So you have just started a project on introducing a new product, service or result into the organization. You are working with external vendors and internal teams to help deliver the new outcome.
And you have also asked the all-important question: "What are my information security requirements?"
On any project where you are introducing or changing information, documentation, user details, processes, designs or software that are the intellectual property of the organization you work for, it is your duty as the Project Manager to make sure that you have performed due diligence on Information Security and have the evidence to prove it.
If you have the luxury of a dedicated information security manager in your organization, or an external consultant who provides consultation and helps generate such artifacts on projects, then great! You already have the Organizational Process Assets (templates and guidelines) that you can simply send to vendors and ask them to respond with how they will ensure adherence.
Regardless of whether that information already exists within your organization or you need to find it out yourself, what would you, as the project manager, need to know and enforce as Information Security requirements on your project?
- Do they adhere to nationally or internationally recognized security standards, for example ISO/IEC 27001?
- Send them a Non-Disclosure Agreement (NDA) / confidentiality agreement to make sure that they are not allowed to disclose any information that is your organization's intellectual property without prior written consent from your legal team.
- Perform a quality audit on them. Ask them how they store information about other clients. Do they store it in-house in electronic systems or in safety vaults, and are their data centers redundant in the event of a disaster?
- If dealing with software development projects, always give vendors dummy data to work with that resembles the format of your production data (sizes, data types, volumes).
- Invest in good encryption software that can automatically produce garbled data which you can provide to your vendor in place of the real data.
- Ask if the vendor's software or systems provide data encryption capabilities.
- Ask the vendors if their internal systems are protected from intrusion using firewalls and antivirus software.
- How are the vendors going to access your systems for support or installations? Have they been made aware of your security policies for accessing your systems and data centers?
- Does the software have audit trails?
- Is the new product or service you are procuring capable of interfacing with internal secure systems, e.g. Active Directory?
- Is your IT department capable of providing an additional layer of encryption?
- Do you have software that can help perform a vulnerability assessment on the vendor's software for things like SQL injection or denial-of-service attacks?
- Will the servers you are putting the software on be running the latest operating systems, with the latest patches?
- Have your end users read your information security guidelines, and do they understand how vital and confidential the information stored in your product or service is going to be?
- Can you provide disaster recovery capability for the new service or system that your project is implementing?
- Is your backup solution robust enough and compatible with the new service or system?
- Have the support staff in charge of resetting passwords or managing information within the system been made aware of, and signed off on, the Information Security policies and guidelines?
- Are all internal servers firewalled and protected using the latest supported versions of antivirus software?
There is always going to be an inherent risk of information security breaches, but as Project Managers, by asking and finding answers to questions like the ones above, we have done our due diligence and risk mitigation.
In the end, we have done what we are paid to do, and done it well!