Project Initiation Charter

Wireless Security
Green Team: Lewis N, Rob F, Richard L, Stephen L, Dave C
Tatiana Outkina.
10/23/2009
Contents
Introduction
0.1 Purpose
1.0 Definition
1.1 Summary
1.2 Project stakeholders
1.3 In scope
1.4 Out of scope
1.5 Pre-requisites
1.6 Assumptions
2.0 Project Deliverables
2.1 Management Deliverables
  Define Phase
  Requirements Phase
  Design Phase
  Configure Phase
  Verify Phase
2.2 Acceptance Criteria
3.0 Project Team
4.0 Milestones
4.1 Design
4.2 Implementation
4.3 Testing
4.4 Deployment
5.0 Project Cost
6.0 Quality Control
7. Risk Management Plan
7.1 Approach
7.2 Risk Log
8 Project Controls
8.1 Monitoring Progress and Reporting
8.2 End Stage Reviews
8.3 Exception Conditions
8.4 Actions
8.5 Time Recording
8.6 Issue Management
8.7 Change Control
8.8 Project Closure
9. Communication Plan
10 Configuration Management Plan
10.1 Document Repository
10.2 Document Control
10.3 Document Standards
Introduction
0.1 Purpose
This document is the Project Charter document for the Wireless Security Project
implementation.
The purpose of this document is to define the following aspects of the project:
• The scope of the project in terms of the businesses and users to be covered
• The objectives of the project
• The deliverables which will be produced by the project and the quality criteria which will support these deliverables
• The roles and responsibilities of project staff
• The reporting structure for the project, including the management structure which will be established
• The project governance processes which will be followed
• The outline time-scale and plan against which the project will be measured and managed
[Figure: Defined Scope, Proper Resources, Time, Secure Infrastructure, Project Management]
1.0 Definition
1.1 Summary
Problem outline
The company has a wireless network in place for internal use. We also have business guests and contractors who use our wireless network to check e-mail and log into the company’s network for various purposes. As we have never had a formal security model and policy for our wireless security, we do not know our level of exposure and we have little or no security measures in place.
Expected Outcome
We will assess all the risks our wireless networks are exposed to. We will design and implement adequate security measures on all 802.11 and 802.1x networks and devices in the company. Moreover, we will create new operating procedures and acceptable use policies, and provide training to project stakeholders to support this higher level of wireless security.
1.2 Project stakeholders
• Financial sponsors
  o Provide the necessary funding for the project
• Legal Department
  o Provide legal guidelines on compliance with local laws and regulations regarding wireless networking
  o Provide legal guidelines on local privacy laws
• Information Security Office
  o Conduct the risk assessment
  o Devise an acceptable security model for the wireless network
  o Evaluate and select the security products (hardware/software) necessary for the project
  o New wireless network security testing and sign-off
• Information Technology Department
  o Implementation and testing of the new wireless network system
  o Prepare training for users; devise the roll-out plans
• All employees
  o Accommodate their business operations to the new environment
  o Must be compliant with the acceptable use policy
• Contractors and business guests
  o Must agree to and comply with the new acceptable use policy
1.3 In scope
The following high-level activities, user types, systems and processes are understood to be within the scope of this project. The following in-scope elements will be delivered:
• Project management
• Conduct risk assessment on the company’s current 802.11/802.1X networks and devices
• Design appropriate security model and policy to secure the wireless networks, without being in conflict with the company’s business model
• Coordinate with the legal department to ensure compliance with local laws and regulations
• Installation and configuration of the existing hardware and new hardware concerning wireless security
• Perform system testing
• Prepare operational and configuration documentation
• Prepare new IT and user acceptance policy
• Prepare tutorial for IT department and users on the new wireless security system
• Devise communication plans to provide advance notification of the implementation of the new wireless network design to all stakeholders
1.4 Out of scope
The following activities are considered out of scope for this project:
• Wireless devices that are not running 802.11 or 802.1X, for example any Bluetooth devices, wireless input devices, RFID, BlackBerry servers, wireless intercoms, etc.
• General network security such as security for servers, traffic encryption on the wired network, etc.
• Upgrading current wireless technology in use
• Improving the performance of the current wireless network
• Providing a long-term technical support plan for the new wireless security systems
• Maintenance and updating of the wireless security systems
1.5 Pre-requisites
The following must be in place before the project can commence:
• Detailed and signed statement of work (SOW)
• Agreed-upon acceptable outcome of the project
• Agreed-upon project milestones and deliverables
• Agreed-upon acceptable level of impact on business operations
• Assigned work area and workstations for the project team
• Assigned financial resources for the project
• Legal guidelines are provided by the Legal department on the local laws and regulations concerning the project
• All stakeholders, from management to all employees, are notified about the project and the inconsistencies it might bring to business operations
1.6 Assumptions
The following assumptions are made:
• Project initiation has been approved by the management
• Project funding has been approved by the finance department
• Teams have been assembled and resources are allocated for risk assessment
• Security standards have been agreed upon
• Legal guidelines for the project have been provided
• Financial resources are already allocated
• Full upper management support
• The acceptance period of critical path deliverables will be incorporated into the project plan
[Figure: Compliance, Approval, Resources, Project]
2.0 Project Deliverables
This section is a high level view of the overall project. Each Deliverable is listed, together with a Work
Breakdown Structure (WBS) reference and a statement as to whether formal acceptance is required
for that Deliverable. If a payment milestone has been agreed, against acceptance of a Deliverable,
then that is also shown.
The Deliverables for each project phase are described in detail below:
2.1 Management Deliverables
Define Phase
The project team shall deliver the following items as a result of the activities for this Phase. Completion of these deliverables constitutes completion of this Phase. Deliverables shall be accepted according to mutually agreed acceptance criteria.
• Document: Project Initiation Document that defines the scope and objectives of the project. It includes an outline of the timescale and plan and is used as a baseline for change control.
• Document: Deliverable Acceptance Form that lists completed activities within the Define Phase.
Requirements Phase
The project team shall deliver the following items as a result of the activities for this Phase. Completion of these deliverables constitutes completion of this Phase. Deliverables shall be accepted according to mutually agreed acceptance criteria.
• Event: Risk assessment. Risk assessment is conducted on the company’s wireless networks.
• Document: Requirements Definition. This document includes all requirements for the project, such as the result of the risk assessment, the acceptable level of wireless security, and the set limitation of the impact on business operations.
• Document: Network Architecture Specification. This document identifies the best-fit architectural solution concept, including descriptions of hardware, software, and network components.
• Document: Project Plan. This document, which provides detailed tasks, milestones and schedule for this SOW, is made the baseline for the project. Changes to this Project Plan after it is accepted shall follow the Change Control process described hereinafter.
• Document: Deliverable Acceptance Form that lists completed activities.
Design Phase
The project team shall deliver the following items as a result of the activities for this Phase. Completion of these deliverables constitutes completion of this Phase. Deliverables shall be accepted according to mutually agreed acceptance criteria.
• Document: Design & Implementation Specifications that fully describe the design of the security model and the specification for the implementation of the new hardware/software security measures. This technical document contains sufficient detail to rebuild the current wireless network security.
• Document: Revised Project Plan. This document, which was created during the Requirements activity, is updated to reflect any changes to the scope found in Design. Changes to this Project Plan after it is accepted shall follow the Change Control process described hereinafter.
• Document: Deliverable Acceptance Form that lists completed activities.
Configure Phase
The project team shall deliver the following items as a result of the activities for this Phase. Completion of these deliverables constitutes completion of this Phase. Deliverables shall be accepted according to mutually agreed acceptance criteria.
All deliverables in this activity shall be completed in the development and test environments only.
• Installation: Install new hardware and software for the new wireless security measures on the development and test environments.
• Configuration: Configure all hardware and software on the wireless network to comply with the new wireless security specifications.
• Guidance: Prepare necessary documentation for the IT department.
• Document: Deliverable Acceptance Form that lists completed activities.
Verify Phase
The project team shall deliver the following items as a result of the activities for this Phase. Completion of these deliverables constitutes completion of this Phase. Deliverables shall be accepted according to mutually agreed acceptance criteria.
• Event: The wireless networks are tested to ensure they meet all specifications as described in the Requirements Definition and Design & Implementation Specifications.
• Guidance: Documentation for the IT department, including but not limited to the new wireless IT security policy, and new specifications and configurations of hardware and software in the wireless network.
• Configuration: Resolution for Acceptance Test problems in the implementation and configuration.
• Guidance: Advice on Deployment Plan.
• Document: Deliverable Acceptance Form that lists completed activities.
2.2 Acceptance Criteria
• All project deliverables must be approved by the project manager
• User Acceptance Tests are successfully completed
• Penetration test results rate the network as secure against approximately 80% of commonly known attacks (100% being military-grade security)
• Project is at or under the allotted project budget
• Project has not exceeded the allotted time period for its implementation
• Stakeholders and sponsors are pleased with the final deliverable of the project
• Wireless security protocol has been implemented and tested
• Two-factor authentication method has been implemented and tested
[Figure: Appropriate Resources, Well Managed Team, Project Success]
3.0 Project Team
The following outlines the implementation team roles and responsibilities.
3.1 Project Manager
• Responsible for change control processes
• Set up milestones
• Oversee the success of the project
3.2 Information Security Officer / Technical Leader
• Conduct risk assessment
• Security policy model
• Lead test team
3.3 System Administrator
• Review and update policies
• Work with Information Security Officer
• Purchase software
• Purchase hardware
3.4 Testers / Trainers
• Conduct tests on the network for security issues
• Aid in the risk assessment
• Train users and IT departments on new policies and the new network model
[Figure: Project Manager, CISO/TI, System Admin.]
4.0 Milestones
Each milestone will be bolded and will mark a time at which the development team and the project team must hold a quick meeting to verify the contents and contributions of each member of the team, and for the project manager to gauge the overall progress being made.
4.1 Design
• Preliminary analysis of Risk on company’s 802.11/802.11x networks and nodes.
• Co-ordinate with legal departments to draft acceptable company standards for new product
• Determine boundaries of company systems
• Establish Workshops and company training programs for remediation of security principles
• Compare requirements to vendor software.
• Design on Vendor application suite to use for company-wide use.
• Decision to define and adjust timeline, scope and funds required to deploy web encryption over existing applications
• Team must plan maintenance window during a non-work period, to avoid interference with day-to-day operations.
4.2 Implementation
• Acquire Wireless Security apparatus.
• Acquire third-party wireless security products
• Program and design basic wireless controls.
• Deploy new wireless security software to a test network
• Team must configure and update servers to operate in accordance with new software
• Rule out dependencies and compatibility issues.
• Deploy and configure to gateways and test servers, synchronize gateway whitelists with input from employee interfaces to ensure autonomous departments have full access to needed resources
4.3 Testing
• Team must use multiple platforms and approaches to determine the possibility to breach the web filter
• Team must review company policies and ensure that new software is in compliance
• Team must review state/regulatory/federal laws and ensure that new software is in compliance
• Team must ensure new software is not resource-intensive
• Team must ensure that new software is compatible with all operating systems employed in the current network as well as server hardware as it is currently being run.
• Operational analysis testing for all current 802.11/802.11x systems
• System benchmark comparisons before and after to determine the impact on network bandwidth and performance
• System benchmark comparison before and after to determine increase or decrease in rate of collisions or mishandling of packets
• Form debugging and issues log for error tracking databases.
4.4 Deployment
• Draft new policies regarding secure communications over intra-corporate systems
• Send mass-workmail to inform all users of the system of a future work maintenance window.
• Create backups of the old image; verify the operation of the old images
• Roll out updated images to users and servers
• Check for complete compatibility and troubleshoot where necessary
• Sign off project over to DAA and inform Chief Information Officer as well as applicable stakeholders of new changes
• Lift maintenance window, return to full usability.
4.5 Work Break Down Structure
Task
Time Allotted
Slack Allotted
Persons Responsible
Preliminary analysis of Risk
7 Days
3 Days
Entire Team
Determine Scope and
Boundaries
Vendor Comparison
1 Day
0 Days
Lewis N.
1 Day
0 Days
Entire Team
Redefine Scope As needed
1 Day
0 days
Rob F.
Acquire Resource
Design Controls
Dependencies Control
2 Days
2 Days
1 Days
1 Days
1 Days
0 Days
Richard L.
Lewis Ng.
Dave
Deploy To Test
Testing Phases
Form Debugging and
Tracking
New Policies Draft
Inform Stakeholders, Create
backups
3 Days
12 Days
1 Days
2 Days
4 Days
2 Days
Stephen Lepage
Entire Team
Richard L.
1 Day
2 Days
0 Days
0 Days
Rob F.
Rob F.
Rollout Images To Users
1 Days
0 Days
Lewis Ng.
Backup and Verify
Signoff
2 Days
1 Day
1 Day
0 Day
Lift Maintenance Window
Richard L.
Entire Team
[Figure: work breakdown structure]
Design: Analysis of Risk; Determine Project Scope
Implementation: Acquire Resources; Allocate Resources; Deploy to Test Network
Testing: Functionality; Compliance
Deployment: New Policies and Procedures; Signoff to Maintenance, DAA
Full Realization: Return to Normal Operation
5.0 Project Cost
The following outlines the costs and a cost benefit analysis for the entire project.
5.1 Risk Assessment Cost
Item                                        Units  Cost       Extended Cost
Laptop                                      1      $900.00    $900.00
WinSniffer                                  1      $45.00     $45.00
L0phtCrack 6 Consulting                     1      $1,195.00  $1,195.00
AirMagnet WiFi Analyzer Pro                 1      $3,000.00  $3,000.00
AirMagnet 802.11 a/b/g/n Wireless PC card   1      $300.00    $300.00
LanGuard                                    1      $320.00    $320.00
Labour (team of 2 @ $40/hr)                 40     $80.00     $3,200.00
NetStumbler                                 1      $0.00      $0.00
Kismet                                      1      $0.00      $0.00
Ettercap                                    1      $0.00      $0.00
LANBrowser                                  1      $0.00      $0.00
Ethereal                                    1      $0.00      $0.00
TOTAL                                                         $8,960.00
5.2 Cost Breakdown
• Total Purchasing Costs: $7,760.00
• Total Labour Costs: $16,000.00
• Total Cost: $23,760.00
5.3 Internal Cost For Security Implementation
Item                                        Units  Cost       Extended Cost
Training                                    160    $40.00     $6,400.00
Compliance / Legal consultation             1      $2,000.00  $2,000.00
Implementation and Design                   160    $40.00     $6,400.00
TOTAL                                                         $14,800.00
5.4 Cost-Benefit Analysis
The greatest cost is the labour; however, these intangible costs are already incurred in our payroll. The greatest benefit is the sense of reliability of our wireless network. A secure wireless network will improve our standing in the industry through industry standard compliance.
Benefits:
• Improved relations with partners, contractors and clients
• Safeguarding sensitive data and intellectual property
• Resources to recover from an attack will consume more labour and costs
• Most software to conduct a risk assessment is free
• Network performance increases with fewer attacks
[Figure: Cost, Benefit]
6.0 Quality Control
6.1 Quality Criteria
• Increase the level of security so only employees can access the wireless network
• Increase confidentiality of data so packets cannot be read if intercepted.
6.2 Testing
• When the prerequisite decisions on architecture have been made, testing will begin.
• Any hardware needed will be purchased on evaluation terms from the manufacturer
• The goal of testing is to reduce the load of troubleshooting that occurs upon implementation
• Testing period must not exceed the time allotted.
6.3 Test Environment
• Project Manager will give permission to deploy the test environment
• Test environment will resemble final deliverable except in scale/scope
• Test environment should be inaccessible to normal employees or outside users (no SSID broadcast)
• Test environment should be as physically isolated as possible to eliminate variables
• IT security team will configure test environment according to the previous deliverable plans
6.4 Penetration Testing
• Penetration testing team will be contracted to audit the security of the wireless network
• Reports should be created by the audit team regarding the physical security, wireless security protocol (WEP, WPA), and best security practices (non-default naming)
• Changes according to the audit should be implemented and tested for bugs
6.5 Authentication
• Test different authentication methods (swipe cards, tokens, one-time passwords)
• Decide which best meets company’s needs
• Must remain under the same budget as the rest of the project
7. Risk Management Plan
7.1 Approach
Approach to managing risk is defined by the following steps:
1. Identify the Risk.
  • The Project Manager will provide the most appropriate method for risk analysis.
2. Analyze the Risk.
  • Each risk identified shall be analyzed for its potential impact on the project
  • A Risk Assessment shall be completed for each risk entered directly into the Project Risk Log
3. Decide on the most appropriate mitigation strategies. There are several courses of action that can be taken to mitigate Risks:
  • Prevent the Risk by assuming it will happen, and providing for the full impact in the project plan
  • Reduce the Risk by implementing up-front some preventative actions aimed at reducing either the likelihood of occurrence, or the impact if it does
  • Transfer the Risk to another party; for example, take out an insurance policy against the Risk occurring, or agree that another party provides for the Risk should it occur
  • Accept the Risk; i.e. manage it if and when it happens.
4. Risk planning
  • Modify plans to include agreed actions to mitigate the impact of Risks
  • Identify and assign the resources to be used for the work to carry out the Risk mitigation requirements
5. Control the Risk.
  • Ensure that the planned Risk actions are happening
  • Check that execution of the planned actions is having the desired effect on the Risks identified
6. Monitor and report against the risks
  • The Project Manager will monitor the risks on a regular and ad-hoc basis in order to identify potential changes to likelihood or impact.
  • The risks will also be reviewed in regular Progress Meetings.
7.2 Risk Log
The Risk Log states all known risks to the Project. The Risk Log will be a separate working document and maintained
through the life of the project by the Project Manager.
8 Project Controls
This section details monitoring and control mechanisms that will be used on the project.
8.1 Monitoring Progress and Reporting
• The Project Manager will hold Checkpoint Meetings and gather progress information, issues and Risks from the project team.
• Formal Progress Meetings will take place weekly.
8.2 End Stage Reviews
• The Project Manager will submit an End Stage Report to the Project Board at the end of each Project Stage.
• End stage review will be performed even if the project is not complete
• Issues and solutions should be documented and submitted to the Project Manager for use in future projects
8.3 Exception Conditions
• Exceptions to the project plan must be brought to the attention of the Project Manager
• Project Manager will decide whether to allow use of more time or cost or other resources
• Once approval is granted, the exception plan will be carried out
8.4 Actions
• The Project Manager will maintain an Actions Log
8.5 Time Recording
• The individual project tasks will be assigned to team members by the Project Manager
8.6 Issue Management
• Project Manager will be responsible for maintaining the Issue Log
• Issue Log contains a summary of the current state of all project issues
• Issues that have been solved or updated should be brought to the attention of the Project Manager to update the Issue Log
8.7 Change Control
• Changes to the project plan will follow the request for change method.
• A Request For Change is a request to change the specification of requirements
• An internal change process is favoured because it will result in faster change management.
8.8 Project Closure
The Project Manager will:
• Review Project Issues, Actions and Risks
• Verify that all Acceptance Criteria have been met
• Verify that the team is ready to close the project
• Hold a formal hand-over meeting with the IT department
9. Communication Plan
Communication should be done by a member of the team who enjoys communicating, has good interpersonal skills and enough technical knowledge to be able to explain technical details to non-technical people. All communications to the stakeholders will be signed off by the project manager.
9.1 Management Team
Financial Sponsor (CFO)
Communication to the CFO will be once every two weeks. It should be brief and to the point, with a focus on project finances and completion of goals/milestones. Communication will be done either by email or hard copies depending on the CFO's preference.
Information Security Officer
Since this project is heavily related to the company's security, the Information Security Officer (ISO) will be given a semi-weekly update via email on the details of the project's security implementation. Communication should increase if necessary to inform the ISO of any changes or plans created for the project that can affect security.
9.2 Core Project Team
Information Technology Office
This department is directly affected by the project, so a brief overview of the I.T. related parts of the project will be sent on a daily basis. Project members may need to communicate more frequently on an individual basis with this department to ensure the project integrates as flawlessly as possible with the current I.T. infrastructure. Communication should be done by email. It may also be advisable to set up a wiki or a bug tracker for easy communication of technical details between the project team and the I.T. department.
9.3 Legal Department
The legal department should be contacted any time the project manager feels that something planned by the project might have a legal effect on the company. Every two weeks, a project update of what the project has done and what it plans on doing should be provided. This will make sure that if the project manager has not seen a legal problem created by the project, the legal department has a chance to spot it. Communication should be done by email or hard copies depending on their preference.
9.4 End users
Employees and Contractors/Business Partners
They should be notified of the project, with a brief summary of what it means to them, at the beginning of the project. They should also be notified as soon as possible of the days on which they will be trained on how to use the new secured wireless network. A week before the secured wireless network goes live they should be informed, to ensure work flow is not hindered. Communication should be via email and a memo posted on company bulletin boards. We should set up a help desk or use a current help desk to communicate with users who may have issues during the roll-out.
10 Configuration Management Plan
10.1 Document Repository
All versions of documents should be saved electronically somewhere all necessary project stakeholders can view them. The repository enables the Project Manager to:
• Publish and share documents and other work in a central location
• Introduce a further element of control for projects where the team members are geographically dispersed
• Track the documentation and other work via audit trails and version control
10.2 Document Control
The project has a unique name "XXXXX" and unique number, PRJ505, which appear on all documentation.
Document details, project name and date of issue will be included in a document header or footer on every page.
Electronic copies of appropriate documents will be placed in the documentation repository for auditable safe keeping.
Document version numbers will consist of major and minor versions, plus a draft character. An example of a document life-cycle would be:
• 1.0a – first draft
• 1.0b – second draft
• 1.0 – first issue
• 1.1a – minor change, first draft
• 1.1 – second issue
• 2.0a – major change, first draft
• 2.0 – second issue
10.3 Document Standards
Standard authoring tool for textual documents.
Standard authoring tool for project Gantt charts is Microsoft Project 2007
Final form electronic documents in Adobe PDF format, which is viewable and printable on
multiple platforms using the free Adobe Acrobat Reader software at
http://www.adobe.com.
A requirement to deliver documents in other formats will be raised as a project issue.