When the internet and computer systems were gaining popularity in the 1980s and 1990s, security was not a significant concern. Because organizations strive to minimize the time to market (TTM) for their applications, they often treat security as a post-development activity. In some cases, they ignore security considerations altogether in order to deploy their products and services on time.
Fast forward to 2021, and this practice is no longer sufficient. As threats in cyberspace continue to evolve at an unprecedented rate, organizations can no longer ignore security considerations. As a result, the last few years have seen the emergence of the privacy by design and privacy by default principles, largely thanks to the GDPR. Development methodologies like DevSecOps are also becoming a topic of discussion in the security community. This article explores how you can include information security in your project management activities.
What Does ISO 27001 Say About Information Security In Project Management?
ISO 27001:2013 has a dedicated control for incorporating information security practices into project management. Control A.6.1.5 states that “information security shall be addressed in project management, regardless of the type of the project.” Put plainly, ISO 27001 requires organizations to address information security concerns in every project they undertake.
A common misreading of this control is that it merely asks organizations to apply a project management methodology to information security-related projects. The control says the opposite: information security must be applied to every project, not only to security projects. Cybersecurity professionals should take care to convey this meaning and not its inverse.
How To Implement Security In Project Management?
Implementation guidance for this control specifies that an organization should integrate information security into their project management method(s). As a part of this integration, it should identify various risks and take the necessary steps to address those risks. To clarify, this must apply to all types of projects, including those focussing on core business processes, IT, development, facility management, etc. An ideal project management method should include:
- Consideration of information security objectives while undertaking discussions on overall project objectives;
- Conducting information security risk assessment at an early stage of the project for identifying necessary controls; and
- Including information security in all the phases of the project methodology.
In addition, organizations should conduct regular reviews and address the information security implications of their projects. They should define relevant roles in their project management method(s) so that specific individuals are designated with information security responsibilities. Similarly, the privacy by design principle requires organizations to incorporate privacy considerations throughout an engineering project. Privacy by design is an example of value-sensitive design, in which organizations consider human values throughout the process. The GDPR incorporates the privacy by design and privacy by default principles under Article 25.
Another parallel can be drawn from the DevSecOps methodology. It stands for development, security, and operations. While DevOps is a well-known software development approach, DevSecOps is a relatively new concept. This approach seeks to implement security practices at the same scale and speed as development and operations. As a result, organizations pay attention to security considerations throughout the development process.
To sum up, the following diagram aptly represents the implementation requirements for information security in project management.
What Are the Benefits Of Information Security In Project Management?
By incorporating information security practices in project management, organizations can ensure that their output comes with the highest level of security possible. Another benefit of this is to demonstrate compliance with ISO 27001:2013 requirements. It is a well-known fact that a cyber-attack disrupts business operations and results in financial and reputational losses. Certainly, organizations must not ignore these considerations anymore. As your program continues to mature over time, you will realize multiple ways through which it will benefit you and your business operations.