Defining the Security Project Scope for Effective Risk Management
To successfully implement security projects, it is crucial to define the project scope with a holistic vision that aligns with the corporate security strategy. This involves adopting a proactive approach to security and focusing on risk management by evaluating and prioritizing security risks. Factors such as executive support, user involvement, and adhering to security policies and culture must be considered. By identifying critical success factors, defining clear project objectives, and applying constraints related to scope, time, and cost, organizations can effectively navigate security challenges and enhance their defenses.
Presentation Transcript
Defining the Security Project
Defining Security Project Scope • For security projects define the scope with the following in mind: • Holistic vision • Proactive approach • Security risk management • Critical success factors • Constraints • Corporate culture and policies
Defining Security Project Scope • Corporate security project plan or program • Provides a holistic vision of enterprise security and strategy • All security projects must be in sync with the enterprise-wide strategy • Focus on prevention vs. remediation • Proactive approach to security • Prevention is less costly than remediation
Defining Security Project Scope • Include the task to • Evaluate and prioritize security risks • E-commerce applications have greater exposure to security issues than applications that run locally • Payment applications have much more serious security problems than informational sites • The security risk management strategy balances business and security risks, as reflected in the corporate security plan • Current security risk management practice is built on threat modeling
Defining Security Project Scope • Ensure the critical success factors are in place • Executive support • More important for security projects than for any others • Security projects are often seen as an “unnecessary burden” • User involvement • Needed to balance security and usability • Experienced project manager • Errors or omissions in the area of security may cost the business a lot • Clearly defined project objectives • Identify the problem and the outcome • This creates the ground for defining the project objectives
Defining Security Project Scope • Critical success factors (cont.) • Shorter schedules, multiple milestones • Make project monitoring and control easier • Clearly defined project management processes • Allow better organization • Avoid confusion and misunderstanding • Standard infrastructure • Use standard components whenever possible • Use standard templates and images
Defining Security Project Scope • Apply security project constraints • Scope • Time • Cost • Quality
Defining Security Project Scope • Take into account the corporate culture and policies • Be aware of security policies • Follow security standards and guidelines
Defining Security Project Scope • Define the Security Problem • Think in terms of CIA (confidentiality, integrity, availability) • What exactly is your problem? What is your priority? Is it confidentiality, integrity, or availability? • Make a clear statement about what problem will be resolved
Example • A new application stores credit card data on your database server. You are requested to protect the data on the server • What exactly are the security concerns? • Software code • Data confidentiality, integrity • Unauthorized access • Business continuity
Define Security Project • Define the outcome • What level of protection will be implemented? • Example • Best industry practice (OWASP, PCI DSS compliance)
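As a worked illustration of the example above (credit card data stored on a database server) and of what a "best industry practice" outcome looks like in code, here is an added example that is not part of the presentation. It encrypts the PAN with AES-256-GCM so the database holds no plaintext card number (confidentiality), binds the ciphertext to its row ID through the AEAD associated data so a ciphertext copied into another row or modified in place fails to decrypt (integrity), keeps only the last four digits beside it, and masks the PAN for display. The record layout, the order IDs, the key handling in `main` and the test PAN 4111111111111111 are constructed assumptions; in production the key comes from a KMS or HSM rather than the database host, and PCI DSS additionally requires key management, access control and logging that this snippet does not show.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// luhnValid reports whether pan is 13-19 digits and passes the Luhn check
// used for payment card numbers; rejects junk before it reaches the vault.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && len(pan) <= 19 && sum%10 == 0
}

// maskPAN renders a PAN for display with at most first six and last four digits
// visible, the masking pattern PCI DSS allows for customer-facing output.
func maskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// CardRecord is what the application database stores (assumed layout):
// no plaintext PAN, only the AEAD ciphertext, its nonce, and the last four digits.
type CardRecord struct {
	RecordID   string // primary key; also the associated data for the AEAD
	Last4      string // for receipts and customer display
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN seals the PAN under key with a fresh random nonce and binds it to
// recordID, so the same ciphertext fails to open under any other row ID.
func encryptPAN(key []byte, recordID, pan string) (*CardRecord, error) {
	if !luhnValid(pan) {
		return nil, errors.New("invalid PAN")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(recordID))
	return &CardRecord{RecordID: recordID, Last4: pan[len(pan)-4:], Nonce: nonce, Ciphertext: ct}, nil
}

// decryptPAN is the privileged path (e.g. a settlement job); it fails closed
// if the ciphertext, nonce, or row binding has been altered.
func decryptPAN(key []byte, rec *CardRecord) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.RecordID))
	if err != nil {
		return "", errors.New("PAN integrity check failed")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // assumption: in production fetched from a KMS/HSM, never stored with the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	const testPAN = "4111111111111111" // constructed test number, not a real card
	rec, err := encryptPAN(key, "order-1001", testPAN)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: id=%s last4=%s ct=%x\n", rec.RecordID, rec.Last4, rec.Ciphertext)
	fmt.Println("display:", maskPAN(testPAN))
	pan, err := decryptPAN(key, rec)
	fmt.Println("settlement job:", pan, err)
	rec.RecordID = "order-2002" // simulate the ciphertext being copied to another order
	_, err = decryptPAN(key, rec)
	fmt.Println("ciphertext moved to another row:", err)
}
```

The AAD binding is the part worth copying: without it, anyone with write access to the table could swap encrypted PANs between orders and the application would never notice, which is an integrity failure even though confidentiality held. Availability, the third CIA concern, is not a property of this code at all; it is answered by key backup and recovery, which is exactly why the scope statement needs to name which of the three the project is for.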
Define Security Project • Define potential security solution • Develop the ideas about how the security problem can be resolved • Follow best industry practice recommendations
Define Security Project • Define the optimal security solution • Evaluate your options from the security outcome point of view – which one is the better fit? • You may need to consult the Risk Management department
Define Security Project • Apply constraints • Scope • Time • Money • People skills • Redefine your project in accordance with the constraints, but do not sacrifice security
Define Security Project • Identify the security project sponsor • CISO • CIO • CFO • Business VP • Operations VP
Example • When you define a sponsor, think about which part of the organization benefits most from the project implementation • Business improvement – go to business people • Regulatory compliance – business or risk management • Technology improvements – CIO or CTO
Summary • The security project scope has been defined when you have an understanding of • The security problem • The security outcome (it must be an improvement!) • The optimal solution • The constraints (scope, time, cost, quality) • The project sponsor