The research phase is the period of gathering information that will help us focus on important topics and differentiate our work from the work already done and publicly available. As we progress in the research, the findings should become more readily usable for the development phase. The duration of the research phase is defined less by the end deliverables than by the 4th of July holiday period. That is the time when a checkpoint is made with respect to the results thus far and the development is officially started.

The development phase can be seen as the period of better structuring the information found in the research phase and developing new content, as well as binding "glue" around the reused/referenced pieces of information. In the development phase, creation of original content is encouraged, but it should not be a goal in itself: in many cases value can be created even by repackaging existing information into a more accessible and concise format.

For all the research areas below, perhaps with the exception of Vendor Research, the information gathered will provide the input for the development of "the grid". Therefore it is beneficial already in the research phase to think of what information would fall under which column/row in the grid and to insert references/copied text excerpts accordingly. Some of the material may also vary by Industry or Region; this kind of variability would provide input for the "Industry Segment" and "Culture/Region" deliverables, and should be referenced/copied similarly.

Objectives are detailed below by research area. These can be understood as definitions for the activities in the project plan.

Andersen "Knowledge Exchange" Research
The goal is to find any relevant material across the whole project scope using Andersen's Knowledge Exchange databases and tools, to which only Andersen personnel have access.

Literature Survey
The goal is to find any relevant material across the whole project scope, as long as it originates from impartial sources.

Industry Pre-survey
The goal is to find any material on security policies published by companies who apply those policies in their own operations. The material will be biased by nature and will have to be treated as such. Depending on the amount of information available from various sources, it may need to be categorised. An ideal goal would be to gain an understanding of the current state of the art, but the pre-survey is most likely going to leave a lot of that for the development phase.

Vendor Research
The goal is to come up with the following in a tangible document (to be placed on the Web server or to be printed on paper):
  • classification of available products into two categories:
    • risk assessment tools
    • policy enforcement tools
      (decision support tools were explicitly descoped on Thu June 10th)

      These categories are then subdivided further if applicable, characterising the kind of tool support available and giving an opinion about their general maturity and value in practice, even if no specific products are then mentioned in the end deliverables.
  • market information on specific products, such as their relative strengths, who the market leaders are, and how widely adopted these products are (naming important reference users, if possible).
Results will provide the first input for the deliverable called "Vendor information". (Split into two versions due to the need for CERIAS to remain neutral.)

External Survey or Analysis
  • Justify need for the project
  • Gather information on current state of affairs in companies.
  • Creating new information/statistics in the area of security policy management in the eCommerce context would be the ultimate goal, but most likely we will have to settle for an analysis produced by Gartner/CSI upon request, or for an external vendor's help in finding relevant existing information.
AC Project Survey
  • Justify need for the project
  • Gather information on current state of affairs in companies.
  • Assess the readiness of AC projects to adopt the security policy frameworks to be developed in this project (will it be easy/hard to sell in each case, are they concerned with the same problems?)