
Proposal for Security Risk Assessment

Presented to

Client
July 22, 2011

CONFIDENTIAL

The enclosed material is proprietary to COMPANY, Inc. and is copyrighted. This document may not be disclosed in any manner to anyone other than the addressee and the employees or representatives of the addressed firm who are directly responsible for evaluation of its contents. This document may not be used in any manner other than for the purpose it was distributed. Any unauthorized use, reproduction or transmission in any form is strictly prohibited. Copyright 2011 COMPANY, Inc.

1 Document Properties
1.1 Purpose
The purpose of this Statement of Work (SOW) is to provide an initial, detailed definition of the proposed project. The SOW acts as a vehicle to ensure that the Professional Services team clearly understands the project requirements and that Customer requirements and expectations will ultimately be met. The SOW is a dynamic document that may be updated throughout the project as the project progresses and changes.

1.2 Ownership
The enclosed material is proprietary and is copyrighted. This document may not be disclosed in any manner to anyone other than the addressee and the employees or representatives of the addressed firm who are directly responsible for the evaluation of its contents. This document may not be used in any manner other than for the purpose it was distributed. Any unauthorized use, reproduction or transmission in any form is strictly prohibited.

1.3 Addressee(s)
Security Risk Assessment Services will be provided to:

Company Name: Client, Inc.
Company Address:
Main Contact:
Telephone:
Mobile:
Email Address:

1.4 Revision History

Date          Version   Author
22 July 2011  1.0       John Doe

2 Executive Summary
Client, Inc. ("Client") has requested COMPANY to provide this proposal for security consulting services, specifically a Security Risk Assessment for the Client servers hosting Noble System applications.

2.1 Overview
Security Risk Assessment can be defined as a process of evaluating the security risks related to the use of information technology. It can be used as a baseline for showing the amount of change since the last assessment, and how many more changes are required in order to meet the security requirements. The assessment process of a system includes the identification and analysis of:

- all assets of, and processes related to, the system
- threats that could affect the confidentiality, integrity or availability of the system
- system vulnerabilities to those threats
- potential impacts and risks from the threat activity
- protection requirements to control the risks
- selection of appropriate security measures and analysis of the risk relationships

To obtain useful and more accurate analysis results, a complete inventory list and the security requirements for the system shall be made available as inputs to the identification and analysis activities. Interviews with relevant parties such as administrators, computer / network operators, or users can also provide additional information for the analysis. The analysis may also involve the use of automated security assessment tools depending on the assessment scope, requirements and methodology. After evaluation of all collected information, a list of observed risk findings will be reported. For each of the observed risks, appropriate security measures will be determined, implemented and deployed.

2.2 Security Risk Assessment Steps

Figure 1. General Security Risk Assessment Steps

Planning
Before a security risk assessment can start, planning is required for proper preparation, monitoring and control. Listed below are several major items that should be defined first.

- Project Scope and Objectives
- Background Information
- Constraints
- Roles & Responsibilities of Different Involved Parties

Information Gathering
The objective is to understand the existing system and environment and to identify the risks through analysis of the information / data collected. By default, all relevant information should be collected irrespective of storage format. Listed below are several kinds of information that are often collected.

- Security requirements and objectives
- System or network architecture and infrastructure, such as a network diagram showing how the assets are configured and interconnected
- Information available to the public or found on web pages
- Physical assets such as hardware equipment
- Systems such as operating systems and network management systems
- Contents such as databases and files
- Application and server information
- Network information such as supported protocols and network services offered
- Access controls
- Processes such as business processes, computer operation processes, network operation processes, application operation processes, etc.
- Identification and authentication mechanisms
- Government laws and regulations pertaining to minimum security control requirements
- Documented or informal policies and guidelines

Risk Analysis
Risk Analysis helps to determine the value of the assets and their associated risks. In general, this process can be divided into the following sub-processes:

- Asset Identification & Valuation
- Threat Analysis
- Vulnerability Analysis
- Asset/Threat/Vulnerability Mapping
- Impact & Likelihood Assessment
- Risk Results Analysis

Identifying & Selecting Safeguards

After reviewing the results of the security risk assessment, safeguards may be identified and evaluated for their effectiveness. The security assessment team will recommend possible safeguards to reduce the likelihood and impact of the identified threats and vulnerabilities to an acceptable level.
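As an added illustration that is not part of the proposal, the following Python sketches the Risk Analysis sub-processes and the safeguard selection step described above: each finding maps an asset valuation, threat and vulnerability to a likelihood and impact, findings are ranked by inherent risk, and matching safeguards are applied until the residual risk reaches an acceptable level or the finding is flagged for a management decision. The 1..3 ordinal scales, the acceptable level of 6 and every register entry are constructed assumptions for this example.

```python
from dataclasses import dataclass
# Scales (1 = low, 3 = high) and the acceptable level are assumptions for this example.
@dataclass(frozen=True)
class Finding:
    asset: str
    asset_value: int    # Asset Identification & Valuation
    threat: str         # Threat Analysis
    vulnerability: str  # Vulnerability Analysis
    likelihood: int     # Impact & Likelihood Assessment
    impact: int

@dataclass(frozen=True)
class Safeguard:
    name: str
    mitigates: str  # vulnerability this safeguard addresses
    reduces: str    # "likelihood" or "impact"
    by: int

def risk_score(value, likelihood, impact):
    """Risk Results Analysis: asset value x likelihood x impact (1..27)."""
    return value * likelihood * impact
def select_safeguards(findings, safeguards, acceptable=6):
    """Treat the highest inherent risk first; apply matching safeguards until the
    residual risk is acceptable, else flag the finding for a management decision."""
    plan = []
    for f in sorted(findings, key=lambda f: risk_score(f.asset_value, f.likelihood, f.impact), reverse=True):
        lik, imp, chosen = f.likelihood, f.impact, []
        for s in safeguards:
            if risk_score(f.asset_value, lik, imp) <= acceptable:
                break  # already at an acceptable level; no further controls needed
            if s.mitigates != f.vulnerability:
                continue
            if s.reduces == "likelihood":
                lik = max(1, lik - s.by)
            else:
                imp = max(1, imp - s.by)
            chosen.append(s.name)
        residual = risk_score(f.asset_value, lik, imp)
        plan.append({"asset": f.asset, "threat": f.threat, "safeguards": chosen,
                     "inherent": risk_score(f.asset_value, f.likelihood, f.impact),
                     "residual": residual, "accepted": residual <= acceptable})
    return plan

# Constructed sample register: one application server and one workstation.
FINDINGS = [Finding("app-server", 3, "remote compromise", "unpatched OS", 3, 3),
            Finding("app-server", 3, "unauthorised access", "shared admin account", 2, 3),
            Finding("workstation", 1, "malware", "no endpoint protection", 2, 2)]
SAFEGUARDS = [Safeguard("patch management", "unpatched OS", "likelihood", 2),
              Safeguard("network segmentation", "unpatched OS", "impact", 1),
              Safeguard("individual admin accounts with MFA", "shared admin account", "likelihood", 1)]
```

Running `select_safeguards(FINDINGS, SAFEGUARDS)` shows the second finding remaining above the acceptable level after its only matching safeguard, which is exactly the case the proposal leaves to management acceptance or additional controls.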

Monitoring & Implementation

Risk assessment results should be properly documented. This enables the security risk assessment process to be audited and facilitates on-going monitoring and review. Re-assessment should be conducted whenever necessary; it is essential to keep track of the changing environment and the changing priority of the identified risks and their impact. A security audit is one way to review the implementation of security measures. The roles and responsibilities of related personnel such as operators, system developers, network administrators, information owners, security officers and users should be clearly defined, reviewed and assigned to support safeguard selection and implementation. Management should commit resources and provide support for monitoring and controlling the implementation.

3 Project Plan
3.1 Project Timeframe Summary

Project Phase                        Estimated Duration (Days)
Phase 1: Security Risk Assessment
  Planning                           2
  Information Gathering              2
  Risk Analysis                      5
  Selecting Controls                 2
  Implementation Testing             10
  Migration and Acceptance
TOTAL                                21

4 Conclusion
COMPANY, Inc. would like to take this opportunity to thank Client for allowing the COMPANY Professional Services team to provide security risk assessment services. We feel that the commitment between both Client management and COMPANY will create dynamic teams and enable us to accomplish the goals discussed in this proposal for the benefit of Client. COMPANY Professional Services is prepared to provide industry security and technology experience and to continue the business relationship with Client.

4.1 Acceptance of Scope

Client Resources & Consultancy, Inc.

SIGNED: _________________________________ DATE: __________________

NAME / TITLE: __________________________ / ____________________________

COMPANY, Inc.

SIGNED: _________________________________ DATE: __________________

NAME / TITLE: John Doe / Director of Professional Services
