Within the previous step, the SoW report conveyed a brief overview of the organization’s critical aspects and a list of the organization’s security needs. Now, you are ready to develop a comprehensive work breakdown structure (WBS).
This breakdown provides more detail, so you will need to devise examples of procedures you might recommend to your organization. Some examples include a penetration test, baseline analysis, or system logging. Note the tools and techniques to use in conducting a vulnerability assessment to be used later in the project.
Using a spreadsheet, create the comprehensive work breakdown structure, including key elements that must be tested and analyzed. Organize the spreadsheet using the elements identified in the SoW from the previous steps and the following:
- internal threats: personnel, policies, procedures
- external threats: systems, connectivity, databases
- existing security measures: software, hardware, telecommunications, cloud resources
- compliance requirements: legal aspects (federal, state, and local), contractual demands up and down the supply chain
Note the security threats and vulnerabilities. This plan will serve as the second section of the final vulnerability assessment report.