Never drop the ball on Information Security

From the My Professional Journey blog
Sharing insights from my professional life, where I have been a Sales Engineer, a Health Professional and now a Project Management Professional. These posts encompass my observations and experiences. They may concern projects that I have led or been a part of, or something closer to our daily lives, such as mindfulness and health, which can affect our productivity as Project Managers.

So you have just started a project to introduce a new product, service or result into the organization. You are working with external vendors and internal teams to deliver the new outcome.

And you have also asked the all-important question: "What are my information security requirements?"

On any project where you are introducing or changing information, documentation, user details, processes, designs or software that are the intellectual property of the organization you work for, it is your duty as the Project Manager to make sure that due diligence has been performed on Information Security, and that you have the evidence to prove it.

If you have the luxury of a dedicated information security manager in your organization, or an external consultant who provides advice and helps generate such artifacts on projects, then great! You already have the Organizational Process Assets, the templates and guidelines, that you can simply send to vendors, asking them to respond with how they will ensure adherence.

Regardless of whether this information already exists within your organization or you need to find it out yourself, what would you, as a project manager, need to know and enforce as Information Security requirements on your project? Start with the vendor:


  1. Do they adhere to a nationally or internationally recognized security standard, for example ISO/IEC 27001? Ask for the certificate and check its scope: a certificate that covers a different site or business unit says nothing about the service you are buying.
  2. Send them a Non-Disclosure Agreement (NDA) or confidentiality agreement, so that they are not allowed to disclose any information that is your organization's intellectual property without prior written consent from your legal team.
  3. Perform a quality audit on them. Ask how they store information about other clients. Do they store it in-house, in electronic systems or in safes, and are their data centers redundant in the event of a disaster?
  4. If dealing with software development projects, never hand vendors production data. Give them dummy data that matches the format of your production data (field sizes, data types, volumes), so that their code and their tests behave the way yours will.
  5. Invest in a good data-masking or synthetic-data tool that can automatically generate this dummy data from your production schema. Simply encrypting a production extract does not do the job: encrypted values are useless to a developer, and whoever holds the key can recover the real data. Masking keeps the shape of the data and removes its content.
  6. Ask whether the vendor's software or systems encrypt data, both at rest and in transit, and who holds the keys.
  7. Ask whether the vendor's internal systems are protected from intrusion with firewalls and antivirus software, and how those systems are kept patched.
  8. How will the vendor access your systems for support or installation? Have they been made aware of your security policies for accessing your systems and data centers? Support access should use named, individually accountable accounts that are logged and removed when the engagement ends.
  9. Does the software keep audit trails? Check what is recorded (who did what, and when), whether the trail can be exported to your own monitoring, and whether users of the system can alter it.
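Items 4 and 5 are the ones a project manager can most easily get wrong, so here is an added example (not code from the original post) of what "dummy data that resembles production" means in practice. It is a small Python script that takes a production-shaped extract, here a constructed three-row CSV with fictitious values, and emits a vendor-safe copy: customer identifiers are pseudonymized with a keyed hash so that a repeated ID stays consistent across rows (and across tables, if you mask several with the same key), names and e-mail addresses are replaced with made-up ones, dates of birth are shifted, postcodes keep their layout, and amounts keep their sign and magnitude. The column names, the masking key and the replacement rules are assumptions made for the example, not anything the post prescribes.

```python
"""Added example: vendor-safe test data from a production-shaped extract.

Not code from the original post. The rows, column names, key and
replacement rules below are all assumptions made for this example.
"""
from __future__ import annotations

import csv
import hashlib
import hmac
import io
import random
from datetime import date, timedelta

# Constructed sample standing in for a production export; every value is fictitious.
PRODUCTION_CSV = """customer_id,full_name,email,date_of_birth,postcode,balance
C000123,Alice Example,alice.example@example.org,1981-04-17,SW1A 1AA,1523.40
C000124,Bob Sample,bob.sample@example.net,1975-11-02,M1 1AE,-87.15
C000123,Alice Example,alice.example@example.org,1981-04-17,SW1A 1AA,99.00
"""

# Kept by the organization, never sent to the vendor. Same real ID -> same
# pseudonym, so joins across tables still work; without the key the vendor
# cannot reverse the mapping. Placeholder value: use a random secret in practice.
MASKING_KEY = b"replace-with-a-random-32-byte-secret"

FIRST_NAMES = ["Ava", "Noah", "Mia", "Liam", "Zoe", "Ethan"]
LAST_NAMES = ["Stone", "Rivers", "Hale", "Brook", "Fielding"]


def pseudonymize_id(real_id: str, key: bytes = MASKING_KEY) -> str:
    """Keep the 'C' + six digits shape, replace the value with an HMAC-derived number."""
    digest = hmac.new(key, real_id.encode(), hashlib.sha256).hexdigest()
    return "C" + str(int(digest, 16) % 1_000_000).zfill(6)


def synthetic_name(rng: random.Random) -> str:
    return f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}"


def synthetic_email(name: str, rng: random.Random) -> str:
    # .invalid is a reserved TLD (RFC 2606): test mail can never reach a real mailbox.
    return f"{name.lower().replace(' ', '.')}{rng.randint(1, 999)}@example.invalid"


def shift_date(iso_date: str, rng: random.Random) -> str:
    """Move the date 30-365 days either way; the format and rough age survive."""
    delta = rng.choice([-1, 1]) * rng.randint(30, 365)
    return (date.fromisoformat(iso_date) + timedelta(days=delta)).isoformat()


def synthetic_postcode(real: str, rng: random.Random) -> str:
    """Swap each letter/digit for another of the same class; length and spacing survive."""
    out = []
    for ch in real:
        if ch.isdigit():
            out.append(str(rng.randint(0, 9)))
        elif ch.isalpha():
            out.append(rng.choice("ABCDEFGHJKLMNPRSTUWXYZ"))
        else:
            out.append(ch)
    return "".join(out)


def jitter_amount(value: str, rng: random.Random) -> str:
    """Keep sign and order of magnitude, change the actual figure."""
    return f"{float(value) * rng.uniform(0.5, 1.5):.2f}"


def mask_records(csv_text: str, seed: int = 0) -> list[dict[str, str]]:
    """Return masked rows with exactly the input's columns.

    The identifier is pseudonymized with the key (consistent across rows);
    every other field is regenerated per row from a seeded generator."""
    rng = random.Random(seed)
    masked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = synthetic_name(rng)
        masked.append({
            "customer_id": pseudonymize_id(row["customer_id"]),
            "full_name": name,
            "email": synthetic_email(name, rng),
            "date_of_birth": shift_date(row["date_of_birth"], rng),
            "postcode": synthetic_postcode(row["postcode"], rng),
            "balance": jitter_amount(row["balance"], rng),
        })
    return masked


def masked_csv(csv_text: str, seed: int = 0) -> str:
    """Same header as the input, masked rows underneath: this is what the vendor gets."""
    fieldnames = csv.DictReader(io.StringIO(csv_text)).fieldnames
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(mask_records(csv_text, seed))
    return buf.getvalue()


def leaked_values(csv_text: str, masked: list[dict[str, str]]) -> set[str]:
    """Pre-shipment check: any original cell that survives verbatim is a leak."""
    originals = {v for row in csv.DictReader(io.StringIO(csv_text)) for v in row.values()}
    return originals & {v for row in masked for v in row.values()}


if __name__ == "__main__":
    rows = mask_records(PRODUCTION_CSV)
    assert not leaked_values(PRODUCTION_CSV, rows), "original values survived masking"
    print(masked_csv(PRODUCTION_CSV), end="")
```

The masking key stays with your organization; the vendor only ever sees the output file. Run the leak check on every extract before it leaves the building: an empty result means no original cell survived verbatim, which is the minimum you should be able to show an auditor. Free-text columns (notes, addresses) need a stricter rule than the ones above, since they can carry personal data in any format; the safest choice is to replace them outright.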

Then turn to your own organization:
  1. Is the new product or service you are procuring capable of interfacing with internal secure systems, for example Active Directory, so that accounts are created and removed centrally rather than maintained separately in the new system?
  2. Is your IT department capable of providing an additional layer of encryption?
  3. Do you have software, or a team, that can perform a vulnerability assessment on the vendor's software for things like SQL injection or denial-of-service weaknesses? If not, ask the vendor for the results of their most recent independent penetration test.
  4. Will the servers that you are putting the software on run a supported operating system with the latest patches, and who will keep them patched after go-live?
  5. Have your end users read your information security guidelines, and do they understand how vital and confidential the information stored in your product or service is going to be?
  6. Can you provide disaster recovery capability for the new service or system that your project is implementing?
  7. Is your backup solution robust enough and compatible with the new service or system? Has a restore from backup actually been tested?
  8. Have the support staff in charge of resetting passwords or managing information within the system been made aware of, and signed off on, the information security policies and guidelines?
  9. Are all internal servers firewalled and protected by the latest supported version of your antivirus software?

There is always going to be an inherent risk of an information security breach, but as Project Managers, by asking and finding answers to questions like the ones above, we have done our due diligence and mitigated the risk.

In the end, we have done what we are paid to do, and done it well!


Posted on: April 23, 2017 11:38 PM
