Information Security & Privacy as part of Project Management

A typical Project Management methodology doesn’t include details about ensuring confidentiality, integrity and availability of information or the privacy of personal information. Experience has shown that too often the information security or privacy subject matter experts are not consulted about the project until the test phase, or even worse when the project needs to be signed off or is about to go live.

These circumstances will feel very familiar to information security professionals and privacy officers alike. This situation often leads to delays in sign-off and go-live or even worse a new information system being launched into production without sufficient security and privacy controls implemented. This means exposure to risks such as:
● disclosure of information;
● unauthorised access to systems and information; or
● breaches of legal requirements, for example the Privacy Act.

Additionally, “bolting on” security controls and mechanisms or privacy controls at the end of a project, for example the development of a new application or the implementation of a new information system, is very expensive and time consuming.

Information security and privacy activities should be integrated into the organisation’s project management methodology. This ensures that information security and privacy risks are identified, assessed, addressed and managed as part of a project. This approach can be applied to any project regardless of its character, e.g. a project for a core business process, IT, facility management and other supporting processes.

This article is aimed at project managers, who are being put under a lot of pressure to ensure they deliver on time and within budget. To achieve implementation of a secure and compliant (legal & regulatory requirements) information system, it is essential to engage with information security and privacy subject matter experts from the moment a viable idea is considered for development.

The two main approaches to project management are:
● the waterfall approach (delivery is all-in-one-go, for example PRINCE2 and PMP); and
● a release-based iterative approach (delivery is in bursts of functionality spread over time, for example Agile Scrum/Sprint methodology).

Both approaches have pros and cons. This article does not discuss the details of either approach; rather, it looks at where and how information security and privacy should be incorporated into the project management cycle, regardless of which approach is chosen.

Process steps
All project management methodologies follow a similar high-level process of 4 or 5 steps. In the list below, the corresponding steps for the Agile methodology are given in (brackets). Each of these steps has its own goal/objective and a set of deliverables.

During each of these steps, the project manager should involve a security professional. Incorporating security into projects from the start will avoid last-minute and (often very) costly additions later on in the project. The following bullet points give an overview of the information security and privacy related considerations during each project phase. More details on this topic can be provided on request.

  1. Scope/Initiation/Discovery (Stage 1 Vision)
    ● Is personal information involved in this project or processed by the delivered information system? If so the Privacy Officer needs to be contacted at this stage.
    ● What is the classification or sensitivity of the information processed?
    ● Ensure that the Information Security Officer (or equivalent role such as ICT security, CISO, ITSM) is involved to discuss security requirements; these must be an integral part of the business requirements.
    ● Is there a need for compliance with legal or regulatory requirements, national or international standards (NZISM, ISO27001) or contractual security and privacy obligations?
  2. Business Case/Planning (Stage 2 Product Roadmap and stage 3 Release Planning)
    ● Engage with the respective subject matter experts to discuss in detail the security and privacy requirements, so they can be considered during the design of the solution.
    ● Define the acceptance criteria for all the business requirements, including security and privacy.
    ● Identify security and privacy risks and perform risk and/or privacy impact assessments.
    ● Based on the results of these assessments, identify security and privacy controls and mechanisms to be included in the design.
  3. Development/Execution (Stage 4 Sprint Planning and Stage 5 Daily Scrum)
    ● Is the design implementing the identified security and privacy controls? Perform compliance checks and security reviews against requirements and selected controls, against existing policies and standards.
    ● Consider performing vulnerability scans (internally) and checking of the patch status.
    ● Engage with external security experts such as penetration testers, code reviewers and auditors.
    ● Make contact with the Operations team that will manage the solution from a security perspective after going into production.
  4. Test & Evaluation/Control & Validation (Stage 6 Sprint Review)
    ● Execute all security testing: penetration test, code review and/or ISO audit.
    ● Engage with security and privacy subject matter experts to assist with interpreting the resulting (test) reports.
    ● Revisit the risk register and re-assess all risks, based on the solution as it has been built.
    ● Has the security operations team reviewed the operational documentation?
  5. Launch/Close (Stage 7)
    ● Hand over the outstanding security and privacy treatment plans, which have been agreed and accepted by the business owner.
    ● Start of business as usual: security operations, monitoring of risks and compliance.

Milestones or gates
The waterfall project management methods state that, to manage and control the project phases, a number of checkpoints, milestones or gates should be introduced. The function of these gates is to ensure that all criteria are met, that all necessary deliverables for that phase are completed, and to assess whether the project is still “on time/within budget”.

These gates are the moments during a project where security and compliance checks can be introduced to ensure that the project is meeting all agreed business requirements, including security and privacy considerations. Below are some decisions, checks and lists that should be considered from an information security and privacy perspective:

  1. Scope gate
    ● Sensitivity of information assessed and decided.
    ● High-level business, information security and privacy risks identified.
    ● High-level business, information security and privacy requirements identified.
  2. Business case sign-off gate
    ● Detailed security and privacy requirements listed and acceptance criteria agreed.
    ● Complete a risk register that includes security risks, privacy risks and initial level of risk (also called gross risk).
    ● Based on the risk assessment, list all security and privacy controls and mechanisms.
    ● Engage IT design architects and information security subject matter experts to write a Risk Treatment Plan (which will include a resource plan/budget).
  3. Design sign-off gate
    ● Assessment of compliance, security and privacy reviews and checks against agreed sign-off criteria.
    ● Revisit the project risk register that includes security risks, privacy risks and potential residual risk (this is the remaining risk when all security controls and mechanisms are implemented).
    ● Engage with 3rd parties to agree scope of penetration test, Certification & Accreditation audits, code review or other security tests that are outsourced.
    ● Engage with the operational security team to discuss the solution and assess if the document set is complete, up-to-date and acceptable.
  4. Final business sign-off gate
    ● Are all selected security and privacy controls implemented as designed?
    ● Completed security testing – assess the results and decide if they are acceptable or not.
    ● Revisit the risk register to include final residual risk of all risks, including security and privacy, ensuring the risks are sufficiently addressed (in for example a treatment plan) and accepted by the business owner.

Summary & conclusion
This article provides project managers with an overview of the security and privacy activities they should consider during the different phases of a project and how the project (quality) gates can incorporate checks and decisions related to information security and privacy. It also provides Project Management Offices with ammunition to update their project management process to include activities and decisions that are based on identified security and privacy risks.

The most cost-efficient way to build security into products or processes is to implement the security and privacy controls and mechanisms into the design. Adding them later, or after the project has gone live, is much more expensive and would reduce the Return-on-Investment of the project significantly.

Incorporating information security and privacy into the organisation’s project management methodology has the following benefits:
● It ensures that information security and privacy risks are identified, assessed, addressed and managed as an integral part of a project.
● It prevents having to “bolt-on” security mechanisms at the end of the development of a new application or the implementation of a new information system, which is very expensive and time consuming.

In summary, building security and privacy into project management ensures that:
● information security and privacy objectives are included in project objectives;
● security and privacy risk assessments are done throughout the different phases of the project, so that
● adequate controls to mitigate these risks are identified and taken into account when designing the solution;
● compliance checks against all business requirements (including security and privacy) are performed throughout the project; and
● corrections & changes to the design are taken into account where necessary.