During my early years in the information security domain, one of the first problems I faced was estimating any activity’s effort. Sometimes, this estimation is more complex as the work involves all the other departments. For example, the server team, network team, etc.
Here is a basic framework that I use, and I also have trained my team on the same. In another post, I will share the detailed excel sheet and how to do an estimation.
In the first of many series, we will cover the estimation for a generic security assessment. To estimate a security assessment effort, consider the following steps:
- Define the scope: Assess the scope of the security assessment, such as the systems, applications, and infrastructure to be tested.
- Assess resources: Identify the resources required for the assessment, such as personnel, equipment, and tools.
- Evaluate complexity: Consider the complexity of the systems and applications being assessed and the potential risk to the organization.
- Use industry standards: To guide the assessment, use industry standards and methodologies, such as the NIST Cybersecurity Framework or the OWASP Top 10.
- Review past assessments: Review previous security assessments to identify any recurring issues and areas of improvement.
- Consider time constraints: Consider any time constraints or deadlines for the assessment, such as an upcoming audit or regulatory deadline.
- Develop a budget: Estimate the budget required for the assessment, including personnel, equipment, and tool costs.
- Review and adjust: Regularly review and adjust the assessment plan based on actual results and experience.
Always keep some contingency (~ 5 – 10%, depending on the information available) to plan better.
Leave a Reply