Planning the scope of any security engagement or audit needs to be a collaborative effort. It is essential to involve not only the security team but also management and the system or process owner. Technical experts and other interested parties may also need to be involved.
The purpose of the security engagement will help us define the scope; it is “the why” of the project. Generally it is necessary to start with the purpose of the project and refine this during the research phase as additional information comes to light. Working from the purpose of the security project (such as the need to become compliant with a regulatory standard such as the PCI-DSS for payment card processing), research will lead to a definition of the systems that need to be checked, the timeframe and the standards that need to be met.
With the purpose and research together, the scope can be planned with various milestones and completion stages. The goal of the scoping exercise is to put a basic scope plan together before taking it to management. There are likely to be changes once the scope has been presented to management, and these will be rectified based on agreement. On the other hand, obtaining agreement on scope before doing the research, so that the scope later changes and has to be re-approved by management, makes the security consultant, auditor or security team look incompetent.
Figure 1: An Audit is a Project
Always ensure that you have researched and fully documented your scope before taking it to management for approval.
As any security engagement is a project, the scope document should ideally include a Gantt chart showing the planned phases, milestones and dependencies.
Management and stakeholders appreciate this even when the project does not follow the predefined path, as it demonstrates that you have researched the project and thought through its sequencing and effort.
It is generally unlikely that management will scrutinize the Gantt chart in any detail, but the simple fact that you have included it makes it more likely that the scope will be accepted, as it demonstrates forethought.
Remember, whether you are doing a penetration test, a security review or even implementing a new defensive system, security work is a project. It is only once these systems have been incorporated into daily operations that they become an operational concern, and operations is not a function of audit or review.