Do you think is important the integration of Information Security Compliance in Projects?

Steve,
I think you and I do roughly the same sorts of things based on your IP answer.

A great explanation that is not mine about threats vs. risks:

The hazard is in a harmless state with potential to change into a threat; the threat is the same source, except in a harmful state. ... The hazards and threats are sources of the risk in the sense that they are the actual actors or agents with the potential to harm, while the risk is the potential harm.

I translate that as hazards and threats are the source conditions. Risks are the outcomes.

Most definitely. Within our environment, information is categorized as unclassified, confidential, classified (Protected A/ B), secret, top secret, etc. Additionally, we have what is referred to as "Controlled Goods and Technology" in response to the American International Traffic in Arms Regulations (ITAR). There are policies, directives etc. on how to handle such information, and non-compliance will result in a security investigation/ infraction. Additionally, Intellectual Property (IP) can be a huge issue if not dealt with appropriately in resulting acquisition contracts, especially if third parties are involved. One project I was involved with actually had to delete wireless transmission of data from their scope as they did not speak with the proper security OPIs. It was subsequently determined by security personnel, that the data in fact would be classified as "secret" and as such required the appropriate levels of encryption. That brought a whole new level of scope and complexity to the project that they were not prepared to deal with, so they just simply dropped the requirement.

Pretty well every IT project I've worked on required a Threat and Risk Assessment as well as a Privacy Information Analysis.

The TRA is usually done by the IT Security group for the project. The PIA can be done either by a project team member or a SME.

Often, projects cannot go live without approved TRA and PIA. (That was the case for my current project.)

Information Security is an important consideration when it's relevant.

In any project, there are functional and technical requirements. Part of technical requirements/objectives is a set of regulations or policies to comply with depending on the industry or customer. In IT projects, there are "global" Information Security requirements as well industry/customer specific security requirements. For example a secure login on a website is normally a standard security requirements, on the other hand compliance with HIPPA requirements are to be accomplished if the IT solution stores personal health information.

Hope this helps. Good luck.

Regardless of the life-cycle - predictive like waterfall or iterative like Agile , you absolutely have to maintain Security compliance and Governance

1) IF you have vendors on your project , you need to have signed Non Disclosure agreements with them
2) IF you have vendors on your project, you ought to have done an Information Security Assessment on them to make sure that they will maintain the integrity of your Intellectual Property and it will give you an idea of their security practices and the regulations that they follow
3) You also additionally sign non disclosure agreements with your employees and contractors , whether working on your projects or operationally for your company.

4) you can also establish Secure Channels of exchanging documentation with vendors . e.g providing them only Encrypted USB drives or Sending information through online tools like SecureSend.

5) you also have Privacy Impact assessments (PIA) done on any new applications or systems that you are installing , to question how and where information is being stored by the new systems and applications and whether security guidelines are being followed . Based on the critical nature of the data , this will need to be reviewed by your CISO or your Legal and Privacy Officers