MANAGEMENT of INFORMATION SECURITY, Second Edition

Learning Objectives
• Upon completion of this chapter, you should be able to:
  • Understand basic project management
  • Apply project management principles to an information security program
  • Evaluate available project management tools
Management of Information Security, 2nd ed. - Chapter 12
Introduction
• Information security is a process, not a project; however, each element of an information security program must be managed as a project, even if it is an ongoing one, since information security is a continuous series, or chain, of projects
• Some aspects of information security are not project based; rather, they are managed processes (operations)
• Employers are seeking individuals who couple their information security focus and skills with strong project management skills
Figure 12-1 Position Posting

Figure 12-2 The Information Security Program Chain
Project Management
• The Guide to the Project Management Body of Knowledge defines project management as:
  • The application of knowledge, skills, tools, and techniques to project activities to meet project requirements
• Project management is accomplished through the use of processes such as initiating, planning, executing, controlling, and closing
• Project management involves the temporary assemblage of resources to complete a project
• Some projects are iterative and occur regularly
Project Management (continued)
• Benefits for organizations that make project management skills a priority include:
  • Implementation of a methodology
  • Improved planning
  • Less ambiguity about roles
  • Simplified project monitoring
  • Early identification of deviations in quality, time, or budget
• In general, a project is deemed a success when:
  • It is completed on time or early as compared to the baseline project plan
  • It comes in at or below the expenditures planned for in the baseline budget
  • It meets all specifications as outlined in the approved project definition, and the deliverables are accepted by the end user and/or assigning entity
Applying Project Management to Security
• In order to apply project management to information security, you must first identify an established project management methodology
• While other project management approaches exist, the PMBoK is considered the industry best practice
Table 12-1 PMBoK Knowledge Areas

Table 12-1 PMBoK Knowledge Areas (continued)
Project Integration Management
• Project integration management includes the processes required to ensure that effective coordination occurs within and between the project’s many components, including personnel
• The major elements of the project management effort that require integration include:
  • Development of the initial project plan
  • Monitoring of progress as the project plan is executed
  • Control of the revisions to the project plan
  • Control of the changes made to resource allocations as measured performance causes adjustments to the project plan
Project Plan Development
• Project plan development is the process of integrating all of the project elements into a cohesive plan with the goal of completing the project within the allotted work time, using no more than the allotted project resources
• These three elements—work time, resources, and project deliverables—are core components used in the creation of the project plan
• Changing any one element usually affects the accuracy and reliability of the estimates of the other two, and likely means that the project plan must be revised
Figure 12-3 Project Plan Inputs
Project Plan Development (continued)
• When integrating the disparate elements of a complex information security project, complications are likely to arise
• Among these complications are:
  • Conflicts among communities of interest
  • Far-reaching impact
  • New technology
Project Scope Management
• Project scope management ensures that the project plan includes only those activities necessary to complete it
• Scope creep occurs when the quantity or quality of project deliverables expands beyond the original plan
• Includes:
  • Initiation
  • Scope planning
  • Scope definition
  • Scope verification
  • Scope change control
Project Time Management
• Project time management ensures that the project is finished by the identified completion date while meeting objectives
• The failure to meet project deadlines is among the most frequently cited failures in project management
• Many missed deadlines are rooted in poor planning
• Includes the following processes:
  • Activity definition
  • Activity sequencing
  • Activity duration estimating
  • Schedule development
  • Schedule control
Project Cost Management
• Project cost management ensures that a project is completed within the resource constraints
• Some projects are planned using only a financial budget from which all resources must be procured
• Includes the following processes:
  • Resource planning
  • Cost estimating
  • Cost budgeting
  • Cost control
Project Quality Management
• Project quality management ensures that the project adequately meets project specifications
• If project deliverables meet requirements specified in the project plan, the project has met its quality objective
• A good plan defines project deliverables in unambiguous terms against which actual results are easily compared
• Includes:
  • Quality planning
  • Quality assurance
  • Quality control
Project Human Resource Management
• Project human resource management ensures that personnel assigned to the project are effectively employed
• Staffing a project requires careful estimates of the effort required
• In information security projects, human resource management has unique complexities, including:
  • Extended clearances
  • Deploying technology new to the organization
• Includes:
  • Organizational planning
  • Staff acquisition
  • Team development
Project Communications Management
• Project communications management conveys details of activities associated with the project to all involved
• Includes the creation, distribution, classification, storage, and ultimately destruction of documents, messages, and other associated project information
• Includes:
  • Communications planning
  • Information distribution
  • Performance reporting
  • Administrative closure
Project Risk Management
• Project risk management assesses, mitigates, manages, and reduces the impact of adverse occurrences on the project
• Information security projects do face risks that may be different from other types of projects
• Includes:
  • Risk identification
  • Risk quantification
  • Risk response development
  • Risk response control
Project Procurement Management
• Project procurement acquires the resources needed to complete the project
• Depending on the common practices of the organization, project managers may simply requisition resources from the organization, or they may have to purchase them
• Includes:
  • Procurement planning
  • Solicitation planning
  • Solicitation
  • Source selection
  • Contract administration
  • Contract closeout
Additional Project Planning Considerations
• Financial considerations
  • Regardless of the information security needs within the organization, the effort that can be expended depends on the funds available
• Priority considerations
  • In general, the most important information security controls in the project plan should be scheduled first
• Time and scheduling considerations
  • Time can affect a project plan at dozens of points in its development
Additional Project Planning Considerations (continued)
• Staffing considerations
  • The lack of qualified, trained, and available personnel also constrains the project plan
• Scope considerations
  • In addition to the difficulty of handling so many complex tasks at one time, there are interrelated conflicts between the installation of information security controls and the daily operations of the organization
• Organizational feasibility considerations
  • Another consideration is the ability of the organization to adapt to change
Additional Project Planning Considerations (continued)
• Procurement considerations
  • There are a number of constraints on the selection process of equipment and services in most organizations, specifically in the selection of certain service vendors or products from manufacturers and suppliers
• Training and indoctrination considerations
  • The size of the organization and the normal conduct of business may preclude a single large training program covering new security procedures or technologies
Additional Project Planning Considerations (continued)
• Technology governance and change control considerations
  • Technology governance is a complex process that organizations use to manage the effects and costs of technology implementation, innovation, and obsolescence
• By managing the process of change, the organization can:
  • Improve communication about change across the organization
  • Enhance coordination among groups within the organization as change is scheduled and completed
Additional Project Planning Considerations (continued)
• By managing the process of change, the organization can (continued):
  • Reduce unintended consequences by having a process to resolve potential conflicts and disruptions that uncoordinated change can introduce
  • Improve quality of service as potential failures are eliminated and groups work together
  • Assure management that all groups are complying with the organization’s policies regarding technology governance, procurement, accounting, and information security
Controlling the Project
• Once a project plan has been defined and all of the preparatory actions are complete, the project gets underway
• Supervising implementation
  • The optimal approach is usually to designate a suitable person from the information security community of interest, because the focus is on the information security needs of the organization
Executing the Plan
• Once a project is underway, it is managed using a process known as a negative feedback loop or cybernetic loop, which ensures that progress is measured periodically
• Corrective action is required in two basic situations: the estimate is flawed or performance has lagged
• When an estimate is flawed, as when an incorrect estimate of effort-hours is made, the plan should be corrected and downstream tasks should be updated to reflect the change
• When performance has lagged, correction is accomplished by adding resources, lengthening the schedule, or reducing the quality or quantity of the deliverable
Figure 12-4 Negative Feedback Loop
Executing the Plan (continued)
• Often a project manager can adjust one of the three following planning parameters for the task being corrected:
  • Effort and money allocated
  • Elapsed time or scheduling impact
  • Quality or quantity of the deliverable
Wrap-Up
• Project wrap-up is usually a procedural task assigned to a mid-level IT or information security manager
• These managers collect documentation, finalize status reports, and deliver a final report and a presentation at a wrap-up meeting
• The goal of the wrap-up is to resolve any pending issues, critique the overall effort, and draw conclusions about how to improve the process in future projects
Conversion Strategies
• Direct changeover: also known as going “cold turkey,” a direct changeover involves stopping the old method and beginning the new
• Phased implementation is the most common approach and involves rolling out a piece of the system across the entire organization
• Pilot implementation involves implementing all security improvements in a single office, department, or division, and resolving issues within that group before expanding to the rest of the organization
• Parallel operation involves running the new methods alongside the old methods
To Outsource or Not
• Just as some organizations outsource part of or all of their IT operations, so too can organizations outsource part of or all of their information security programs, especially developmental projects
• The expense and time it takes to develop effective information security project management skills may be beyond the reach—as well as the needs—of some organizations, and it is in their best interest to hire competent professional services
• Because of the complex nature of outsourcing, organizations should hire the best available specialists, and then obtain capable legal counsel to negotiate and verify the legal and technical intricacies of the contract
Dealing with Change
• The prospect of change can cause employees to be unconsciously or consciously resistant
• By understanding and applying change management, you can lower the resistance to change, and even build resilience for change
• One of the oldest models of change management is the Lewin change model, which consists of:
  • Unfreezing - the thawing of hard and fast habits and established procedures
  • Moving - the transition between the old and new ways
  • Refreezing - the integration of the new methods into the organizational culture
Unfreezing Phases
• Disconfirmation
• Induction of survival guilt or survival anxiety
• Creation of psychological safety or overcoming learning anxiety
Moving Phases
• Cognitive redefinition
• Imitation and positive or defensive identification with a role model
• Scanning (also called insight, or trial-and-error learning)
Refreezing
• Personal refreezing occurs when each individual employee comes to an understanding that the new way of doing things is the best way
• Relational refreezing occurs when a group comes to a similar decision
Considerations for Organizational Change
• Steps can be taken to make an organization more amenable to change
• Reducing resistance to change from the start
  • Communication is the first and most crucial step
  • The updates should also educate employees on exactly how the proposed changes will affect them, both individually and across the organization
  • Involvement means getting key representatives from user groups to serve as members of the process
Developing a Culture that Supports Change
• An ideal organization fosters resilience to change
• This resilience means the organization accepts that change is a necessary part of the culture, and that embracing change is more productive than fighting it
• To develop such a culture, the organization must successfully accomplish many projects that require change
• A resilient culture can be either cultivated or undermined by management’s approach
Project Management Tools
• There are many tools that support the management of the diverse resources in complex projects
• Most project managers combine software tools that implement one or more of the dominant modeling approaches
• The most successful project managers gain sufficient skill and experience to earn a certificate in project management
• The Project Management Institute (PMI) is project management’s leading global professional association, and sponsors two certificate programs:
  • The Project Management Professional (PMP)
  • Certified Associate in Project Management (CAPM)
Project Management Tools (continued)
• Most project managers engaged in the execution of project plans that are nontrivial in scope use tools to facilitate scheduling and execution of the project
• Using complex project management tools often results in a complication called “projectitis,” which occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work
• The development of an overly elegant, microscopically detailed plan before gaining consensus for the work and related coordinated activities that it requires may be a precursor to projectitis
Work Breakdown Structure
• A project plan can be created using a very simple planning tool, such as the work breakdown structure (WBS)
• In the WBS approach, the project plan is first broken down into a few major tasks
• Each of these major tasks is placed on the WBS task list
Work Breakdown Structure (continued)
• The minimum attributes that should be determined for each task are:
  • The work to be accomplished (activities and deliverables)
  • Estimated amount of effort required for completion in hours or workdays
  • The common or specialty skills needed to perform the task
  • Task interdependencies
Work Breakdown Structure (continued)
• As the project plan develops, additional attributes can be added, including:
  • Estimated capital expenses for the task
  • Estimated noncapital expenses for the task
  • Task assignment according to specific skills
  • Start and end dates
  • Work to be accomplished
  • Amount of effort
  • Skill sets/human resources
  • Task dependencies
Work Phase
• Once the project manager has completed the WBS by breaking tasks into subtasks, estimating effort, and forecasting the necessary resources, the work phase—during which the project deliverables are prepared—may begin
Table 12-2 Early Draft WBS

Table 12-2 Early Draft WBS (continued)

Table 12-3 Later Draft WBS
Task-Sequencing Approaches
• Once a project reaches even a relatively modest size, say a few dozen tasks, there can be almost innumerable possibilities for task assignment and scheduling
• A number of approaches are available to assist the project manager in this sequencing effort
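The WBS attributes listed on the earlier slides (work, effort, skills, interdependencies, plus the capital and noncapital expense columns of a later draft) and the task-sequencing problem raised here can be worked through in code. The example below is added for this page and is not from the textbook or its Tables 12-2 and 12-3: the task list is a constructed, hypothetical hardening project, and the sequencing method (a topological sort over the dependency column, followed by a forward pass that yields earliest start and finish days and the critical path) is one of the "approaches available", chosen here because it also catches the two WBS defects a reviewer looks for, a dependency on a task that does not exist and a dependency cycle.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Task:
    """One WBS line item: the minimum attributes the chapter lists,
    plus the expense attributes a later draft of the WBS adds."""
    task_id: str
    work: str                          # activities and deliverables
    effort_days: float                 # estimated effort, in workdays
    skills: tuple                      # common or specialty skills needed
    depends_on: tuple = ()             # task interdependencies (task ids)
    capital_expense: float = 0.0
    noncapital_expense: float = 0.0


# Constructed sample WBS (hypothetical; not the textbook's tables).
SAMPLE_WBS = [
    Task("1", "Inventory servers needing hardening", 2, ("sysadmin",)),
    Task("2", "Write hardening standard", 3, ("security analyst",), ("1",)),
    Task("3", "Procure configuration-management tooling", 5, ("procurement",),
         ("1",), capital_expense=12000),
    Task("4", "Pilot hardening in one department", 4,
         ("sysadmin", "security analyst"), ("2", "3")),
    Task("5", "Train administrators", 1, ("trainer",), ("2",),
         noncapital_expense=1500),
    Task("6", "Phased rollout to remaining departments", 6, ("sysadmin",),
         ("4", "5")),
]


def validate(tasks):
    """Reject duplicate ids and dependencies on tasks not in the WBS."""
    ids = {t.task_id for t in tasks}
    if len(ids) != len(tasks):
        raise ValueError("duplicate task id in WBS")
    for t in tasks:
        for dep in t.depends_on:
            if dep not in ids:
                raise ValueError(f"task {t.task_id} depends on unknown task {dep}")


def sequence(tasks):
    """Kahn's topological sort: an order in which every task follows all of
    its predecessors. Raises ValueError if the dependency graph has a cycle."""
    validate(tasks)
    indegree = {t.task_id: len(t.depends_on) for t in tasks}
    successors = {t.task_id: [] for t in tasks}
    for t in tasks:
        for dep in t.depends_on:
            successors[dep].append(t.task_id)
    ready = deque(tid for tid, n in indegree.items() if n == 0)
    order = []
    while ready:
        tid = ready.popleft()
        order.append(tid)
        for succ in successors[tid]:
            indegree[succ] -= 1
            if indegree[succ] == 0:
                ready.append(succ)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle in WBS")
    return order


def schedule(tasks):
    """Forward pass: earliest start and finish (in workdays from day 0),
    assuming a task starts as soon as all of its predecessors finish."""
    by_id = {t.task_id: t for t in tasks}
    start, finish = {}, {}
    for tid in sequence(tasks):
        t = by_id[tid]
        start[tid] = max((finish[d] for d in t.depends_on), default=0)
        finish[tid] = start[tid] + t.effort_days
    return start, finish


def critical_path(tasks):
    """Walk back from the last task to finish, always through the predecessor
    that finishes last; the path's length is the minimum project duration."""
    by_id = {t.task_id: t for t in tasks}
    _, finish = schedule(tasks)
    last = max(finish, key=finish.get)
    path, tid = [last], last
    while by_id[tid].depends_on:
        tid = max(by_id[tid].depends_on, key=finish.get)
        path.append(tid)
    return list(reversed(path)), finish[last]


def budget(tasks):
    """Roll up the effort and expense columns of the WBS."""
    return {
        "effort_days": sum(t.effort_days for t in tasks),
        "capital": sum(t.capital_expense for t in tasks),
        "noncapital": sum(t.noncapital_expense for t in tasks),
    }


if __name__ == "__main__":
    starts, finishes = schedule(SAMPLE_WBS)
    for tid in sequence(SAMPLE_WBS):
        print(f"task {tid}: day {starts[tid]:>4} to {finishes[tid]:>4}")
    print("critical path:", critical_path(SAMPLE_WBS))
    print("budget:", budget(SAMPLE_WBS))
```

The forward pass assumes unlimited staff, so the critical path is a lower bound on elapsed time; the skills column is carried so that a later pass can add the staffing constraint the chapter discusses, which only ever lengthens the schedule.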