Please login or join to subscribe to this thread
I think the answer would depend on the specifics of your organization. Core project management role and responsibilities are generally different from the IT Security and Governance role. The PM should look to that role for guidance. However, if your organization expects the PM to take care of both, then obviously your role would need to do both
You are not in charge of this. Your subject matter experts must be aware on this. As project manager you have to follow all process in secutiry and governance related to project. But you are not responsible for process related to product. Your subject matter experts are.
I agree: it's not PM's job and there is a Security/Governance function. However, at this point it is a joint effort by PMO and Security organization to come up with a document addressing what I described in the original post, thank you for your replies
I disagree. Risk Management and Stakeholder engagement are ABSOLUTELY part of the PM R&R.
Based on successful partnering with InfoSec at various companies, I would recommend very early engagement with these areas. InfoSec/Risk Management controls should be designed into a system for best success, and the best place to do that is in Planning, Requirements and Design.
Develop an ongoing relationship with the key stakeholders in this area so that you can brief them quickly on projects and assess the total impact early and check back often.
They are stakeholders just like any other and should be a critical part of any project, especially in this day and age, where the white hats are barely one step ahead of the black hats.
Kelley, great! Based on your experience of successfully engaging InfoSec, what do PMs need to know/plan in regards to Security and Governance?
Anon...I pretty much covered it. Engage them early, understand the requirements that they have.
IME, on developing projects if you bring them in late, total cost goes up due to refactoring to meet late requirements.
Bring them in early and often for better project execution, lower costs and better security.
Generally I find that it's frequently a conversation to cover off requirements or risk and then smooth sailing. When it comes to credential management or online security, it becomes more involved which is why I say...like any other stakeholder. Remember security is an intense and potentially costly affair, which is why you bring in the pros and follow their lead.
Please login or join to reply