In the beginning
VOICES ON PROJECT MANAGEMENT
BY RICHARD HUNT
Information security is often seen as a necessary evil, something that can be tweaked at the end of a project to meet the onerous rules of an audit. But that rarely works.
Instead, try following these five suggestions for a safe and secure project launch:
Tip 1: Security starts on day one.
Don't wait until you're in a rush to meet a go-live date to introduce security provisions. It may be too late—decisions affecting information security made in the design and blueprint phases of a project can be irreversible. Even if you can come up with a last-minute solution, it often means giving team members more system access than they require. This doesn't stop anything from working, but over time it leaves an organization open to hidden risks. Even though it's not in their area of responsibility, employees might be authorized to change vendor bank details, for example, and then use that information to divert vendor payments to their own bank account.
Tip 2: Mix business with security.
IT security can't be treated as strictly a technical problem. Project managers should also consider security from a business perspective and treat it as a separate workstream of equal importance.
Security specialists should have good knowledge of business roles and the activities users are likely to perform—and therefore the level of system access they will require.
Consider running short workshops to educate the business process leads in the organization's security standards. The sessions could cover what will be needed to develop the project's security requirements and how to document them.
Tip 3: Keep things in context.
The security consultants on your project must, of course, capture the technical requirements, but they also must understand the business's needs to have a frame of reference. For instance, maintaining employee salary details is part of an administration role for specific users. But such access could represent a major security risk, with staff members having the ability to control their own remuneration packages. The security team must therefore build these requirements into the security design to ensure that access to sensitive details is properly restricted and that the compensation team approves all changes.
Project managers must also ensure that the security design and build take place at the same time as other deliverables, aligning the security testing phase with the rest of the project's testing.
Join the discussion on PMI.org/Voices
In “Risk Simulation” Sanjay Saini, PMP, says there are two risks common to IT projects: a critical project worker going on emergency leave, and a database server crashing. He suggests simulating each of these risks to see how you manage the project and your team.
“In a project where time is a constraint, you can't afford to spend time on simulating the basic risks,” writes Prasad Karnati, PMP, in a comment.
Tip 4: Test, test and test again.
Security is often overlooked during the test phase of a project. But performing user-acceptance testing helps ensure that everything runs smoothly on go-live day and there are no holdups due to system access restrictions.
Testing new functionality often needs to be performed with wide system access to ensure things work effectively without constraints. However, these tests must be repeated with security restrictions in place. For example, initial testing of the staff address update function of a new employee self-service portal might take place using wide access to make sure the system works. However, in the live environment, employees typically have very limited access to the human resources system. An organization must test that, once access is restricted to its intended levels, the employees who need to can still update the necessary information.
Teams must also implement negative testing, which tracks whether security restrictions are operating as defined. We perform a positive test to, say, ensure an accounts payable clerk can create purchase orders, followed by a negative test to ensure that he or she cannot perform conflicting responsibilities such as executing the payment run. Project managers must ensure that a cycle of negative testing is included in the project plan to highlight potential security threats.
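As an added illustration (not part of the column), the positive and negative access tests described above can be scripted against the role design before go-live. The role matrix, conflict pairs and user assignments below are constructed for the example; the "test_wide" role stands in for the broad access used during early functional testing that must be removed before the live environment.

```python
# Constructed role design for positive/negative access testing (not the article's).
ROLE_PERMISSIONS = {
    "ap_clerk": {"create_purchase_order", "view_vendor"},
    "treasury": {"execute_payment_run", "view_vendor"},
    "hr_admin": {"maintain_salary"},
    "compensation": {"approve_salary_change"},
    "employee": {"update_own_address", "view_own_payslip"},
    # Broad role used for early functional testing; must be gone before go-live.
    "test_wide": {"create_purchase_order", "execute_payment_run", "maintain_salary"},
}
# Conflicting responsibilities: one person must never hold both halves of a pair.
SOD_CONFLICTS = [
    ("create_purchase_order", "execute_payment_run"),
    ("maintain_salary", "approve_salary_change"),
]
# Constructed user-to-role assignments as they might look shortly before go-live.
USERS = {
    "alice": ["ap_clerk"],
    "dave": ["employee"],
    "erin": ["employee", "test_wide"],  # leftover wide test access
}

def effective_permissions(roles):
    """Union of the permissions granted by every role a user holds."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

def sod_violations(roles):
    """Conflict pairs that a user's combined roles would breach."""
    perms = effective_permissions(roles)
    return [pair for pair in SOD_CONFLICTS if perms.issuperset(pair)]

def run_access_tests(users, cases):
    """Each case is (user, permission, expected): expected=True is a positive
    test, expected=False a negative test. Returns the cases that fail."""
    failures = []
    for user, perm, expected in cases:
        allowed = perm in effective_permissions(users[user])
        if allowed != expected:
            failures.append((user, perm, expected))
    return failures

CASES = [
    ("alice", "create_purchase_order", True),   # positive: clerk raises POs
    ("alice", "execute_payment_run", False),    # negative: conflicting duty
    ("dave", "update_own_address", True),       # positive: self-service works
    ("dave", "maintain_salary", False),         # negative: no HR data access
    ("erin", "execute_payment_run", False),     # negative: fails, wide access left in
]
```

Running `run_access_tests(USERS, CASES)` reports only Erin's leftover payment-run access, and `sod_violations` flags the same user as holding both halves of the purchase-order/payment-run conflict.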
Tip 5: Don't lose momentum.
As the go-live date approaches, project teams have to distribute access changes and set up new users. Passwords will need resetting, and user accounts must activate on day one and not before. These activities all need to be timed appropriately to ensure minimal disruption to the business.
Involving IT security throughout the project life cycle will ensure that security is a fully integrated part of the process and all team members are pulling in the same direction. It also demonstrates an organization's commitment to best practices—and safeguards its potentially business-critical information assets.
Richard Hunt founded Turnkey Consulting, an IT security company, in 2004. Based in London, England, he has worked on security projects for more than a decade across the United Kingdom, Asia and Australia.
PM NETWORK SEPTEMBER 2010 WWW.PMI.ORG