Project Management Central

Topics: Agile, Governance, Information Technology, Using PMI Standards
Do you think is important the integration of Information Security Compliance in Projects?

Annoying this great community with my student life.

I will soon start working on my dissertation, and as a PM student and Information Security Professional, I want to work on these topics for reasons such as staying up to date with the latest practices and adding a valuable contribution to PM processes.

I have seen some material published, but I would like to know if you Project Managers consider it an important part of the project life cycle, whether Information Security Compliance is currently included as a process in your projects, or whether it is only considered valuable in Agile projects instead.

I would appreciate some ideas, or maybe concerns, obstacles, restrictions, incidents and risks you as Project Managers have faced with regard to the protection of this valuable asset (information); this way I will do my best to research and at the same time contribute good research work.

Thank you in advance for your support.


Most definitely. Within our environment, information is categorized as unclassified, confidential, classified (Protected A/B), secret, top secret, etc. Additionally, we have what is referred to as "Controlled Goods and Technology" in response to the American International Traffic in Arms Regulations (ITAR). There are policies, directives, etc. on how to handle such information, and non-compliance will result in a security investigation/infraction. Additionally, Intellectual Property (IP) can be a huge issue if not dealt with appropriately in resulting acquisition contracts, especially if third parties are involved. One project I was involved with actually had to delete wireless transmission of data from their scope as they did not speak with the proper security OPIs. It was subsequently determined by security personnel that the data would in fact be classified as "secret" and as such required the appropriate levels of encryption. That brought a whole new level of scope and complexity to the project that they were not prepared to deal with, so they simply dropped the requirement.
1 reply by Jessika Garza
Sep 10, 2019 7:18 AM
Jessika Garza
I really appreciate your response; this refresher on the classification of information was really great and valuable.
I found out I was a little bit behind with respect to the latest Project Management processes. I did some research and found out that Information Security is part of the Project Life Cycle. Now I wonder how it is generally handled in projects: as part of the objectives, or in the Risk Management Plan, Control/Monitoring?

Pretty well every IT project I've worked on required a Threat and Risk Assessment as well as a Privacy Information Analysis.

The TRA is usually done by the IT Security group for the project. The PIA can be done either by a project team member or an SME.

Often, projects cannot go live without approved TRA and PIA. (That was the case for my current project.)
2 replies by Jessika Garza and Steve Ratkaj
Aug 21, 2019 1:53 PM
Steve Ratkaj
Stéphane;

Just an observation/question. I was reviewing some project documentation recently and had to make a comment on the fact that they had combined "risks" and "issues" together, and noticed that you have combined "threats" with "risks". Curious as to why threats are treated separately from risks, when typically threats and opportunities are identified under "risks"?


Cheers;

Steve
Sep 10, 2019 7:37 AM
Jessika Garza
Thank you so much for your response; it is very interesting and good to know that all the projects now include Information Security. It is also very valuable for me to see that it is part of Risk Management as well. When you refer to PIA, is it because it is part of the activities to be done in the project? If so, would that be in the Planning Phase?

Another colleague told me Information Security is seen in the Communications Management part, so I understand it is basically done depending on the project management style, or does it depend on which information is handled in the project?

Jessika -

All projects will be subject to the regulations, standards & policies of the context they operate in.

For example, technology projects will have a set of functional requirements but tied to those will be a variety of quality requirements covering everything from information security to performance to accessibility needs.

Kiron

Aug 21, 2019 10:49 AM
Steve Ratkaj, replying to Stéphane Parent (quoted above)
2 replies by Keith Novak and Stéphane Parent
Aug 21, 2019 2:17 PM
Stéphane Parent
Unfortunately, Steve, that seems to be the norm in Information Security. Obviously, it is meant to encompass threats and risks specific to Information Security. Given it is mandated by Information Security staff, I can hardly request them to abide by project management nomenclature.
Aug 21, 2019 9:37 PM
Keith Novak
Steve,
I think you and I do roughly the same sorts of things based on your IP answer.

A great explanation that is not mine about threats vs. risks:

The hazard is in a harmless state with potential to change into a threat; the threat is the same source, except in a harmful state. ... The hazards and threats are sources of the risk in the sense that they are the actual actors or agents with the potential to harm, while the risk is the potential harm.

I translate that as hazards and threats are the source conditions. Risks are the outcomes.



Information Security is an important consideration when it's relevant.
1 reply by Jessika Garza
Sep 10, 2019 7:46 AM
Jessika Garza
Thank you so much for your answer. So how do you consider it is relevant? By classification of the information? If the information is considered relevant, in which area are the processes or guidelines to follow in order to protect the information?

In any project, there are functional and technical requirements. Part of the technical requirements/objectives is a set of regulations or policies to comply with, depending on the industry or customer. In IT projects, there are "global" Information Security requirements as well as industry/customer-specific security requirements. For example, a secure login on a website is normally a standard security requirement; on the other hand, compliance with HIPAA requirements has to be accomplished if the IT solution stores personal health information.

Hope this helps. Good luck.
1 reply by Jessika Garza
Sep 10, 2019 7:50 AM
Jessika Garza
Thank you very much for your answer; you are right about the regulations to follow. Even if the project is not entirely IT, it also depends on the type of information, right? Now, is it normally established in the Risk Management area? I was told that it is in Communications as well. I would like to know what the common practice is, so that I could maybe work on a suggestion to standardise processes.

Absolutely! I work in banking, so this is a highly important aspect in all of our projects. We build this into the projects, as the Project Manager is the only one sharing information with vendors in most cases. The reason for this is not only to let the resources focus on completing their tasks, but it allows us to gather all the information into concise emails/meetings and share all this in a secure manner. I mean, we deal with personal information on a daily basis, so how you handle this is an extremely important matter.

Regardless of the life cycle - predictive like waterfall or iterative like Agile - you absolutely have to maintain security compliance and governance:

1) If you have vendors on your project, you need to have signed Non-Disclosure Agreements with them.
2) If you have vendors on your project, you ought to have done an Information Security Assessment on them to make sure that they will maintain the integrity of your Intellectual Property; it will also give you an idea of their security practices and the regulations that they follow.
3) You also sign non-disclosure agreements with your employees and contractors, whether working on your projects or operationally for your company.
4) You can also establish secure channels for exchanging documentation with vendors, e.g. providing them only encrypted USB drives or sending information through online tools like SecureSend.
5) You also have Privacy Impact Assessments (PIA) done on any new applications or systems that you are installing, to question how and where information is being stored by the new systems and applications and whether security guidelines are being followed. Based on the critical nature of the data, this will need to be reviewed by your CISO or your Legal and Privacy Officers.
1 reply by Jessika Garza
Sep 10, 2019 12:09 PM
Jessika Garza
I really appreciate this information; it is really helping me a lot to understand how I can relate the topics and how the practices are being carried out. Thank you very much.

Aug 21, 2019 9:37 PM
Keith Novak, replying to Steve Ratkaj (quoted above)
1 reply by Steve Ratkaj
Aug 22, 2019 8:51 AM
Steve Ratkaj
Keith;

LOL. Yes, I noticed that over the last while. No surprise as I assume we are both working in the military domain, but just noticed now you haven't listed where you work. ;)


Cheers;

Steve