2021 Annual Secure Coding Training
Deb Bond
Manager, Information Security Governance & Compliance
Annual Required Training
Annual Secure Coding Techniques training is a compliance requirement for PCI-DSS (PCI-DSS 6.5).
Below is the high-level requirement and the minimum evidence CCI must provide
as part of the annual PCI audit:
6.5 Address common coding vulnerabilities in software-development processes as
follows:
Train developers in secure coding techniques, including how to avoid common coding
vulnerabilities, and understanding how sensitive data is handled in memory.
Develop applications based on secure coding guidelines.
Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry
best practices when this version of PCI DSS was published. However, as industry best
practices for vulnerability management are updated (for example, the OWASP Guide,
SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used
for these requirements.
Examine software-development policies and procedures to verify that training in
secure coding techniques is required for developers, based on industry best practices
and guidance.
Examine records of training to verify that software developers receive up-to-date
training on secure coding techniques at least annually, including how to avoid
common coding vulnerabilities.
Verify that processes are in place to protect applications from, at a minimum, the
following vulnerabilities:
Annual Secure Coding Training
Training period dates:
September 1, 2021 to September 30, 2021
Step 1: Bookmark the OWASP Top Ten website:
https://owasp.org/www-project-top-ten/
Step 2: Watch the OWASP video in its entirety at this location:
https://www.youtube.com/watch?v=7UG8wE58vU8
Step 3: Complete the 2-question quiz on the next slide (quiz is based on the video)
Email your responses per instructions in this slide deck
Step 4: Review this slide deck. These slides cover the PCI requirements to ensure applications are protecting cardholder data.
Step 5: Complete the Google Sheet provided by Alex Weitzer
Note: This required training will be considered incomplete if steps are missed or incomplete.
QUIZ
Answer the following post-training questions.
Email your responses to deborah.bond@consumercellular.com
1. Most successful attacks start with:
a) Vulnerability probing
b) Password spray
c) Netscan
2. What is the SECOND most prevalent issue in the OWASP Top 10:
a) Cross-Site Scripting (XSS)
b) Injection flaws in legacy code
c) Broken authentication
STEP 4
PCI Requirement 6
Review PCI-DSS 6.5.1 through 6.5.10
6.5.1
Are injection flaws, such as SQL injection flaws, OS Command Injection, LDAP and XPath injection
flaws and other injection flaws addressed by coding techniques that include:
Validating input to verify user data cannot modify meaning of commands and queries;
Utilizing parameterized queries.
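As an added illustration of the two 6.5.1 techniques (example code, not part of this deck), the following Python compares a query built by splicing user data into the SQL text with a parameterized query, and adds an allowlist validation step in front of it. The in-memory table, its rows and the address pattern are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory sample table for the demonstration (not a real system).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, last4 TEXT)")
_conn.executemany(
    "INSERT INTO customers (email, last4) VALUES (?, ?)",
    [("ann@example.com", "1234"), ("bob@example.com", "9876")],
)


def lookup_unsafe(email: str) -> list:
    """'Before' form: user data is spliced into the SQL text, so the input can
    change the meaning of the query (the failure 6.5.1 is about)."""
    sql = "SELECT email, last4 FROM customers WHERE email = '" + email + "'"
    return _conn.execute(sql).fetchall()


def lookup_parameterized(email: str) -> list:
    """Hardened form: the driver binds the value separately from the SQL text,
    so the input is always compared as a literal string."""
    sql = "SELECT email, last4 FROM customers WHERE email = ?"
    return _conn.execute(sql, (email,)).fetchall()


# Allowlist for the address format; a hypothetical pattern chosen for the example.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_email(email: str) -> str:
    """Input validation (6.5.1's first technique): reject anything that does not
    match the expected shape before it reaches the query layer. This is defence
    in depth alongside parameterization, not a substitute for it."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("input rejected by allowlist")
    return email


def lookup_validated(email: str) -> list:
    """Both 6.5.1 techniques together: validate, then bind."""
    return lookup_parameterized(validate_email(email))
```

With the same malformed input, the spliced query returns every row while the parameterized one returns nothing, which is the behaviour the requirement is asking developers to guarantee.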
6.5.2
Buffer overflow – are buffer overflows addressed by coding techniques that include:
Validating buffer boundaries;
Truncating input strings.
PCI Requirement 6
6.5.3
Is insecure cryptographic storage addressed by coding techniques that:
Prevent cryptographic flaws
Use strong cryptographic algorithms and keys
6.5.4
Are insecure communications addressed by coding techniques that properly authenticate and encrypt all
sensitive communications
6.5.5
Is improper error handling addressed by coding techniques that do not leak information via error messages (for
example, by returning generic rather than specific error details)
6.5.6
Are all “High” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS
Requirement 6.1) addressed by secure coding techniques
6.5.7
Is cross-site scripting (XSS) addressed by coding techniques that include:
Validating all parameters before inclusion
Utilizing context-sensitive escaping
Note: Applies to web applications and application interfaces (internal or external)
Review PCI-DSS 6.5.1 through 6.5.10
PCI Requirement 6
6.5.8
Are improper access controls (such as insecure direct object references, failure to restrict URL access, and directory traversal)
addressed by coding techniques that include:
Proper authentication of users
Sanitizing input
Not exposing internal object references to users
User interfaces that do not permit access to unauthorized functions.
Note: Applies to web applications and application interfaces (internal or external)
6.5.9
Is Cross-site request forgery (CSRF) addressed by coding techniques that ensure applications do not rely on authorization
credentials and tokens automatically submitted by browsers.
Note: Applies to web applications and application interfaces (internal or external)
6.5.10
Is broken authentication and session management addressed via coding techniques that commonly include:
Flagging session tokens (for example cookies) as “secure”
Not exposing session IDs in the URL
Incorporating appropriate time-outs and rotation of session IDs after a successful login.
Note: Applies to web applications and application interfaces (internal or external)
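An added Python example (not code from this deck) that puts the 6.5.10 controls together: an unguessable session ID, rotation of the ID after login, an idle time-out, a session cookie flagged Secure and HttpOnly, and a request handler that reads the ID only from the Cookie header so an ID placed in the URL is ignored. The store, the 15-minute time-out and the cookie name `sid` are assumptions chosen for the illustration.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value for the example


class SessionStore:
    """Minimal server-side session store (example only)."""

    def __init__(self):
        self._sessions = {}  # sid -> {"user": Optional[str], "last_seen": float}

    def create(self, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable ID from the OS CSPRNG
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, sid: str, user: str, now: float) -> str:
        """Rotate the session ID after a successful login (6.5.10): the
        pre-authentication ID is discarded so it can never act as the user."""
        self._sessions.pop(sid, None)
        new_sid = self.create(now)
        self._sessions[new_sid]["user"] = user
        return new_sid

    def touch(self, sid: str, now: float) -> Optional[str]:
        """Return the session's user if the ID is known and not idle-expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # enforce the time-out (6.5.10)
            return None
        s["last_seen"] = now
        return s["user"]


def session_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value with the flags 6.5.10 asks for."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True       # only sent over TLS
    c["sid"]["httponly"] = True     # not readable by page scripts
    c["sid"]["samesite"] = "Lax"    # also limits cross-site submission (6.5.9)
    return c.output(header="").strip()


def sid_from_request(cookie_header: str, query_string: str) -> Optional[str]:
    """Take the session ID only from the Cookie header; a 'sid' in the query
    string is deliberately ignored so IDs never live in URLs (6.5.10)."""
    c = SimpleCookie()
    c.load(cookie_header)
    return c["sid"].value if "sid" in c else None
```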
Review PCI-DSS 6.5.1 through 6.5.10
PCI at Consumer Cellular
PCI – Payment Card Industry
Consumer Cellular follows the Payment Card Industry Data Security Standards to protect credit card and ALL customer information. As an employee it is your
responsibility to help in the protection and proper use of information and technology assets.
Fraudulent Use of Sensitive Information is a Crime
Arizona Laws ARS 13-2008, 13-2015 and Oregon Laws ORS 165.055, 165.800
CCI computers and systems are for business purposes only. All data contained on CCI systems may be monitored, recorded or captured in any manner, and disclosed
by authorized personnel. Employees using company computers have no right of privacy. Access or use of CCI’s computer systems constitutes consent to these terms.
Information Security and Acceptable Use Reminders
Log off or lock your computer when you leave it unattended, even if for just a moment
Ensure sensitive information is not accessible by those who are not authorized
Keep your password secret. It should not be shared with anyone (not even the help desk)
Access to sensitive information is formally assigned based on need to know and business requirements
Do not reveal sensitive information
Do not transmit, copy, move, or store sensitive information in an unsecured manner
Do not disable security controls (Antivirus, firewall, etc.)
Practice safe E-Mail and internet use.
Never write down or type cardholder data (CHD) or customer PII (personally identifiable information)
Never take screenshots of CHD or PII
CHD should never be sent via email, IM, chat, or by other electronic messaging technologies
STEP 5
• Update the Google Sheet provided by Alex W.
• Acknowledge that you have reviewed this training deck
• Acknowledge that you watched the OWASP video
• Send your quiz responses to Deb Bond via email
• Review the SDLC procedure and Information Security Policy as
supplemental to this training.