Development and Inclusion of Information Security specific process(es) in PMBOK to equip PM and PM team to better manage and handle security of all sensitive Project Information/data during project d

Rohit Kumar Goel Cybersecurity | IT Consultant| Various Clients Dwarka, New Delhi, Delhi, India
In today’s scenario, I feel Information Security has become one of the most critical requirements and challenges for most organizations/industries, whether or not an organization has a mature and robust security culture, setup and resources in place. Especially, security attacks such as ransomware today can easily and adversely impact a project’s schedule, cost baseline/budget or even the complete project outcome, if such an attack is able to render project information/data unavailable while the project is still underway. On the other hand, leakage of sensitive information/data during a project may also adversely impact customer confidence and contractual obligations, leading to premature project termination, penalties or some legal action.

Therefore, I am of the opinion that the PM and PM team should have some basic level of awareness and should be equipped with some tools and techniques to take care of the security of all sensitive project information belonging to their project during the entire project life cycle. For this purpose, it may help if one or more dedicated processes pertaining to Information Security, including relevant tools and techniques, are defined and included in the PMBOK to help the PM and PM team effectively handle the security of all sensitive project information/data generated/used during the project duration. Such awareness, knowledge and availability of some tools & techniques with the PM and PM team will complement an organization that has a mature/robust security system and culture in place; whereas, in the case of other organizations that have a weak or no security culture/program in place, the PM and the PM team using Information Security relevant process(es) and tools & techniques will be able to better handle and manage the security of all sensitive project information generated/used during the project duration in a reliable manner, in addition to taking the help of an SME, if available, on such matters.

Request valued feedback and expert opinion on the above.
Kiron Bondale Retired | Mentor| Retired Welland, Ontario, Canada
Rohit -

This would fall under the business continuity & disaster recovery planning programs within most organizations. Certainly if the scope of a particular project might increase information security risk then that needs to be considered within the planning efforts but outside of that situation, this would not be something that individual PMs should try to address independent of organization or regulatory requirements.

Kiron
Reply by Rohit Kumar Goel, Jan 24, 2018 1:02 PM:
Kiron,

Thanks for your valued feedback. Your point is well taken, but it is helpful only in those organisations which have a mature and robust Information Security and BCP/DR culture and setup in place.

For other organisations that have a weak or no security culture and setup in place, I believe the PM and PM team still have the ownership and accountability for ensuring that all sensitive project information/data of their project is adequately secured, so that its confidentiality, integrity and availability is maintained throughout the project life cycle. It is critical to ensure that customer confidence is not lost and any contractual obligations are not adversely impacted, which is also one of the primary responsibilities of the PM and the team. In such organisations with no security culture and maturity, a PM and PM team with some knowledge of security related issues, threats, processes, tools and techniques can easily ensure security is better managed and maintained. Though the PM and PM team may also take the opinion and support of some SME, having basic security awareness and access to security relevant processes, tools and techniques will be of immense value, especially in today’s security scenario and ever changing threat landscape.
Sergio Luis Conte Helping to create solutions for everyone| Worldwide based Organizations Buenos Aires, Argentina
Information Security could be a component of a specific project but not a component of the project management body of knowledge. See the definition inside the PMBOK itself about what a body of knowledge means. Beyond that, there is not enough room here, but I can explain to you why the knowledge areas are included in the PMBOK; I learnt it from people that created the PMI and others (just in case you never heard it). On the other side, Information Security is not needed in a lot of initiatives, mainly in the context you wrote (technology focus). Please let me say that in the context of project management, security is about all types of security, from physical security to logical security.
Reply by Rohit Kumar Goel, Jan 25, 2018 5:59 AM:
Interesting point, Sergio. However, I would like to clarify here that Information Security is not only about the security of digital information stored and processed on computers or other similar computing devices such as servers, mobiles, tablets and laptops. Information Security is very comprehensive in its scope and deals with the security of all forms of information, such as digital, paper, audio, video, spoken etc., and all types of physical and logical security are part of Information Security. It is different from, and a superset of, other forms of security such as IT security, which primarily deals with the security of information stored and processed on computers, or Cyber Security, which primarily deals with the security of information that resides in cyber space.

In most projects, a lot of information/data pertaining to project management processes, the various inputs and outputs of these processes, and the products, services or results of the project may be generated or processed during the project duration. Much of that information may be spoken, digital or paper based, or may exist in audio or video format, and if any such information is sensitive in nature for the performing or requesting organisation, then the security of all such project and product information becomes important and one of the primary responsibilities of the PM and PM team, at least until the project is completed. In this context, having some well defined processes pertaining to the security of sensitive project and/or product information, together with the various inputs, tools & techniques that a PM and PM team may use, can help the PM and PM team effectively manage the security of all sensitive information pertaining to the project or its products/results.

Once again, I believe that the security of all sensitive information generated/used during a project’s duration is directly the PM and PM team’s responsibility, and they may be contractually bound to take care of the security requirements of the sensitive project/product information, irrespective of whether the performing organisation has an in-house dedicated security organisation or has no such setup and culture in place. Depending upon the Information Security process requirement, a PM can always request the services of an external SME.
Sergio Luis Conte Helping to create solutions for everyone| Worldwide based Organizations Buenos Aires, Argentina
I understood. What I tried to say is that, just in case you have to include something related to security in the PMBOK, the name would be "project security". Still I say: it could be part of project activities but not a knowledge area. All that is related to information security and what you stated is covered by project configuration management environments. You have a practice guide there (I was part of the group of authors, but if you ask me it is not a good piece of work). It is a support activity and, in my opinion, must not be a knowledge area due to the lot of IEEE standards out there.