If I were to start on this assignment, I would do the following.

1. Write up a risk assessment
2. Develop plan of action documents based on templates from the SANS website
3. Develop a good working relationship with someone in senior management and get their buy-in on this. (You might have heard this… “policy without teeth is not a policy after all”)

The third step is the most important one; if I were not able to get management buy-in, it doesn’t matter how good the plan that I have proposed is and what vulnerabilities it is uncovering. It would probably become another plan on the shelf and will probably never be implemented.

On a side note, the timeframe for this engagement is very small and, to make things complicated, you will most likely receive heavy resistance on this from every level of the organization (sorry, I don’t mean to discourage you), but my experience is that people in the public sector are the hardest to accept change, especially from an outsider.

I really liked the analogy of a military commander in a hot DMZ… that Christopher Meidinge sketched in one of the postings I just saw… I think you are right in the middle on this one.

Good luck, Steve

My 0.2 Canadian cents

Bill