Hi PMI Community!
I am a junior IT Project Manager and this is my first post here. I am currently facing an issue related to my company's processes. I am preparing a proposal to change these processes, specifically focusing on risk management, and I need your expertise to ensure my proposal is well-founded.
The current processes state that if security findings are discovered during a penetration test, they must be resolved and the risk reduced to at least medium before risk acceptance can be granted and approval given for promotion to production. However, even after the project goes into production, it remains open, and corrective actions continue until all security findings are fully resolved within a reasonable timeframe. Only once complete resolution is confirmed can the project be closed.
This approach creates significant problems when resolution is not straightforward and requires development work. My proposal suggests that once risk acceptance has been granted and the project has been delivered to production with the identified assumptions, the initial project should be closed. If the implementation and resolution horizon is one year or longer, a new project should potentially be opened to address the findings.
I would appreciate your feedback on this approach and any insights or experiences you can share.
Thank you!
