The research phase is the period of gathering information that
will help us focus on important topics and differentiate our work
from the work already done and publicly available. As we progress
in the research, the findings should become more readily usable
for the development phase. The duration of research phase is not
defined as much by the end deliverables as it is by the holiday
period of 4th of July. That is the time when a checkpoint is made
with respect to results thus far and the development is
officially started. The development phase can be seen as the
period of better structuring the information found in the
research phase and developing new content as well as binding
"glue" around the reused/referenced pieces of information. In the
development phase, creation of original content is encouraged,
but it should not be a goal in itself Ð in many cases value
can be created even by repackaging existing information into a
more accessible and concise format. For all the below research
areas, perhaps with the exception of Vendor Research, the
information gathered will provide the input for the development
of "the grid". Therefore it is beneficial already in the research
phase to think of what information would fall under which
column/row in the grid and insert references/copy&paste text
excerpts accordingly. Also some of the material may show
variability according to Industry or Region Ð this kind of
variability would provide input for the "Industry Segment" and
"Culture/Region" deliverables, and should be
referenced/copied&pasted similarly. Objectives are detailed
below by research areas. These can be understood as definitions
for the activities in the project plan. Andersen "Knowledge Exchange"
Research
The goal is to find any relevant material across the whole project scope using AndersenÕs Knowledge Exchange databases and tools, to which only Andersen personnel have access. Literature Survey
The goal is to find any relevant material across the whole project scope as long as it originates from impartial sources. Industry Pre-survey
The goal is to find any material on security policies published by companies who apply those policies in their own operations. The material will be biased by nature and will have to be treated as such. Depending on the amount of information available from various sources, it may need to be categorised. An ideal goal would be to gain an understanding of the current state of the art, but the pre-survey is most likely going to leave a lot of that for the development phase. Vendor Research
The goal is to come up with the following in a tangible document (to be placed on the Web server or to be printed on paper)
The goal is to find any relevant material across the whole project scope using AndersenÕs Knowledge Exchange databases and tools, to which only Andersen personnel have access. Literature Survey
The goal is to find any relevant material across the whole project scope as long as it originates from impartial sources. Industry Pre-survey
The goal is to find any material on security policies published by companies who apply those policies in their own operations. The material will be biased by nature and will have to be treated as such. Depending on the amount of information available from various sources, it may need to be categorised. An ideal goal would be to gain an understanding of the current state of the art, but the pre-survey is most likely going to leave a lot of that for the development phase. Vendor Research
The goal is to come up with the following in a tangible document (to be placed on the Web server or to be printed on paper)
- classification of available products into two categories:
- risk assessment tools
- policy enforcement tools
(decision support tools were explicitly descoped on Thu June 10th)
Then subdividing these categories further if applicable and characterising the kind of tool support available, giving an opinion about their general maturity and value in practice, even if no specific products are then mentioned in the end deliverables.
- market information on specific products, such as their relative strengths, who are the market leaders, how widely adopted these products are (naming important reference users, if possible),
- Justify need for the project
- Gather information on current state of affairs in companies.
- Creating new information/statistics in the area of security policy management in the eCommerce context would be the ultimate goal, but most likely we will have to settle with an analysis produced by Gartner/CSI upon request, or with an external vendorÕs help in finding relevant existing information.
- Justify need for the project
- Gather information on current state of affairs in companies.
- Assess the readiness of AC projects to adopt the security policy frameworks to be developed in this project (will it be easy/hard to sell in each case, are they concerned with the same problems?)