk of project failure by investing some time in up-front planning before we start. A key to success in project management is to identify all stakeholders and ensure that they clearly understand and support what the project should achieve. Have you ever had a situation where someone brought you a new software program or tool that you didn't ask for, and you were not given a chance to provide input as to what you needed? How did you feel? To avoid such problems many organizations adopt a formal project charter. According to Wikipedia, "In project management, a project charter or project definition is a statement of the scope, objectives and participants in a project.
It provides a preliminary delineation of roles and responsibilities, outlines the project objectives, identifies the main stakeholders, and defines the authority of the project manager. It serves as a reference of authority for the future of the project."[1]

References: All links valid as of May 20, 2011
1 http://en.wikipedia.org/wiki/Project_Charter

Scope
* What work will and will not be accomplished for this project?
* Many projects fail due to "scope creep"
* Clearly define changes to project scope and have the stakeholders approve them
* Large projects may require a scope management plan

Scope
What are the five most expensive words in the English language? "While you are at it." Every manager's ears should perk up when they hear that expression. It always means "scope creep". What is scope? Scope defines what the project will deliver, and wise project managers also specify what it will not deliver. The primary reason projects fail is that the scope of the requirements changes after the project is initiated. This can create a situation where you have insufficient resources to complete the project. There is an art to scope management. Changes in scope to include new work or deliverables affect cost, effort hours and/or duration, which will be modified (usually increased) to reflect the additional work, and the increase may not be linear.

Scope Management Plan
As part of your planning phase you will need to define and manage the scope of your project. There needs to be a clear understanding of what will be accomplished, and of how to manage change in the scope of the project.

Scope Statement
Start with the project charter and expand the details. The result will be a clear understanding of what the project will and will not accomplish; it is important to identify "extra" requirements. Tasks that are not in the project scope can distract team members. A scope statement should include your project justification, product, deliverables, and objectives.
Scope Management Strategy
Documentation is crucial to resolve disputes arising from scope changes. All stakeholders should approve proposed changes to the scope, and the following elements should be included in the change order:
* Document the reason to increase/decrease scope
* Describe the scope change's impact on the project, including the costs of the change; this should also include timeline changes
* Signature of the stakeholders' approval
* If approved, work from the new project plan that includes the scope changes

Step 2: Develop the Plan
* "A plan is so you know what you are deviating from"
* Make sure the plan is within your planning skill level; do not attempt to plan years ahead
* Lists all the stakeholders
* Shows all milestones, tasks and dependencies
* Should be the result of communication and collaboration
* Explains the steps necessary to reach project completion
  - And the path to get there
  - Can be compared to a detailed checklist

Step 2: Develop the Plan
"A plan is so you know what you are deviating from" - Captain Dan Elirick, US Marines, Retired

I like to think of a project plan as something similar to a recipe in a cookbook: it gives me the ingredients I need, and often includes a picture of what the finished product will look like. It gives me the steps in the sequence that I need to follow in order to create the final deliverable. Many times there are intermediate steps along the way, such as creating a sauce to be used later. You can think of these as milestones. Good cooks are always aware of "the long pole in the tent": the task or dependency that controls when they will be able to produce the final product. As a manager, when someone asks you to review a project plan, it is strongly advised that you give it the cookbook test. The project plan should have all the items you'd see in a recipe in a well-written cookbook. Here are some tips for the planning process from Scott Ambler, who uses the Agile approach[1]:
* You can accurately plan in detail only for nearby tasks.
I'm doing just-in-time (JIT) planning.
* The people doing the work must be actively involved in scheduling. They're motivated to get it right, they have the skills to understand the dependencies, and they need to accept the schedule.
* People should choose their work; they shouldn't be assigned it. It is quite common on agile projects for the team to do the planning, not just the manager/coach.
Project planning is so important that we want to get it right.

Discussion: Good cooks also know there is more than one way to do it. If you have been doing PMI for ten years, your blood pressure might be going up just a bit. That's OK. Agile project planning is a team-based approach with lots of collaboration; less control is given to the project planner. Let's look at some other approaches.

Project KickStart, like Ambler above, suggests not being too focused on infinity; they introduce the term "planning horizon". "Create a detailed work plan, including assigning resources and estimating the work as far out as you feel comfortable. This is your planning horizon. Past the planning horizon, lay out the project at a higher level, reflecting the increased level of uncertainty. The planning horizon will move forward as the project progresses. High-level activities that were initially vague need to be defined in more detail as their timeframe gets closer."[2]

Businessballs.com suggests that "Planning for and anticipating the unforeseen, or the possibility that things may not go as expected, is called 'contingency planning'. Contingency planning is vital in any task when results and outcomes cannot be absolutely guaranteed. Often a contingency budget needs to be planned as there are usually costs associated. Contingency planning is about preparing fall-back actions, and making sure that leeway for time, activity and resource exists to rectify or replace first-choice plans.
A simple contingency plan for the fried breakfast would be to plan for the possibility of breaking the yolk of an egg, in which case spare resources (eggs) should be budgeted for and available if needed. Another might be to prepare some hash browns and mushrooms in the event that any of the diners are vegetarian. It may be difficult to anticipate precisely what contingency to plan for in complex long-term projects, in which case simply a contingency budget is provided, to be allocated later when and if required."[3]

Finally, here are some very useful and pragmatic tips from the folks that brought you random acts of kindness[4]: "By staying closely involved with the groups and sharing your enthusiasm and ideas on a regular basis, you can help foster a sense of community among them. Here are some tips for working with groups:
* Simplify your work by communicating with one contact person or leader from each group.
* Have that group leader keep his/her group informed.
* Make reminder calls or send e-mails before deadlines or event dates. Ask them if they have any last-minute questions.
* Set up a group e-mail list for quick and easy communication with group members.
* Have a separate e-mail list for your group leaders so you can send messages just to them when necessary.
* Make a list of all the groups involved and distribute it to each group. This will help the groups network with one another."

Bottom line for computer security managers developing a project plan: keep it simple, communicate often, and consider the idea of collaboration that Agile brings to the table. Take some time to think about the planning horizon: if you are planning more than 90 days out, unless this is a repeatable task like building a house or you have years of experience planning, you are probably fairly wrong. Instead, update often, and consider the Agile idea of just-in-time planning.
Expect problems; try to find the places where things can go wrong. Above all, make sure you have the work breakdown structure clearly in mind: memorize it and keep it up to date.

References: All links valid as of August 28, 2010
1 http://www.ambysoft.com/essays/agileProjectPlanning.html
2 http://www.projectkickstart.com/downloads/tips10-project-management-best-practices.cfm
3 http://www.businessballs.com/project.htm
4 http://www.actsofkindness.org/file_uploads/files/215_pdf.pdf (last visited February 2, 2009)

Scheduling
* Define start time and end time for tasks
* Assign resources to tasks
* Document all task dependencies
* Organize tasks based on dependencies
  - Put tasks in order
  - This step makes many potential conflicts obvious

Scheduling
This is where a project management professional with high-end software can blow your mind. They can track thousands of different tasks, conflicted resources and dependencies, and have the final deliverable come in within a matter of days of expectations, barring scope creep. If you are doing paper-driven, back-of-the-envelope project management, that is fine. Some of the main things to be aware of are: when should each task start, and does the order matter. Order matters when there are dependencies. Dependencies are tasks that cannot begin until another task is completed.

Step 3: Execution
* The project team simply follows the plan:
  - Organize the team, schedule the kickoff meeting and begin on tasks
  - Continually ask for feedback from all team members
* Recognize deviations from the plan
  - Cost, content, time
* React to deviations and return to the plan
* Keep stakeholders in the loop

Step 3: Execution
The plan is critical to stay on top of your project's progress, detect deviations, and identify specific problems with budget, resources, etc. Set specific goals for assessing project status, measure progress often, and use milestones to assess status. Your plan should spell out all resources needed for each task.
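The Scheduling step above (order tasks by dependency, find the long pole in the tent, let the ordering expose resource conflicts) is a small algorithm, so here is an added example in Python that is not from the course or from any project management product. It orders tasks with a dependency-aware topological sort and rejects cycles, computes earliest start and finish for each task, walks back the binding dependencies to find the critical path, and flags any resource assigned to two overlapping tasks (the "conflict" defined under PM Terms). The task names, durations in days, dependencies and resource assignments are constructed sample data for a log-collection rollout, not a real plan.

```python
"""Added example: back-of-the-envelope project scheduler. Tasks are
{name: (duration_days, [dependency names], resource)}. Sample data below
is constructed, not taken from any real project."""
from collections import defaultdict


def topological_order(tasks):
    """Order tasks so every dependency precedes its dependents (Kahn's
    algorithm). Raises ValueError on an unknown dependency or a cycle."""
    indeg = {name: 0 for name in tasks}
    dependents = defaultdict(list)
    for name, (_, deps, _) in tasks.items():
        for dep in deps:
            if dep not in tasks:
                raise ValueError(f"{name!r} depends on unknown task {dep!r}")
            indeg[name] += 1
            dependents[dep].append(name)
    ready = sorted(n for n, k in indeg.items() if k == 0)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for nxt in sorted(dependents[current]):
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(tasks):
        stuck = sorted(set(tasks) - set(order))
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def is_schedulable(tasks):
    """True if the task graph has no cycles or dangling dependencies."""
    try:
        topological_order(tasks)
        return True
    except ValueError:
        return False


def schedule(tasks):
    """Forward pass: a task's earliest start is the latest finish among its
    dependencies. Returns {name: (start_day, finish_day)}."""
    times = {}
    for name in topological_order(tasks):
        duration, deps, _ = tasks[name]
        start = max((times[d][1] for d in deps), default=0)
        times[name] = (start, start + duration)
    return times


def critical_path(tasks):
    """The long pole in the tent: from the last task to finish, walk back
    through the dependency whose finish equals our start. Returns (path, length)."""
    times = schedule(tasks)
    end = max(times, key=lambda n: times[n][1])
    path = [end]
    while tasks[path[-1]][1]:
        start = times[path[-1]][0]
        binding = [d for d in tasks[path[-1]][1] if times[d][1] == start]
        path.append(binding[0])
    path.reverse()
    return path, times[end][1]


def resource_conflicts(tasks):
    """Pairs of tasks on the same resource whose [start, finish) windows
    overlap; these are the conflicts the ordering step is meant to expose."""
    times = schedule(tasks)
    by_resource = defaultdict(list)
    for name, (_, _, res) in tasks.items():
        by_resource[res].append(name)
    conflicts = []
    for res, names in by_resource.items():
        names.sort()
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                (sa, fa), (sb, fb) = times[a], times[b]
                if sa < fb and sb < fa:
                    conflicts.append((res, a, b))
    return sorted(conflicts)


# Constructed sample plan: rolling out central log collection for a SOC.
TASKS = {
    "charter":          (2,  [],                             "pm"),
    "requirements":     (5,  ["charter"],                    "pm"),
    "procure_hardware": (10, ["requirements"],               "procurement"),
    "write_parsers":    (8,  ["requirements"],               "analyst"),
    "train_soc":        (2,  ["requirements"],               "analyst"),
    "install":          (3,  ["procure_hardware"],           "sysadmin"),
    "tune_alerts":      (4,  ["write_parsers", "install"],   "analyst"),
    "go_live":          (1,  ["tune_alerts", "train_soc"],   "pm"),
}

if __name__ == "__main__":
    for name, (start, finish) in schedule(TASKS).items():
        print(f"{name:17s} day {start:2d} -> {finish:2d}  ({TASKS[name][2]})")
    path, length = critical_path(TASKS)
    print("long pole:", " -> ".join(path), f"({length} days)")
    print("conflicts:", resource_conflicts(TASKS))
```

Two things the output shows that the slide does not: the analyst's parser work is not on the critical path, so it can slip a week without moving go-live, while one day of delay in hardware procurement moves go-live by a day; and the analyst is double-booked on day 7 (parsers and SOC training), which is visible only after the tasks are put in dependency order, exactly as the slide claims.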
People (and other resources) are rarely available 100% of the time. Illness and competing priorities can affect availability for your project. Non-personnel resources can also be unavailable when needed, so you must know your critical resources and how availability issues will affect your plan. Ask for evidence of completion for each task and milestone in status reports. You should have set this expectation when you assembled your team. You should never surprise stakeholders, so keep them up to date on both good and bad information.

Step 4: Monitoring, Controlling, Conflict Resolution, Change Management

* Expect conflicts both with availability of resources and among members of the project team
* Conflicts can highlight organizational problems
* Carefully scrutinize scope changes and leverage the CCB (change control board)
* The biggest cause of failure after scope creep is lack of support from management
* Other "Warning Signs" of project failure are described in the notes

Step 4: Monitoring, Controlling, Conflict Resolution, Change Management

The fourth step in project management is often called controlling. It means dealing with any changes to the plan. Two of the most common changes are conflicts for resources and managing schedule change so that the project continues in an orderly, process-driven fashion. Conflicts are an inevitable part of a project and should be expected and prepared for. Focus on conflict causes, not the symptoms, and avoid entertaining extraneous issues. When dealing with project conflicts, reject any personal attacks and encourage positive or neutral statements of issues. Encourage all parties to consider alternatives and seek compromise. Consider the merits of all solutions, and pay attention to team communication to find out how things are really going. Try to resolve problems before they blossom into large issues.
Your conflict resolution methods must be consistent with the sponsor's policies, and stakeholders should approve conflict resolution plans.

Resist Unnecessary Plan Changes

This is another place where you have to operate out of the "Can Do" quadrant if you want to be successful. For some reason, people delight in changing plans. A successful project manager takes the time to ensure that changes to the plan make sense and do not put the project at unneeded risk. Keep in mind that scope creep is one of the primary reasons projects fail. Your organization's change control board is not your enemy; they are your friend. It is true that you'll have to work with them to get any IT changes implemented; however, thereafter they will be watching your back and preventing unauthorized changes.

Early Warning Signs of Project Failure

The article "Early Warning Signs of IT Project Failure: The Dominant Dozen" (Leon A. Kappelman, Robert McKeeman, and Lixuan Zhang) asserts that you can identify project failure early in the cycle and suggests the following are the twelve dominant "Early Warning Signs" of project failure. This is almost common sense, but reading the list can help reinforce the fundamentals of project management.

Dominant Dozen Early Warning Signs

PEOPLE-RELATED RISKS
+ Lack of top management support
+ Weak project manager
+ No stakeholder involvement and/or participation
+ Weak commitment of project team
+ Team members lack requisite knowledge and/or skills
+ Subject matter experts are overscheduled

PROCESS-RELATED RISKS
+ Lack of documented requirements and/or success criteria
+ No change control process (change management)
+ Ineffective schedule planning and/or management
+ Communication breakdown among stakeholders
+ Resources assigned to a higher priority project
+ No business case for the project

"Early Warning Signs of IT Project Failure: The Dominant Dozen", Leon A.
Kappelman, Robert McKeeman, and Lixuan Zhang, http://www.ism-journal.com/ITToday/projectfailure.pdf

Step 5: Closing Out the Project

* Major tasks should terminate with formal closure reports
  - Communication plan spells out which tasks are considered major
  - Reports are normally generated at milestones
  - Client acceptance of product
* Minor tasks only need informal closure reports
  - Again, the communication plan should describe the reports required for each milestone

Step 5: Closing Out the Project

You know what they say: "The job's not finished until the paperwork is done." You should prepare a report that summarizes all the work that has been completed. According to the State of Kansas, "The key elements to project close-out are:
+ Accepting the project's products indicated by user sign-off
+ Completing the Post Implementation Evaluation Report (PIER)
+ Disbursing the resources: staff, facilities, and automated systems
+ Conducting a lessons learned session
+ Completing and archiving project records
+ Recognizing outstanding achievement
+ Celebrating project completion"[1]

The Bottom Line

Never forget to praise all those who have been crucial to the project. Submit a final budget so that all stakeholders can understand the actual expenses of the project, and, finally, show changes in scope and their impact upon cost and schedule.

References: All links valid as of August 28, 2010.
1 http://www.da.ks.gov/kito/Rel23/6closeou.doc

Management Application of PMO

* Consider adding an experienced project manager to your team or, better, get a PMI certification
* There is a balance between spending too much time in the weeds with PM software and no time planning. Try the SANS PAAG.
* Micromanaging should be avoided; however, that which gets audited gets done. Every time you give direction, make a calendar entry to check on it.
Management Application of PMO

There's nothing magic about project management; it simply means somebody is awake at the switch while the project is executing, watching for trouble (cost overruns, schedule delays), and acting quickly enough that the impact is minimized. The IT shop should have a small Project Management Office (PMO), or at least one certified program manager (PMI), to hold people accountable for their tasks and activities in projects. Or perhaps you should pursue a project management certificate to advance your own effectiveness. Project management software can consume a lot of time, but you need some form of organizational system; at least consider the PAG. Part of the art of management is the balance between micromanagement and passive ("no one is home") management. When you assign an action item, make sure to have a due date, and set a calendar reminder somewhere between halfway and three quarters of the way to the due date in order to check on the progress.

Module 2: The Network Infrastructure

This page intentionally left blank.

The Network Infrastructure

The manager will understand and be able to communicate the fundamental technologies and concepts that describe LAN and WAN network infrastructure.

The Network Infrastructure

This page intentionally left blank.

OSI vs. TCP/IP

[Slide figure: the OSI stack beside the TCP/IP stack - Application; Transport (TCP); Internet Protocol (IP); Link & Physical network]

OSI vs. TCP/IP

The standard reference model for protocol stacks is the International Standards Organization's (ISO) Open Systems Interconnection (OSI) model of seven layers:
+ The Physical Layer handles transmission across the physical media. This includes such things as electrical pulses on wires, connection specifications between the interface hardware and the network cable, and voltage regulation.
+ The Data Link Layer device driver connects the logical part (e.g. packets, data streams, and drivers) to the physical part of the network (e.g.
cables, electrical signals, and devices).
+ The Network Layer handles interaction with the network address scheme and connectivity over multiple network segments. It describes how systems on different network segments find and communicate with each other.
+ The Transport Layer actually interacts with your information and prepares it to be transmitted across the network. It is this layer that ensures reliable connectivity from end to end. The Transport Layer also performs flow control, sequencing the packets in a transmission.
+ The Session Layer handles the establishment and maintenance of connections between systems. It negotiates the connection, sets it up, maintains it, and makes sure that information exchanged across the connection is in sync on both sides.
+ The Presentation Layer makes sure that the data sent from one side of the connection is received in a format that is useful to the other side. For example, if the sender compresses the data prior to transmission, the Presentation Layer on the receiving end would have to decompress it before the receiver could use it.
+ The Application Layer interacts with the application to determine which network services will be required. When a program requires access to the network, the Application Layer will manage requests from the program to the other layers down the stack.
Network Components

* Hubs supply the same traffic to all ports and can be thought of as physical layer 1 devices
* Both hubs and taps allow network monitoring
* Bridges separate traffic based on MAC address; they are layer 2 devices
* Switches operate at the Data Link layer (layer 2) and only send traffic addressed to a port
* Routers separate traffic at layer 3; there are layer 3 switches that bring layer 2 speed to layer 3 decisions
* Layer 4 switches use the application data, usually from the source and destination port fields in the transport (layer 4) header, as well as layers 3 and 2
* Attacks against switches: flooding the CAM table

Network Components

Hubs are one of the simplest devices you will find on a network. To build a basic LAN, simply connect the network interface cards (NICs) of your systems to ports on the hub via straight-through cables and, voila, you are networked! Hubs work at the physical layer (layer 1) of the OSI model. The device is thus a form of multiport repeater. Ethernet hubs are also responsible for forwarding a jam signal to all ports if they detect a collision. As a result, a data frame transmitted by one system is retransmitted to all other systems connected to the hub. A classic hub does not have traffic monitoring capabilities and cannot control which ports should or should not receive the frame, forming a large collision domain. This property of a hub has significant security implications, since a system connected to the hub may be able to intercept a data frame destined for someone else.

Bridges are used to connect two physical segments of a network and minimize the traffic in a collision domain. Bridges learn which addresses are on one side or the other of the bridge and only forward traffic to a segment if the destination address of a packet is on that segment.

Switches: A switch typically does not replicate frames to all ports, making it resistant to sniffing attacks.
At a high level we can say a network switch combines the functionality of a hub and a bridge into a single device. A switch consults its CAM table and only directs a data frame to the system or network segment for which it is destined, narrowing each port to its own collision domain. In their simplest mode switches are layer two devices; however, modern switches can operate at layer three like a router, or even at the transport or application layer.

Routers interconnect logical networks. Much of the Internet relies on routers for determining what paths packets should take to get from one network to another. Like a switch or a bridge, a router makes decisions about where to direct data that passes through it. However, while a switch makes its decisions by tracking MAC addresses, a router operates one layer higher by looking at IP addresses when forwarding packets. Routers are very flexible devices and can handle and translate a variety of protocols. In this section, however, our main focus is on routers that process IP traffic that originates from or is destined to an Ethernet-based network.

MAC flooding attacks exploit the switch bridging or CAM table. We also learn about the capacity of the bridging table. "Switches have a finite amount of memory. This varies from switch to switch, but essentially all switches have a limit to the maximum number of MAC addresses they can record in their CAM tables. By generating a large number of MAC addresses and force-feeding them to the switch, the table will be filled. Older switches will then fail back to a Layer-1 mode." [1] By layer 1, we mean acting like media (Ethernet cable). If we are told a switch's layer 2 table can store up to 64,000 entries, that is the total for the entire switch. So one malicious user in one VLAN could use software to fill the bridging table and impact the other VLANs. If you can fill the bridging table, the switch will have to "flood" all traffic.
This means that an attacker with a sniffer in VLAN 2 could then see all activity from VLAN 4 (or any other VLAN). There is an attack tool called macof[2] that makes filling the table easy to do.

Dynamic Host Configuration Protocol

DHCP is what your desktop or laptop uses to get its IP address and MAC address. DHCP scope exhaustion is the state where a malicious client acquires all of the available IP addresses. Tools like Yersinia and also The Gobbler make this easy.

Spanning Tree Protocol

STP "creates a spanning tree within a mesh network of connected layer-2 bridges (typically Ethernet switches), and disables the links which are not part of that tree, leaving a single active path between any two network nodes. Multiple active paths between network nodes cause a bridge loop. Bridge loops create several problems. First, the MAC address table (also known as 'switch forwarding table') used by the switch or bridge can fail, since the same MAC addresses (and hence the same network hosts) are seen on multiple ports. Second, a broadcast storm occurs. This is caused by broadcast packets being forwarded in an endless loop between switches. A broadcast storm can consume all available CPU resources and bandwidth."[3] A vulnerable point for STP is to attack the Bridge Protocol Data Units (BPDU). STP uses path cost to build a tree without loops (loops would mess up communication, as frames would go round in circles). An attack tool called Yersinia can read and write BPDUs and can be used for a number of attacks against a network using STP. Other potential attacks against layer 2 switches include ARP, IPv6 discovery, Power over Ethernet, HSRP, more esoteric protocols, and Denial of Service.

Network Monitoring with Hubs and Taps

Since frames are not forwarded to every port, monitoring is more challenging in a switched environment. Mirrored, or SPAN, ports on switches are active network monitoring points.
We say active because the CAM table on the switch manages, and possibly modifies, packet duplication across multiple switch ports.
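As an added defender's example (not part of the course text), the following Python script reads a constructed MAC address table listing in a generic "show mac address-table" layout, flags access ports that have learned an implausible number of addresses (the symptom of the CAM flooding described above), and reports utilization against the switch-wide capacity figure the notes quote. The port names, the per-port threshold, and the table layout are assumptions; adapt the parser to your own switch's output.

```python
import re
from collections import Counter

# Capacity figure quoted in the notes; it applies to the whole switch,
# not per VLAN, which is why one VLAN's flood can starve the others.
CAM_CAPACITY = 64000

# Constructed sample (assumed generic layout, real output differs per
# vendor). Port Gi1/0/7 in VLAN 2 has learned 2000 addresses, far more
# than a single host on an access port would ever present.
SAMPLE_TABLE = (
    "Vlan    Mac Address       Type      Ports\n"
    "----    -----------       -------   -----\n"
    "   2    0011.2233.4455    DYNAMIC   Gi1/0/1\n"
    "   2    0011.2233.4456    DYNAMIC   Gi1/0/2\n"
    "   4    0011.2233.5566    DYNAMIC   Gi1/0/3\n"
    "   4    0011.2233.5567    DYNAMIC   Gi1/0/24\n"
) + "\n".join(
    f"   2    {i:04x}.{(i * 7) & 0xFFFF:04x}.{(i * 13) & 0xFFFF:04x}"
    f"    DYNAMIC   Gi1/0/7"
    for i in range(1, 2001)
)

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})\s+(\w+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return (vlan, mac, port) tuples; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(4)))
    return rows

def macs_per_port(rows):
    """How many addresses the switch has learned behind each port."""
    return Counter(port for _, _, port in rows)

def flag_flooded_ports(rows, max_per_access_port=8, uplinks=frozenset()):
    """Ports (uplinks excluded) holding more MACs than an access port should."""
    return {p: n for p, n in macs_per_port(rows).items()
            if p not in uplinks and n > max_per_access_port}

def cam_utilization(rows, capacity=CAM_CAPACITY):
    """Fraction of the switch-wide table in use, plus each VLAN's share of it."""
    per_vlan = Counter(vlan for vlan, _, _ in rows)
    return len(rows) / capacity, {v: n / len(rows) for v, n in per_vlan.items()}

if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_TABLE)
    print("flooded ports:", flag_flooded_ports(rows, uplinks={"Gi1/0/24"}))
    print("table utilization: %.3f" % cam_utilization(rows)[0])
```

On a real switch the same check is what port security (a per-port MAC limit) enforces in hardware; running it over periodic table dumps gives a detection signal even where port security is not enabled.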
