Security is an important factor in IT project management. This presentation highlights security implications in delivering IT projects by focusing on project management processes, and Software Development Life Cycle. This also highlights how to implement security in Waterfall and Agile delivery methods. In addition, this presentation details delivering quality software by aligning project level strategies with organization’s security strategy and process.
Presented in June 2015 at ISSA, Durham, NC, USA.
2. Enterprise IT Security & Maturity…!
To Be Hacked!!!
24 Large Organizations Hacked in 2014
Ref: http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014
4. Project Management Institute
Founded in 1969
185 Countries
628,363 PMI Certification Holders
Certifications: PMP, PgMP, CAPM, PfMP, PMI-ACP, PMI-PBA, PMI-RMP, PMI-SP
NC Chapter
Chaptered in 1985
14th Largest - Over 2800 Members
Community / Monthly Meetings & Annual Conference
Agile, Leadership, Pharma, Healthcare, Program Mgt, Public Sector
Ref: pmi.org
5. Enterprise Wide IT Projects
Large number of Stakeholders
Complex Dependencies
Multiple Tier Architecture
Diverse Technologies
In-house development and Vendor Products
Open Source Products
Lack of Security Awareness
Image Ref: http://www.carnegiemuseums.org/
11. IT Security: Projects
Project management process groups and the security review that belongs to each:
Initiation: Enterprise Level Review
Planning: Business and IT Review
Execution: Infra / Network / Data / Third-party
Monitoring and Controlling: Code and Access Vulnerabilities
Closing: Lessons Learned
13. Agile Manifesto - Values
Individuals and Interactions over process and tools
Working Software over Comprehensive Documentation
Customer Collaboration over Contract Negotiation
Responding to Change over Following a Plan
Reference: http://agilemanifesto.org/
14. Agile
Product Owner + Scrum Master + Scrum Team
Plan and Commit
Sprint(s)
Demo and Deliver
Inspect and Adapt
Incremental Capability
Continuous Integration
Delivered in Weeks
Accept Changes
Fail Fast, Learn, and Improve
15. IT Security Layer: IT and Business
Business
Roles
Responsibilities
Access Policies
Data Retention
PCI Compliance
SOX and other Privacy Laws
Audits
& More…
IT
ACL
AuthC / AuthZ
Encryption
Mobility & IOT
Social Media
Data Classification
Data Access
Data at Rest & Transit
Virus / Malware
Business Continuity
& More…
16. IT Ecosystems, Agility, and Security
Data Centers / Servers: Manual, Discrete Process
IAAS / PAAS: Semi Automated, Orchestrated, Public / Private Cloud
Public Cloud: Automated, Elastic, Scalable, Orchestrated
Layers: Apps / Services, PaaS, DB, VMs, Services, SaaS
Trend: Discrete to Continuous; Simple to Complex; Manual to Automated
17. Enabling Security in Waterfall Projects
Phases: Requirements, Design, Development, Testing, Implementation, Support
Project Plan with Security Focus
Evaluate Third-party Products
Identify and document Security Risks: Business and IT, Internal and External
Security Architecture and design review
Code Review – Automated / Deep Dive
Monitor Risks closely throughout the SDLC and Project life cycle
18. Enabling Security in Agile Projects
Security Review during Product backlog and Sprint planning
Definition of Done for Security (Compliance and Security)
Create Security Awareness and training
Automated Code Scan for Security Vulnerabilities
Standardized and Secured Platform
Retrospective after every Sprint specifically for Security
19. Key Takeaways: Org Level
Plan: IT Leadership, IT Security Strategies
Prepare: Governance and Policies
Predict: Analyze and Predict
Prevent: Real time Monitoring, Alerts
Key Takeaways: Project Level
Security at Project Planning
Business & IT collaboration
Focus on People, Process, and Technology
Security awareness and training