VIEWPOINTS
VOICES ON PROJECT MANAGEMENT
IN THE BEGIN
Information security can’t be an afterthought.
BY RICHARD HUNT
Information security is often seen as a necessary evil, something that can be tweaked at the end of a project to meet the onerous rules of an audit. But that rarely works.
Instead, try following these five suggestions for a safe
and secure project launch:
Consider running short workshops to educate the business
process leads in the organization’s security standards.
The sessions could cover what will be needed to develop the
project’s security requirements and how to document them.
Tip 1: Security starts on day one.
Don’t wait until you’re in a rush to meet a go-live date to
introduce security provisions. It may be too late—decisions
affecting information security made in the design and
blueprint phases of a project can be irreversible. Even if
you can come up with a last-minute solution, it often
means giving team members more system access than
they require. This doesn’t stop anything from working,
but over time it leaves an organization open to hidden
risks. Even though it’s not in their area of responsibility,
employees might be authorized to change vendor bank
details, for example, and then use that information to
divert vendor payments to their own bank account.
Tip 2: Mix business with security.
IT security can’t be treated as strictly a technical
problem. Project managers should also consider
security from a business perspective and treat it
as a separate workstream of equal importance.
Security specialists should have good knowledge of
business roles and the activities users
are likely to perform—and therefore the level
of system access they will require.
Tip 3: Keep things in context.
The security consultants on your project must, of course,
capture the technical requirements, but they also must
understand the business’s needs to have a frame of reference.
For instance, it’s part of an administration role for
specific users to maintain employee salary details. But
such access could represent a major security risk, with staff
members having the ability to control their own remuneration
packages. The security team must therefore build
these requirements into the security design to ensure that
proper access to sensitive details is restricted, and that the
compensation team must approve all changes.
Project managers must also ensure that the security
design and build take place at the same time as other
deliverables, aligning the security testing phase with the rest of
the project’s testing.