Embedding Security in IT Projects
Dr. Kaali Dass, PMP, PhD.
Program Manager
Cisco Systems, Inc.
June 2015
© 2014-2015 Dr. Kaali Dass
Enterprise IT Security & Maturity…!
To Be Hacked!!!
Ref: http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014
24 Large Organizations Hacked in 2014
Project Management Institute
• Founded in 1969
• 185 Countries
• 628,363 PMI Certification Holders
• Certifications: PMP, PgMP, CAPM, PfMP, PMI-ACP, PMP-PBA, PMI-RMP, PMI-SP
NC Chapter
• Chaptered in 1985
• 14th Largest - Over 2800 Members
• Community / Monthly Meetings & Annual Conference
• Agile, Leadership, Pharma, Healthcare, Program Mgt, Public Sector
Ref: pmi.org
Enterprise Wide IT Projects
Large number of Stakeholders
Complex Dependencies
Multiple Tier Architecture
Diverse Technologies
In-house development and Vendor Products
Open Source Products
Lack of Security Awareness
Image Ref: http://www.carnegiemuseums.org/
PMI Process
Initiation, Planning, Execution, Monitoring and Controlling, Closing
About PMI Knowledge Areas
Reference: PMBOK Guide 5th Edition
• Integration Management
• Cost Management
• Time Management
• Scope Management
• Risk Management
• Human Resource Management
• Stakeholder Management
• Communications Management
• Quality Management
• Procurement Management
Project Structure
Organization’s Initiatives (Portfolio)
Programs, each with Projects 1…N
IT Security: Organization
Strategy and Planning
Programs and Initiatives
Projects & Dev Teams
IT Security: Projects
Initiation, Planning, Execution, Monitoring and Controlling, Closing
Enterprise Level Review
Business and IT Review
Infra / Network / Data / Third-party
Code and Access Vulnerabilities
Lessons Learned
Waterfall
Requirements
Design
Development
Testing
Implementation
Support
Delivery Time: Many Months to Years
Agile Manifesto - Values
Individuals and Interactions over process and tools
Working Software over Comprehensive Documentation
Customer Collaboration over Contract Negotiation
Responding to Change over Following a Plan
Reference: http://agilemanifesto.org/
Agile
Product Owner + Scrum Master + Scrum Team
Plan and Commit
Sprint(s)
Demo and Deliver
Inspect and Adapt
Incremental Capability
Continuous Integration
Delivered in Weeks
Accept Changes
Fail Fast, Learn, and Improve
IT Security Layer: IT and Business
Business
• Roles
• Responsibilities
• Access Policies
• Data Retention
• PCI Compliance
• SOX and other Privacy Laws
• Audits
• & More…
IT
• ACL
• AuthC / AuthZ
• Encryption
• Mobility & IOT
• Social Media
• Data Classification
• Data Access
• Data at Rest & Transit
• Virus / Malware
• Business Continuity
• & More…
IT Ecosystems, Agility, and Security
Data Centers / Servers: Manual, Discrete Process
IAAS / PAAS: Semi Automated, Orchestrated, Public / Private Cloud
Public Cloud: Automated, Elastic, Scalable, Orchestrated
Apps / Services, PaaS, DB, VMs, Services, SaaS
Discrete to Continuous; Simple to Complex; Manual to Automated
Enabling Security in Waterfall Projects
Requirements, Design, Development, Testing, Implementation, Support
• Project Plan with Security Focus
• Evaluate Third-party Products
• Identify and document Security Risks
• Business and IT, Internal and External
• Security Architecture and design review
• Code Review – Automated / Deep Dive
• Monitor Risks closely throughout the SDLC and Project life cycle
Enabling Security in Agile Projects
• Security Review during Product backlog and Sprint planning
• Definition of Done for Security (Compliance and Security)
• Create Security Awareness and training
• Automated Code Scan for Security Vulnerabilities
• Standardized and Secured Platform
• Retrospective after every Sprint specifically for Security
Key Takeaways: Org Level
Plan: IT Leadership, IT Security Strategies
Prepare: Governance and Policies
Predict: Analyze and Predict
Prevent: Real time Monitoring, Alerts
Key Takeaways: Project Level
Security at Project Planning
Business & IT collaboration
Focus on People, Process, and Technology
Security awareness and training
IT Security - Future
Plan
Predict
Prepare
Prevent
kdass@cisco.com
dassconnect@gmail.com
https://www.linkedin.com/in/kaalidass

Editor's Notes

  • #2 http://map.ipviking.com/
  • #3 http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014
  • #17 Map.ipviking.com