Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Presentation Transcript


  1. Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
     Chapter 4 Project Processes

  2. Objectives
     • Understand the purpose and benefit of processes in the project processes area
     • Structure and run an effective project planning process
     • Conduct effective, ongoing risk management
     • Control critical project activities such as configuration management and knowledge management

  3. Overview of Project Processes
     • The project processes involve all the control activities that ensure ICT work meets business, technology, and assurance goals
     • Control: a specific action or actions taken to ensure a desired outcome
     • Project management: oversees the organization’s ICT acquisition, development, and sustainment processes
     • Enforces the ICT policies and procedures
     • Ensures effective coordination and control of the organization’s everyday work practices

  4. Defining and Coordinating the Project
     • Project management involves defining and deploying a fully integrated set of activities to achieve a given purpose
     • Project definition and subsequent coordination ensure the efficient use of resources
     • A project management plan defines the requisite activities and tasks for each project
     • The plan should always consist of concrete specifications of the work to be done
     • The plan is typically reviewed and refined over time

  5. Defining and Coordinating the Project
     • The project manager is the person who writes the plan
     • The plan specifies the major elements of the project during the planning period
     • As well as the organizational resources allocated to support each element
     • Strategic planning progress: a set of rational activities that an organization undertakes to accomplish its long-range goals
     • Project activities are planned, documented, evaluated, and adjusted when necessary

  6. Building the Project Team
     • Project teams are typically composed of an integrated mix of business and information technology (IT) workers
     • Questions to ask when building a team:
     • What is the precise mission of the team?
     • What organizational competencies are required to achieve that mission?
     • Are those competencies available for the particular project?
     • Capability: the level of assessed competence of a process

  7. Organizing the Project
     • Failure to satisfy the business purpose is a frequent cause of overall project failure
     • The planned involvement of business stakeholders ensures that all points of view are represented in the final product
     • Differences must be resolved for projects to move forward
     • It is a challenge to incorporate everyone’s vision and capabilities into project planning
     • Following the project process of the 12207 standard ensures best practice

  8. The Project Processes of ISO 12207-2008
     • The 12207 standard presents the processes in a logical order
     • Ranging from general best practices for planning, assessment, and implementation to specific project management and control practices
     • The project planning process establishes the generic management function for the given project
     • The project assessment and control area deals with all related implementation concerns
     • Figure 4-1 on the following slide shows the relationship of these process areas

  9. Figure 4-1: relationship of the project process areas (figure not included in the transcript)

  10. The Project Planning Process (6.3.1)
     • Overall goal of project planning is to develop an effective and realistic set of plans for overall conduct of the project
     • Decides the scope and purpose of the project as well as the timeline and activities involved
     • The project planning process is responsible for describing the scope of work to be done and evaluating whether the work can be carried out with available resources and known constraints
     • Seeks to ensure proper alignment between project goals and reality

  11. Project Initiation
     • First step in the project planning process is to establish the scope of the project
     • Includes defining objectives, motivations, and boundaries
     • Boundary: a perimeter that incorporates all items to be secured
     • Managers can then establish the feasibility of the project by confirming that all required personnel, materials, and technology are available
     • And that the project can be completed on time

  12. Project Initiation
     • Project initiation involves ensuring that the actions of all participants are correctly aligned and coordinated with the achievement of project goals
     • The initiation activity must ensure that the project’s day-to-day activities and tasks are specified with appropriate detail
     • Project initiation must assure that adequate lines of communication have been established among all participants to guarantee effective cooperation

  13. Project Planning
     • Plans usually include:
     • Schedules, milestones, time and resource estimates, and the assignment of roles, responsibilities, and work tasks
     • Might also include:
     • A detailed risk estimate for each activity and task
     • Lifecycle measures to assess the quality and security of each product and process
     • Security: confidence that a given approach will produce dependable and intended outcomes

  14. Project Authorization and Launch
     • After receiving the appropriate from other managers
     • The project manager takes steps to launch the project
     • Projects are established by the creation of a customized management process that establishes:
     • Visibility
     • Management control over project activities

  15. The Project Assessment and Control Process (6.3.2)
     • The project assessment and control process ensures that events are on schedule, on budget, and fulfill the technical objectives laid out in the project plan
     • Quantitative data can be used to evaluate the options and implications of a decision
     • Managers cannot exercise control over projects unless they have an objective means of evaluating how well a project is going
     • Ability to obtain good measurement data is essential

  16. The Project Assessment and Control Process (6.3.2)
     • By collecting standard project performance data, managers can ensure projects run appropriately and within budget
     • Project performance measures should be defined and instituted to support quantitative decision making
     • Performance data can also help identify emerging problems so that managers can judge potential risks and rewards of making further investments in an ongoing project
     • Based on reliable corporate benchmarks

  17. The Project Assessment and Control Process (6.3.2)
     • Many different quantitative measures exist, including basic production metrics such as:
     • Project productivity measured in lines of code (LOC) or function points (FP)
     • The ISO 9126 standard also outlines metrics that consider the functionality, reliability, usability, efficiency, maintainability, and portability of the product under development

  18. The Project Assessment and Control Activities
     • The aim of project assessment and control is to ensure that project objectives are successfully achieved and properly recorded
     • This process ensures:
     • Progress is monitored and reported
     • Interfaces between project elements are properly monitored
     • That managers can correct deviations from the project plan and prevent them from recurring

  20. Project Monitoring
     • Project monitoring is the first formal activity
     • Ensures the:
     • Project is executed correctly
     • Outcomes of monitoring are reported to all internal and external project stakeholders
     • Project monitoring must account for the status of interfaces between internal project elements and outside interfaces with other relevant projects

  21. Project Control
     • Managers must monitor a project in order to control it
     • Monitoring and control are closely associated
     • To enforce proper project control
     • The project manager must be able to investigate, analyze, and resolve any deviations from the project’s planned course of action
     • The impact from any deviation must be evaluated, authorized, and monitored
     • Routine reporting ensures general management oversight

  22. Project Assessment
     • Formal assessment activities during ICT product development are an essential part of good management practice
     • Goal is to ensure that the work continues to run correctly from beginning to end of a project
     • Systematic assessments assure the ICT product requirements and the project’s ongoing activities satisfy the plan’s objectives
     • Assessment results can be used to establish steps that prevent future problems

  23. Project Closure
     • Projects must be formally terminated
     • To avoid wasted resources
     • Reasons a formal termination procedure is necessary:
     • An organization must document that all ICT development activities have been completed as contracted
     • Project data has to be archived to preserve a history of the project
     • Lessons learned from previous projects can help in planning similar efforts in the future

  24. The Decision Management Process (6.3.3)
     • Decision management is a fundamental process of project management
     • Seeks to ensure the best outcome for any concern that arises in the project environment
     • Evaluates all possible directions among a given set of alternatives and chooses the one that provides the likeliest benefit
     • Decision management is initiated by standard operating policies and procedures that are followed when a decision is needed

  25. Decision Management Activities
     • A decision management policy allows managers to make quick and rational decisions about issues that arise in the day-to-day execution of a project
     • Goal is to record, categorize, and promptly report problems and to develop alternative courses of action to resolve those problems
     • With standard policies in place:
     • The project team can ensure decisions made during the project lifecycle are valuable to the organization’s goals

  27. Decision Planning
     • A planning process is the first activity in decision management
     • Involves enumerating and prioritizing all categories of likely decisions
     • In addition to identifying each type of decision:
     • Authorization and responsibilities for making it are assigned to the appropriate decision maker
     • Policies and procedures are selected to guide decisions in each category
     • A formal process is defined to address situations when no policy guidance is available

  28. Decision Analysis
     • Overall aim of decision management is to come up with a decision that leads to the best result
     • Decisions are usually guided by policy
     • If there is no policy:
     • A decision-making strategy or decision protocol must be in place to ensure the right decision is made
     • A decision-making strategy includes functions for gathering information and making trade-offs
     • Allows for the project team to make the best decision from a range of alternatives

  29. Decision Tracking
     • Each decision should be recorded and its outcomes should be tracked, evaluated, and reported
     • Ensures that the decision resolves problems or leads to the desired benefit
     • If not, knowledge gained can provide guidance
     • To track a decision:
     • Records of problems and decisions must be kept
     • Actions associated with the decision must be monitored through reviews, inspections, or audits

  30. The Risk Management Process (6.3.4)
     • Risk management: a set of formal organizational processes that are designed to respond appropriately to any identified adverse event
     • Applies to all types of lifecycle activity
     • Goal is to identify, analyze, treat, and monitor all active and latent risks in the project
     • Threat: an adversarial action that could produce harm or an undesirable outcome
     • Threat assessment ensures that all project risks are identified and categorized

  31. The Risk Management Process (6.3.4)
     • Risk analysis: the assessment of the overall likelihood and impact of a threat
     • Organizations must institute a targeted risk analysis function
     • Which facilitates qualitative and quantitative analyses of any newly identified or emerging risk event
     • Once a risk analysis function has been established
     • The organization must specify formal responses to correctly address all meaningful risks as they occur

  32. Risk Management Activities
     • To determine the scope of the process, organizations must answer two questions:
     • What is the likelihood that each identified risk will occur?
     • What is its anticipated impact?
     • Answers are normally expressed as an estimate of loss, harm, failure, or danger for each risk
     • After scope is determined, risk management policies are defined and implemented
     • Organizations should set priorities for applying the resources needed to mitigate each risk

  34. Risk Management Planning
     • Risk management planning goal:
     • To identify critical risks and then create and maintain an effective set of formal steps to manage each risk
     • Risk management planning helps an organization assign specific roles and responsibilities for the risk management function
     • The plan should describe the process for evaluating and improving overall risk management
     • Including how to use lessons learned
     • Acceptable risk: a situation in which the likelihood or impact of an adverse occurrence can be justified

  35. Risk Profile Management
     • Risk profile management establishes a link between the risk management process and the project’s environment
     • By recording specific information for the state of each risk and its probability, consequences, and risk thresholds
     • Provides explicit policy guidance
     • Priorities established by the risk profile determine the application of resources for treatment
     • Risk thresholds dictate the conditions under which an organization may accept a level of risk

  36. Risk Analysis
     • Risk analysis: information-gathering function that focuses on understanding the nature of risks
     • Documents mitigation strategies for every risk that surpasses its threshold
     • Defines measures for evaluating potential mitigation
     • Risk analysis ensures the most efficient use of security resources
     • Likelihood of occurrence: an assessment of the probability that an event will occur
     • Anticipated impacts are normally expressed as an estimate of loss, harm, failure, or danger

  37. Risk Treatment
     • Risk treatment develops solutions for identified risks
     • The scope of coverage and the required level of assurance are primary influences that define this context
     • Roles and responsibilities have to be defined to carry out the actions necessary to mitigate risks
     • Establishes accountability
     • Each risk has to be categorized by priority to allow for decisions regarding resource allocation

  38. Risk Monitoring
     • Risk monitoring tells decision makers whether risk management objectives are being achieved
     • And whether risk control performance is in line with expectations
     • Qualitative analysis is useful in determining priorities
     • One of the main purposes of risk monitoring
     • Expressed through a set of nominal values, such as high, medium, and low
     • A blend of quantitative and qualitative measures is often used to monitor risk

  39. Risk Management Evaluation
     • Information should be collected throughout the project lifecycle to help improve risk management
     • Data includes identified risks, their sources, their causes, their treatment, and the success of selected treatments
     • An important element of risk management is a series of periodic reviews
     • Two types of review are commonly used:
     • Time-based - occur at regular intervals
     • Event-based - capture information about a particular aspect of the risk management process

  40. The Configuration Management Process
     • Configuration management: a formal process to ensure the continuing status of ICT products
     • To ensure the status of every meaningful item in an ICT product is documented and known at all times
     • Goal: to establish and maintain the integrity of all project components by placing them under formal decision making and oversight control
     • Configuration management serves as the basis to measure quality by confirming the integrity of changes and ensuring they are verified as correct

  42. Configuration Management Planning
     • A configuration management strategy must be planned for each project
     • Describes how configuration baselines are established, maintained, and archived for a project
     • Specifies which staff have the right to authorize, access, and reintegrate changes to baseline items
     • Must also specify the level of integrity, security, and safety for each baseline as well as storage medium
     • Once established, the project manager must specify which items are subject to configuration control (known as identification)

  43. Configuration Management Execution
     • The recording, retrieval, and maintenance of current and preceding configurations should be kept under management control to:
     • Assure correctness, timeliness, integrity, and security
     • A project baseline represents the status of the project at a fixed point in time or circumstance
     • Once the project baseline is established, any changes are described in the configuration record and maintained throughout the system lifecycle
     • Audits may be performed as needed

  44. The Information Management Process (6.3.6)
     • The information management process is a formal function that records and maintains information needed to manage a project over its lifecycle
     • Generates, collects, transforms, retains, retrieves, disseminates, and disposes of all necessary project information
     • Goal is to provide relevant, timely, complete, and valid information to decision makers
     • Ensures the form and content of all project information is proper and correct

  46. Information Management Planning
     • The organization must identify and classify all relevant information and designate which media to use to capture and store information
     • The plan must specify the exact procedure used to capture the data kept for each information item
     • Must stipulate how each item under information management control is developed, inspected, and modified
     • Information management defines the rights, obligations, and commitments of designated parties for retaining and transmitting information

  47. Information Management Planning
     • Information management planning also defines individual access rights for each information item under its control
     • Other primary drivers of information management planning are:
     • Legal
     • Security
     • Privacy

  48. Information Management Execution
     • Once the plan is complete and all responsibilities are assigned:
     • The project team begins to capture and retain the information identified in the plan
     • Stored records are maintained according to integrity, security, and privacy requirements established by the planning function
     • Information can more easily be distributed to all authorized parties by request, by scheduled agreement, or by defined circumstances

  49. Information Management Execution
     • To ensure availability:
     • The medium, location, and protection of information must be ensured and must be compatible with all storage and retrieval requirements
     • Information management ensures that arrangements are in place to retain necessary documentation after a project ends

  50. The Measurement Process (6.3.7)
     • The purpose of the measurement process is to collect, analyze, and report data for an organization’s products and processes
     • To ensure effective management of processes and to objectively demonstrate product quality
     • Also ensures all measurement activities are defined
     • Ensuring consistency of data is important because managers use it to make decisions about all types of project activity
