Cybersecurity for Project Managers. A PRACTICAL GUIDE 9781234567890, 1477123456, 2018675309


English Pages [114] Year 2021


Table of contents:
Title Page
Copyright
Dedication
Preface
INTRODUCTION
CHAPTER 1: WHY SHOULD YOU CARE ABOUT CYBERSECURITY?
CHAPTER 2: BASIC TERMS
CHAPTER 3: RISKS YOU SHOULD WATCH OUT FOR
CHAPTER 4:  INITIATION
CHAPTER 5: PLANNING
CHAPTER 6: EXECUTION
CHAPTER 7: MONITORING & CONTROLLING
CHAPTER 8: CLOSING
CHAPTER 9: TAKEAWAYS
Acknowledgement
About The Author
About The Author
References


CYBERSECURITY FOR PROJECT MANAGERS A PRACTICAL GUIDE Niharika Srivastav & Sanjay Saxena

Copyright © 2021 Niharika Srivastav & Sanjay Saxena All rights reserved The characters and events portrayed in this book are fictitious. Any similarity to real persons, living or dead, is coincidental and not intended by the author. No part of this book may be reproduced, or stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without express written permission of the publisher. ISBN-13: 9781234567890 ISBN-10: 1477123456 Cover design by: Art Painter Library of Congress Control Number: 2018675309 Printed in the United States of America

This book is dedicated to our parents who taught us to dream big and help others.


Preface

Why are businesses and government agencies concerned about cyber security? Why is it becoming a key concern for the boards of directors in numerous companies? Cyber-attacks have had a significant impact on the world in recent years. For example:

In May 2021, Colonial Pipeline, the largest gas pipeline in the United States, was hit by a cyberattack affecting the pipeline's computer systems. The pipeline was shut down, resulting in gasoline shortages across the East Coast. The hackers got away with a ransom of $5 million.

In 2020, hackers breached the third-party software supplier SolarWinds to monitor the internal operations of over 200 organizations worldwide, including many US government agencies.

In 2018, Marriott International, a global hospitality company, reported that hackers had stolen the personal information of millions of customers. More than 100 million consumers' credit card numbers and expiration dates were suspected to have been stolen.

In 2017, Equifax, one of the major credit bureaus in the United States, reported that the personal information of about 148 million individuals had been stolen.

These are only a few examples. The list of cyber-attacks in recent years is long, and it is growing every day. According to Cybersecurity Ventures, the global cost of cybercrime will grow by 15% each year over the next five years. [1] By 2025, it will reach $10.5 trillion USD per year. Furthermore, by the end of 2021, there will be 3.5 million unfilled cybersecurity jobs worldwide. [2]

With the expected large spending on cybersecurity and a severe scarcity of security professionals, cybersecurity has become everyone's responsibility, particularly yours as a project manager. You play a critical role in your organization. You manage projects and programs that develop new products and applications as well as add enhancements to existing ones. You manage and plan activities, collaborate with various teams, and interact with the leadership and, on occasion, with the board. Compared to your coworkers who may be individual contributors, you are at the heart of the many moving parts needed to get projects completed and products delivered on time. It is extremely important that you arm yourself with knowledge of cybersecurity to secure yourself, your teams, your work, and your organization. If you work in an organization, knowing about cybersecurity will help you elevate your personal brand and advance in your career. It will help you have meaningful conversations with the various stakeholders in your organization. If you are seeking work, it will help you stand out in your job search.

[1] https://securityboulevard.com/2021/03/cybercrime-to-cost-over-10-trillion-by-2025/
[2] https://cybersecurityventures.com/jobs/

INTRODUCTION

We have been in the industry for over 25 years managing projects, programs and portfolios. As project management professionals, we've literally had to hunt for relevant information on cybersecurity, as such information just wasn't easily available. Even if it was available and accessible, the information we came across was either too basic or too technical for us and our team members to comprehend. Because of this dilemma, we decided to find a way to simplify this information, in the form of a book tailored for project managers. This book will equip you with the tools needed to secure yourself, your products, and your company. Whether you are a technical or a non-technical Project Manager, this is designed to be a one-stop essential read for you. We'll start with the questions: "Why is it essential for you to know about Cybersecurity?" and "Why is it so important for you to acquire this knowledge in this day and age?" There is an ocean of information in front of you, but what information is critical to you as a Project Manager? And how will you put this information into perspective and use it in your projects and programs?

We'll provide you with the practical guidance and tips needed to succeed at work. According to the PMBOK (Project Management Body of Knowledge) 6th edition, the project management processes are divided into five groups[1]:
1. Initiating
2. Planning
3. Executing
4. Monitoring & Controlling
5. Closing

[Figure: Example of Process Group Interaction within a project, PMBOK 6th Edition]

We'll go through each process group of the project and give real, concrete steps you and your teams can take to develop secure products and applications.

Chapter 1 defines Security and Privacy, as well as the major events that have made expertise in cybersecurity vital for Project Managers.

Chapter 2 discusses the key cybersecurity concepts and definitions in the context of a case study.

Chapter 3 talks about the risks you should watch out for as a Project Manager.

Chapter 4 discusses the project's Initiation processes and the actionable steps you and your team must take to create secure and compliant products, with security integrated from the beginning.

Chapter 5 covers the project planning processes. It delves into how to embed security into the different plans you develop throughout the planning process.

Chapter 6 covers building or enhancing the products with a security mindset in the project's execution processes.

Chapter 7 provides guidance on making sure that your team is following the plan from a security and compliance perspective.

Chapter 8 discusses the closing processes.

Chapter 9 covers the measures you should take to instill a cyber-secure culture in your workplace.

CHAPTER 1: WHY SHOULD YOU CARE ABOUT CYBERSECURITY?

Why should you be concerned about cybersecurity? You may have successfully led and managed critical projects as a project manager. Your team may have been tremendously successful at bringing products to market and solving real business problems. However, despite all that success, there might be a missing piece. Well, what is it? It's making sure that security is not just a project checklist item required for a project sign-off, but that it's deeply ingrained in every single phase of the project life cycle. There has been a massive surge in cyberattacks in the recent past, which has made it more important now than ever to keep your products secure. According to Wired Magazine, 80 percent of cyberattacks could have been prevented. This shows how you, as a project manager, can play a significant part in mitigating the risk of a future attack on your company. In this chapter, we'll discuss security as well as privacy, as the two go hand-in-hand. We'll also look at recent events that have raised the risks of cybercrime. Let's first define two of the most fundamental terms of this chapter: Security and Privacy.

SECURITY

When we leave the house, we lock our doors. Why do we lock our doors? We do this to safeguard our physical belongings such as electronic devices, gadgets, critical documents, and the private information stored on digital devices (laptops, tablets, smartphones, etc.). In this case, the lock is a layer of security. Why is it just a layer? Because locking the door simply isn't enough to prevent theft. Even if you locked the front door, what about the windows and the back door? They, too, will have to be locked and secured. Monitoring cameras, alarm systems, sensors, and other devices serve as additional layers in preventing theft. In a nutshell, we are securing the assets and information in our house and, hence, implementing Security.

Similarly, your organization also has a variety of physical assets (critical documents, office supplies, server rooms, etc.). You definitely don't want unauthorized people to get access to these assets. Apart from these physical assets, software applications and products also exchange sensitive data over the internet. I'm sure you don't want any sensitive data to end up in the wrong hands during transit. So, how do you protect your assets? You implement technologies, put processes and practices in place, and hire professionals to safeguard your sensitive information and other assets. Security refers to how your belongings and information are protected. In other words, security can be defined as implementing technologies, processes, and practices designed to protect your assets and sensitive information from unauthorized use and access.

PRIVACY

Do you host parties? Well, we're assuming that as soon as the pandemic ends, you might. When hosting a party, we welcome guests into our home. However, do we allow them any access to sensitive information such as our social security number (SSN), mother's maiden name, credit card, and bank account information? No, of course not. This information is ours to keep. You never know when somebody who crashed your party will exploit this sensitive information to harm your reputation. Perhaps he may use this information against you financially. How will he exploit it? He could use your credit card to buy a PS5 for his daughter. Well, how frequently do you review your credit card transactions? Probably not often, right? Maybe he's been using it for months or even years, but you're not even aware of it. Perhaps he records a fictitious criminal action involving you using your SSN. This record now clings to your credit history until you learn one day that your daughter was denied admission to a school because of your background check. Privacy is keeping your own personal critical information to yourself or to the people you earnestly trust.

Let's talk about privacy on social media. We share our accomplishments with friends and family on Facebook, Instagram, Twitter, etc. We agree that during the COVID-19 pandemic, social media provided an excellent way to stay in touch with family and friends. However, do you disclose sensitive information there? I'm sure you don't, and you certainly wouldn't want social media sites to disclose your information without your consent either. Come to think of it, you would not want any business you deal with, whether it is your bank, doctor's office, or mortgage company, to share your information without your consent. Everyone has a right to share information while keeping some information private. Privacy is your right to have control over how your personal information is collected and used. In a nutshell, privacy is about what information is protected, and security determines how that information is protected.

Security: Security is the application of technologies, processes, and controls to protect your assets and sensitive information from unauthorized access or use.

Privacy: Privacy is your right to have control over how your personal information is collected and used.

[Exercise] We have an exercise for you. Identify your personal information that is critical for you and think about the steps you are taking to maintain the security and privacy of that personal information.

Events that are driving the demand for security

As we mentioned earlier, the number of cyber-attacks and breaches has increased significantly in the last couple of years. Four compelling reasons driving the need for security are:
1. Digitization
2. The Pandemic
3. An increase in attacks
4. Compliance

Let's go through each of these in-depth.

Digitization

Let's start by defining digitization. What is digitization? Let's use calling a taxi as an illustration. Do you still use your rotary phone to call a taxi to the airport? No. Does the taxi driver already have your credit card details on file in order to save you time? No. Is the driver aware of your prior interactions with other taxi drivers? These questions surfaced before Uber and Lyft came into existence. You can now use these apps to improve your cab experience. The taxi industry has been digitized. Let's look at another example: a bank! Do you still go to the bank to deposit checks, check your balance, or transfer money? No, you can now deposit checks on your smartphone by using your bank's app. You now have the option to check your balance at any moment, including after hours. You could also send money using the same app if you wanted. As a result, your banking procedure has been modernized; it has been digitized.

Digitization is the process of converting paper information into a digital format so that it can be used by computers. Organizations use their computers and this data to provide you a quality user experience, like the Uber app. We have seen tremendous digitization this past decade. Organizations are rapidly adopting technologies to automate their processes and provide a better user experience to their customers. COVID-19 has further accelerated the deployment of digital technology. Technology is being employed in a plethora of ways. We now use our phones and laptops to do things like banking and grocery shopping. We have reduced our grocery store trips by around 90% in the last year. This might be the case for you too. The amount of time we spend on our gadgets has increased dramatically in recent years. We are constantly sharing our data on social media, and some of us are connecting to free Wi-Fi networks. Gen Z (the younger generation, kids born after 1997) is the most active generation on the internet right now, connecting with the world through TikTok, Instagram, and other social media. This vast world of information and data is stored in the cloud. There are connected devices all around us: our phones, vehicles, refrigerators, microwaves, and a variety of other equipment, all connected to the internet. These connected devices are often referred to as IoT, the Internet of Things. The introduction of 5G has made connected gadgets even more connected than before.

Okay, digitization has occurred at a rapid pace. But why should you be concerned? What effect does this have on you as a project manager? Rapid digitization has raised cyber threats. Your projects may generate a large volume of data that must be protected. Furthermore, your organization may store data in the cloud. You must be aware of what data is being kept in the cloud and how it's being protected. Your applications may run on mobile and IoT devices, and it's essential that they be protected. As a leader, you must be aware of the new risks that have arisen as a result of digitization and need to know how to handle them. All of this is to say that cybersecurity awareness has never been more vital.

Pandemic

COVID-19 has compelled businesses to establish remote workforces. Some of us are still working remotely, and some of us are assisting our children who are attending school online from home. This is making us more vulnerable and distracted than ever before. On the other hand, cybercriminals are also working from home and are perhaps working harder than us. Since they, too, were not going on vacation or to shopping malls because of the quarantines around the world, they could enhance their repertoire and skills to become more efficient at cyber-attacks. They have more tools, resources, and patience than one might think. Cybercriminals are increasingly targeting remote employees by sending them fake, spam emails. If an employee opens one of these emails, this gives hackers an opportunity to steal sensitive information and gain control through remote access. According to the FBI, the number of cyberattack reports has risen to as high as 4,000 a day. This is a 400% increase over what they were witnessing before the coronavirus. As a project manager, ensure that your team understands the standards for safeguarding digital assets and corporate data when working remotely.

Increase in attacks & sophistication of attacks

The growing frequency and severity of cyberattacks on vital infrastructure are widely regarded as one of the most serious problems of the current decade. Recent cybersecurity incidents lend credence to this assertion. The breach of SolarWinds, which is thought to have been coordinated by Russia's intelligence agency, and the hacking attack on Microsoft-designed systems, which was most likely carried out from China, highlighted the growing number of attackers worldwide and the sophistication of the tools they are using. Cybercriminals recognize that businesses cannot keep up with technology developments while still keeping their information and data protected. Since the development team is constantly on the go to build new products and features, they sometimes fail to give importance to security and frequently ignore it altogether. This gives well-prepared, skilled cybercriminals the ability to easily pounce on any opportunity. You and your teams must be well-informed of recent attacks in order to plan to defend against them. As a project manager, this will also enable you to have educated conversations with your organization's security specialists.

Compliance

What is Compliance? Various authorities have enacted rules to ensure that businesses comply with various laws, as well as security and privacy standards. Fines are levied if these are not followed. Compliance requirements depend on the industry, the type of business, the services provided, and the standards the government requires. For example:
Healthcare organizations must comply with HIPAA to protect patients' sensitive data.
Any company that accepts credit card payments must adhere to PCI DSS (Payment Card Industry Data Security Standard).
SOX (Sarbanes-Oxley) affects all publicly traded firms in the United States.

You may feel that you already have a lot on your plate, and now you have to comply with these frameworks too. Do these authorities enjoy handing extra responsibilities to companies? Actually, these frameworks have simplified the process. As a consequence, we don't have to start from scratch when it comes to ensuring security and compliance in some areas. These frameworks have rules and guidelines for your team to adhere to. It is critical for you, as a manager, to be aware of the latest compliance requirements when managing your projects and initiatives. As a Project Manager, you may need to factor in time and budget for the Compliance team to analyze and provide feedback on your project. You should also account for the time it will take the team to fix any defects.

Review your understanding

1. What is privacy?
1. The practice of defending computers and servers, mobile devices, electronic systems, networks, and data from malicious attacks.
2. The right to have control over how personal information is collected and used.
3. ... in an organization.
4. None of the above

2. What is security in cybersecurity?
1. Protection from unauthorized access
2. Rules on storing sensitive data
3. The quality of being reliably true.
4. Something pledged for repayment of a loan, to be forfeited in the event of a default.

3. What happens when an organization does not give enough attention to its cybersecurity needs?
1. Loss of trust and user base if data is leaked.
2. Increased chance of a large fine if compliances are not met.
3. Easier for critical sensitive information held by the firm to reach the wrong hands.
4. All of the above

4. What are the reasons for increasing cybersecurity needs in the world?
1. Cybersecurity risks and attacks are increasing day by day
2. There are compliance standards set by organizations on how certain types of data are to be handled.
3. The world is rapidly digitizing, resulting in an increase in data leak risk and attacks.
4. All of the above

5. How does Rapid Digitization affect organizations?
1. It does not affect
2. It decreases cyber risks
3. It increases cybersecurity threats
4. A or C

6. Which of the following is not a part of compliance?
1. Laws and Policies
2. Rules and Standards
3. Regulations and Requirements
4. Threats and Attacks

7. What is compliance?
1. The practice of defending computers against cyberattacks
2. Regulations put in place by authorities
3. A request for personal data to the company
4. None of the above

Summary

In this chapter, we saw why we, as project managers, need to educate ourselves on cybersecurity. Security for the applications we develop should not be just a checklist item; instead, it should be deeply ingrained within the products we build to protect our applications from any future attacks. We also went over some basic definitions of security and privacy. The security of your organization is how assets like various physical belongings, critical documents, and important information are protected from unauthorized access.

Privacy is the right to have control over how personal information is collected and used.

We also saw in detail how rapid digitization, the increase in cybersecurity attacks, and compliance standards such as HIPAA and PCI DSS are driving cybersecurity needs across the globe, and why, as project managers and leaders, we need to be aware of the new risks that have originated from digitization and how to manage them.

Answers: 1b 2a 3d 4d 5c 6d 7b

CHAPTER 2: BASIC TERMS

As we covered in the previous chapter, knowledge of the basics of cybersecurity is essential for you and your team, whether you are a project manager, program manager, or the head of the PMO (Project Management Office). However, what in the vast field of cybersecurity should you be aware of? What do you need to do in order to have informed discussions with your company's security professionals? Lastly, how do you discuss security, privacy, and compliance with your team members? Do you happen to recall any meetings where your developers were discussing security? If you do, they may have used technical jargon which you simply couldn't understand. To cheer yourself up you might have discreetly told yourself, "Don't worry, you don't need to know this stuff; it's for technical people, and you're in management." Still, you probably would have felt more engaged if you could comprehend what they were talking about. Good news: this chapter will help you sound much more well-informed and knowledgeable the next time security is discussed in a meeting. We hope that you become more vocal, using the terminology you learn as you keep reading. Most importantly, you will play a critical role in integrating security into the products and applications your team is developing. With that, let's now dive into some fundamental terminology and concepts. It's generally easier to understand new terms and concepts when they are contextualized, so, as an example, we'll refer to a case study. Let's suppose you work for a healthcare company and have been assigned as the project manager for a new project. The goal of this project is to help patients recover after being hospitalized. When patients are discharged from the hospital, there is no way for doctors to monitor whether or not patients are following the guidelines required for recovery. Your team is in charge of addressing this issue by developing patient self-service applications that will allow patients to interact with their care team, track their physical activities, receive reminders to take their medications, and set up post-op appointments.

Let's now try to understand the basic terms of security and privacy in the context of this case study. We'll name this project "My Health." In this section, we'll go over three fundamental security principles: Confidentiality, Integrity, and Availability. We'll refer to these three principles collectively by the acronym CIA Triad. Make sure not to confuse this with the Central Intelligence Agency.

The 3 Pillars of the CIA Triad:
Confidentiality
Integrity
Availability

Confidentiality

Our "My Health" project will deal with personal patient health information such as name, age, SSN, Insurance ID, doctor's findings, and more. Now, ask yourself a question. Would the patient be willing to share this information with the hospital personnel? Of course! How else would she be able to receive the care she requires? Should this information, however, be shared with someone else? It really comes down to who this "someone else" is. Why? Mainly because you wouldn't want the rest of the world to know about a patient's personal information and health problems. This is sensitive data and should most definitely be kept safe and in the right hands. The protection of data from unauthorized use is referred to as Confidentiality. It is about ensuring that no confidential information is disclosed to unauthorized individuals.

We have some questions for you to answer now. What data is collected in your projects? How much of that data is sensitive? Who on your team knows this information? In most projects, this information is provided by business specialists and product owners. They collaborate with the security and privacy teams to compile a list of confidential data pertinent to the project. There are frameworks like HIPAA (Health Information Portability & Accountability Act) that have guidelines to identify what data is considered sensitive. Find out what frameworks apply to your project. As a Project Manager, what you can do is make sure everyone on your team has this information easily accessible. Here is a sample of what data is confidential:
PHI - Personal Health Information (examples: patient's name, address, birth date, hospital admittance and discharge dates, etc.)
PCI - Payment Card Industry (examples: cardholder's name, account number, security code, etc.)
PII - Personal Identifiable Information (name, address, birth date, etc.)

Integrity

Assume a doctor has prescribed 100 mg of a certain medication to a patient. What if a hacker intercepts the prescription while it's in transit from the doctor's office to the pharmacy and decides to tamper with it? Let's assume that, as a result, he changes the value from 100 to 300 mg, because he very well can. For the hacker this isn't a big deal, but what about the patient? If the patient takes 300 mg of the medicine instead of 100, he could die, and if he doesn't die, he could still lose his senses permanently. Anything is possible. Your products may now be under scrutiny, and you and your team may face consequences that could easily have been averted. It's important that the recipient receives messages intact, in other words, without their being altered. If a message is modified, then it loses its value. The accuracy and completeness of data are what we call Integrity. You and your team need to ensure that the data in your application is safe from unauthorized modification, deletion, or destruction.

Exercise: Find out what data your application will share or exchange with external systems.

Availability

Assume the patient requires the My Health app to renew medications and communicate with the care team, but the app is unavailable. This could be due to servers failing or systems being shut down as a result of a cyberattack. Regardless of the reason, the users won't be able to access the application. Some examples of cyber-attacks are Ransomware, DDoS, etc. Don't fret about these new terms; we'll go over them in the upcoming chapters. Keep in mind that if the data or the servers are unavailable, your website or mobile app will malfunction. This will have an impact on the patient's care, and if the patient is in critical condition, anything can happen. It will lead to mishaps, a loss of reputation, and the loss of your patients' trust. There's also a great possibility that fines could be levied against your company. Availability ensures that all systems and applications are up-to-date and available to the users. The systems must be protected from unintentional destruction, and information must be available when needed, even during holidays or natural disasters.

Exercise: Work with your team to determine what data you're collecting in your projects and how the data's confidentiality, integrity, and availability are maintained.
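As an added illustration of the Integrity principle from the prescription example (example code written for this edit, not from the book or any "My Health" project): the doctor's office attaches an HMAC-SHA256 tag to the prescription record, and the pharmacy recomputes the tag and refuses any record whose dosage was changed in transit. The shared key, the record fields and the helper names are all constructed for the illustration.

```python
"""Integrity protection for a prescription record in transit.

Added example, not from the book. The sender (doctor's office) computes an
HMAC-SHA256 tag with a key shared with the receiver (pharmacy). The receiver
recomputes the tag over what it actually received; any change to the record,
such as 100 mg becoming 300 mg, produces a different tag and is rejected.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key. A real deployment provisions this from a key store
# and never hard-codes it; it is here only so the example runs offline.
SHARED_KEY = b"constructed-demo-key-replace-me"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(record: dict, key: bytes = SHARED_KEY) -> str:
    """Sender side: HMAC-SHA256 tag over the canonical record, as hex."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(sign(record, key), tag)


def pharmacy_accepts(record: dict, tag: str) -> bool:
    """The pharmacy fills the prescription only if the tag verifies."""
    return verify(record, tag)


def transit(record: dict, tag: str, tamper: Optional[dict] = None) -> Tuple[dict, str]:
    """Simulates the network hop. A party in the middle may rewrite fields,
    but without SHARED_KEY it cannot produce a matching tag for the rewrite."""
    delivered = dict(record)
    if tamper:
        delivered.update(tamper)
    return delivered, tag


# Constructed sample prescription as the doctor's office would send it.
PRESCRIPTION = {
    "patient_id": "P-0001",        # constructed identifier
    "drug": "example-medication",  # constructed name
    "dose_mg": 100,
    "prescriber": "Dr. Example",
}


def demo() -> dict:
    """Runs an honest hop and a tampered hop; returns the pharmacy's decisions."""
    tag = sign(PRESCRIPTION)
    intact, tag_a = transit(PRESCRIPTION, tag)
    altered, tag_b = transit(PRESCRIPTION, tag, tamper={"dose_mg": 300})
    # A tag computed under any other key is rejected too: the check depends
    # on the shared secret, not just on the hash function.
    other_key_tag = sign(altered, key=b"some-other-key")
    return {
        "intact_accepted": pharmacy_accepts(intact, tag_a),          # True
        "altered_accepted": pharmacy_accepts(altered, tag_b),        # False
        "other_key_accepted": pharmacy_accepts(altered, other_key_tag),  # False
    }


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print(f"{outcome}: {accepted}")
```

Note that the HMAC provides integrity and origin authentication only; keeping the prescription confidential on the wire is a separate control (encryption), as the Confidentiality section above describes.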

More Cyber Security Terms

ASSET

An asset is anything that is valuable, useful, and must be protected. Look around you. Is there anything that you consider to be valuable? That would include your laptop, phone, furniture, documents with sensitive information, and other items you would deem confidential. Want a more holistic explanation of what you'd consider an asset? Let us assist you. Here are some examples of assets:
Physical devices such as laptops, tablets, smartphones, and essentially any device that your team uses to access company and customer data may be considered assets in your project.
Software: this includes mobile apps, websites, employee applications, and the application your team is currently developing.
Data: customer data, company data, and even project data, inclusive of user stories, requirements, product backlogs, and any other information created and used in your project, can all be considered assets.
Finally, assets include work locations such as the company's office, hospitals, server rooms, data centers, meeting rooms, and your home office.
Assets must be safeguarded against attacks or unauthorized access.

THREAT

A bear in the jungle. Or an armed gunman. They're both threats to your physical security, aren't they? Now let's look at it from a cybersecurity standpoint. A threat is any person or event that can impact the confidentiality, availability, or integrity of any asset. An unidentified person roaming around the office building is a threat. A phone call saying that your car's warranty has expired and you must purchase it during this call is a threat. Another call saying that you have been involved in criminal activity and that your crime can be fixed if you deposit money is a threat.

Let us now shift our focus from personal threats to organizational threats. Outsiders may attempt to obtain your project team members' credentials. Their goal may be to gain access to customer and company information. In our hypothetical project, a cybercriminal may be able to access a part of the application without a login and view sensitive data. This could happen as a result of a design or coding flaw. As a manager, you must be aware of potential threats. As we progress through this book, we'll take a close look at the various types of threats.

RISK

The possibility that something detrimental will occur is referred to as risk. Consider the following scenario: you have completely secured your home, but one of your windows was left open. This would be ideal for a thief to break in and steal your belongings. The repercussion is a financial loss, as well as your personal information falling into the hands of an individual with malicious intentions. In our My Health project example, if a patient's data falls into the hands of unauthorized individuals, the organization's reputation could be jeopardized permanently. It could have financial consequences as well, as the company may be fined for data theft. As we discussed earlier, patient health data is classified as PHI (protected health information). Healthcare organizations must comply with HIPAA and can face severe penalties if PHI falls into the wrong hands. Risk management is an integral part of your job; the better you manage security and privacy risks, the less likely your organization will be a victim of cyberattacks and data breaches. In the next chapter, we will go over the risks you should watch out for as a project manager.

VULNERABILITY

A vulnerability is defined as a flaw or weakness in the design or implementation of an asset that could be exploited by a threat. A broken window in your home is a vulnerability because it can be used by a thief to gain entry. People with malicious intent are always on the lookout for a flaw or loophole in the system. An employee who does not lock the workstation when leaving, or who writes the password on a Post-it note, is a vulnerability. In our example My Health applications, a vulnerability is a design or coding flaw that allows an intruder to access the application. It is critical that your project does not introduce any new vulnerabilities, and that any that do exist are identified and fixed as soon as possible.

BREACH If a thief breaks into your home and gains access to valuables and confidential documents, It's a breach. At the workplace, unauthorized access to an email account, laptop, server, or computer network is considered a breach. The very infamous SolarWinds breach that happened in 2020 exposed sensitive data of top government agencies and large organizations. “Not long ago, a data breach affecting a few million people would have made headlines. Breaches affecting hundreds of millions or even billions of people are now far too common.” CSO Online [2] When an intruder gains unauthorized access to an organization's protected systems and data, it’s referred to as a breach. In our sample "My Health" program, a breach occurs if an intruder gains access to patient data.

Exercise: In the table below, list the assets, potential threats, risks, vulnerabilities, and breaches in your project.

Assets | Threats | Risks | Vulnerabilities | Breaches

These were some fundamental words you should be familiar with. As we introduce new words throughout the book, we will define them.

Review your understanding

1. Which of the following is not an element of the CIA Triad?
a. Confidentiality
b. Privacy
c. Availability
d. Integrity

2. What is confidentiality?
a. Collection of user's personal data
b. Protection of data from unauthorized use
c. Storage of personal information
d. None of the above

3. The accuracy and completeness of data is called
a. Integrity
b. Confidentiality
c. Privacy
d. Availability

4. For data to maintain integrity, it should be
a. Protected from unauthorized modification
b. Protected from deletion or destruction
c. Kept consistent with its source
d. All of the above

5. Ensuring your systems and applications are available to users at all times is called
a. Completeness
b. Liveness
c. Availability
d. Integrity

6. Which of the following could be termed as an asset to your company?
a. Your laptop
b. The application that lets you log in to your company portal
c. The user requirements for a new product you are building
d. All of the above
e. None of the above

7. An unidentified person roaming around in the office building is
a. Asset
b. Risk
c. Threat
d. All of the above

8. The probability that something bad will happen or a situation involving exposure to danger is
a. Asset
b. Risk
c. Threat
d. None of the above

Summary
In this module, we covered some important terms and definitions relating to cybersecurity with the example of an application, My Health. We understood that there are three foundational principles of security that together form the CIA Triad. They are:

Confidentiality: the protection of data from unauthorized access and use.
Integrity: the accuracy and completeness of data. This includes protection from unauthorized modification, deletion, or destruction, and keeping data consistent with its source.
Availability: ensuring systems and applications are available to users at all times.

We also discussed a few other terms:

Asset: anything that is valuable, useful, and which needs to be protected. This can include but is not limited to physical devices, software, data, work locations, etc.
Threat: any person or event that can negatively impact the confidentiality, availability, or integrity of any asset.
Risk: the probability that something bad will happen to your asset.
Vulnerability: a flaw or weakness in the design or implementation of an asset that could be used by a threat.
Breach: unauthorized access to any of your assets.

In the next chapter, we will discuss the risks you should be aware of as a Project Manager.

Answers
1b 2b 3a 4d 5c 6d 7c 8b

CHAPTER 3: RISKS YOU SHOULD WATCH OUT FOR

What is a RISK?
We defined what a "risk" was in the last chapter, but let's review it one more time. A risk is the probability of something detrimental occurring. Risk management is an important aspect of your job. The first step in risk management is to identify the potential risks. What are the security, privacy, and compliance risks you should be aware of? Let's look at what could be potential risks to our example "My Health" project.

RISK OF NON-COMPLIANCE
Assume you've been invited to a high-end formal party. A large number of high-profile individuals and senior executives from your company are expected to be there. You have a fantastic opportunity to network and meet new people. Your boss sent you an email about the party, with the dress code. You somehow missed reading it and arrived at the party unprepared. Does this ring a bell? Now, you and your spouse stand out for not adhering to the code. Your boss wanted to introduce the company's super PM to the CEO, but you are now hiding, very self-conscious and sad. You missed this opportunity just because you did not comply with the dress code. There is always a downside to not complying. Let's talk about our example project. The "My Health" app will undoubtedly have to comply with HIPAA. While your team is implementing the compliance items, there is a chance that some item is overlooked. What happens in that situation? Your company's reputation may suffer, and you may be paying hefty fines. Your project may be subject to additional scrutiny and a significant delay. Based on the industry and the country you are in, you may have to comply with additional regulations. We will cover those in detail in subsequent chapters. As a PM, you must make sure that your products comply with the regulations.

MALWARE

What is Malware? Have you ever looked through the 'Junk E-mail' folder? There is a slew of emails with misspelled words and a plethora of emails with attachments. It may happen that you open an attachment, and some software is installed on your computer. Has it ever happened to you? Not yet? Lucky you. Don't even try it. As previously stated, it may install software that transfers data from your computer to the mail sender. It could be ransomware. If it is, you will see a pop-up message on your screen stating that all of your documents, including sensitive information, photographs, and videos, will be deleted unless you immediately transfer $100,000 into the mail sender's account. At work, you or your team members may visit websites that install similar malicious software on work computers. This malicious software is called malware. It infects the machine and may spread from one computer to another on the network. Some examples of malware include viruses, worms, and ransomware. How are viruses, worms, and ransomware different? Viruses spread from one program to another on a machine. Worms spread from one machine to another on a network. Ransomware can block access to your computer systems until a sum of money is paid online. Ransomware is very common these days. According to Infosecurity magazine, ransomware attacks increased by 485 percent in 2020. Do you remember the Colonial Pipeline ransomware attack? They ended up paying about $5 million as ransom. As a PM, you should be aware of the various types of malware, and how you can protect your systems and networks from them.

PHISHING
Have you ever received an email from your boss that said, "I need you to transfer funds to XYZ"? Or an email from a friend with the subject "I'm stuck in Costa Rica, need funds"? Do you recognize any of these?

During the COVID pandemic, we received several emails requesting that we schedule COVID vaccination appointments, even though we were not eligible at that time. In your project, your team members may receive emails instructing them to click on malware-infected links. They may also receive emails requesting confidential project information. These emails are called phishing emails. Phishing is a method of spreading malware. Emails are the source of all malware for 46% of organizations (Verizon 2020 Data Breach Investigations Report). Phone calls can also be used to commit phishing; this is referred to as voice phishing or vishing. SMS or text messages used for phishing are called smishing. Phishing attacks are the top security threat, according to 56% of IT decision-makers. As per Varonis.com, phishing was used in 32% of breaches.
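The patterns just described (a message that appears to come from the boss, a friend "stuck" abroad asking for money, a link to an unfamiliar site) are things a mail gateway or a help-desk triage script can check for mechanically, which is how a project team turns this awareness into detection. The Python below is an added example written for this page, not code from the book or from any product it mentions; the corporate domain myhealth.example, the executive name list, the rule set, and the three sample messages are all constructed for illustration, and the rules are deliberately simple rather than a complete phishing filter.

```python
"""Added example: heuristic phishing triage over constructed sample e-mails.
The rules are illustrative, not a complete filter."""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "myhealth.example"          # assumed corporate mail domain
EXECUTIVES = {"jane doe"}                     # constructed: display names often spoofed
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|stuck|wire|transfer funds|gift card)\b", re.I)
URL = re.compile(r"https?://([\w.-]+)", re.I)


def is_internal(host: str) -> bool:
    """True only for the corporate domain and its subdomains."""
    host = host.lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def triage(msg: dict) -> list:
    """Return the phishing indicators found in one message.
    msg carries the strings "from", "subject", "body" and optionally "reply_to"."""
    findings = []
    name, addr = parseaddr(msg["from"])
    sender_domain = addr.rsplit("@", 1)[-1]
    # 1. A known executive's display name on an address outside the company.
    if name.strip().lower() in EXECUTIVES and not is_internal(sender_domain):
        findings.append("display-name impersonation")
    # 2. Replies silently redirected to a different mailbox.
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and reply.lower() != addr.lower():
        findings.append("reply-to mismatch")
    # 3. Urgency or money language in the subject or body.
    if URGENCY.search(msg["subject"] + " " + msg["body"]):
        findings.append("urgency or payment lure")
    # 4. Links that lead outside the company.
    for host in URL.findall(msg["body"]):
        if not is_internal(host):
            findings.append("external link: " + host)
    return findings


def classify(msg: dict) -> str:
    """Two or more indicators: hold for review; one: deliver with a warning; none: deliver."""
    hits = len(triage(msg))
    return "quarantine" if hits >= 2 else "warn" if hits == 1 else "deliver"


# Constructed sample messages (no real people or domains).
SAMPLES = [
    {"from": "Jane Doe <jane.doe@myhealth.example>",
     "subject": "Sprint review notes",
     "body": "Slides are at https://wiki.myhealth.example/sprint-12"},
    {"from": "Jane Doe <jane.doe.ceo@webmail.example>",
     "reply_to": "payments@other.example",
     "subject": "Urgent: transfer funds today",
     "body": "I need you to transfer funds to XYZ immediately."},
    {"from": "Old Friend <friend@mail.example>",
     "subject": "Stuck in Costa Rica",
     "body": "Lost my wallet, please send money here: http://help-me-now.example/pay"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(classify(m), triage(m))
```

The first sample (a real internal message with an internal link) passes clean, while the "boss needs a transfer" and "stuck abroad" samples each trip at least two rules and are held for review. Any single rule is easy to evade, which is why the decision is based on the count of independent indicators rather than on one signature.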

APPLICATION VULNERABILITY
In 2017, the personal information of approximately 15 million people was stolen from the American credit reporting agency Equifax. Why? There was a vulnerability in open-source software used by Equifax. You may be one of those who were affected. Now, imagine there is an issue in the "My Health" app, and one patient can see the health information of another patient. This could be due to a flaw in the design or coding. What will be the result of this? The private patient data will be exposed. Also, the application will be non-compliant with HIPAA. This is one example, but security flaws in applications may go undetected. Cybercriminals can steal sensitive data by exploiting software, hardware, and design vulnerabilities.
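The flaw described in this section, and in the threat discussion of Chapter 2 (a patient seeing another patient's record, or part of the application reachable without a login), usually comes down to a request handler that trusts the record identifier in the request. The Python below is an added example written for this page, not code from the book; it shows such a handler next to a hardened one that checks the session and the caller's relationship to the record before returning anything. The record store, session table, care-team table, and function names are all constructed for illustration.

```python
"""Added example: a 'get patient record' handler with the access-control flaw
the book describes, beside a hardened version. All data here is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """What the login step would establish: who is calling and in what role."""
    user_id: str
    role: str  # "patient" or "clinician"


class Unauthorized(Exception):
    """Raised when the request must be refused instead of served."""


# Constructed sample data: patient records keyed by patient id.
RECORDS = {
    "p-100": {"name": "A. Patient", "medications": ["drug A 10 mg twice daily"]},
    "p-200": {"name": "B. Patient", "medications": ["drug B 5 mg at night"]},
}
# Constructed session table: bearer token -> Session.
SESSIONS = {
    "tok-p100": Session("p-100", "patient"),
    "tok-dr1": Session("dr-1", "clinician"),
}
# Constructed care-team table: which clinicians may see which patients.
CARE_TEAM = {"dr-1": {"p-100"}}


def get_record_vulnerable(patient_id: str, token: Optional[str] = None) -> dict:
    """The flaw: the record is selected by the id in the request and nothing
    ties that id to the caller. Any id works, and no token is needed at all."""
    return RECORDS[patient_id]


def get_record_hardened(patient_id: str, token: Optional[str]) -> dict:
    """Authenticate (is there a valid session?), then authorize (may THIS
    caller read THIS record?), and only then look the record up."""
    session = SESSIONS.get(token) if token else None
    if session is None:
        raise Unauthorized("login required")
    is_owner = session.role == "patient" and session.user_id == patient_id
    is_care_team = (session.role == "clinician"
                    and patient_id in CARE_TEAM.get(session.user_id, set()))
    if not (is_owner or is_care_team):
        # Refuse without revealing whether the id exists.
        raise Unauthorized("no access to this record")
    return RECORDS[patient_id]


def can_read(token: Optional[str], patient_id: str) -> bool:
    """Boolean form of the hardened check, handy for tests and access audits."""
    try:
        get_record_hardened(patient_id, token)
        return True
    except Unauthorized:
        return False


if __name__ == "__main__":
    # Constructed walk-through: the same requests against both handlers.
    print("vulnerable, no login, other patient:", get_record_vulnerable("p-200")["name"])
    print("hardened, own record:", can_read("tok-p100", "p-100"))
    print("hardened, other patient:", can_read("tok-p100", "p-200"))
    print("hardened, no login:", can_read(None, "p-100"))
```

The hardened version is what a reviewer should look for when the team says "patients can only see their own data": the authorization decision is made from the server-side session, never from anything the client sent, and the lookup happens only after that decision. A test suite for the "My Health" app would include exactly the negative cases shown in the walk-through (wrong patient, no login) so the flaw cannot silently return.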

PEOPLE
In 2020, Twitter employees got messages to reset their passwords; when they clicked on the link to change the password, they were sent to a hacker's website. The message senders posed as consumer service and tech support professionals. Twitter employees did not realize it and entered their old and new passwords. The criminals obtained these employees' credentials and used them to target 130 Twitter accounts, including those of former US President Barack Obama, Kanye West, Mike Bloomberg, and Jeff Bezos.

The year 2020 saw a significant shift in the way we work, learn, and socialize online. The number of employees working remotely has increased significantly. Because more people are now working from home, your team is exposed to new threats. Your team could be working from home, a hotel, or a public WiFi hotspot. They may be on social media while working remotely. Malicious WiFi and social media are the source of many attacks. There may be children and babysitters at home while they work from home, which is also a risk. As per Forbes, often the weakest link is the customers and employees who may pose a risk due to lack of knowledge, lack of training, or just carelessness. There may be some employees who have the malicious intent to cause harm or help

OUTDATED HARDWARE OR SOFTWARE

In 2017 the WannaCry outbreak happened, which was a global epidemic. It happened because Windows systems were not updated. Users' files were held hostage, and hackers demanded bitcoin as ransom money. In your projects, your team members will install various software on their machines, but they may not update it regularly. Through software and hardware upgrades, identified security issues are addressed. If your hardware and software are out of date, your applications may be vulnerable to attacks.

THIRD-PARTY EXPOSURE

In 2013, cybercriminals sent a phishing mail to an employee of a third-party vendor for the retail giant Target. When the employee opened the email, malware was installed on his computer, which sent the credentials of this third-party employee to the criminals. There was not enough monitoring on this computer, as it was running a free version of antivirus software. Using these credentials, hackers accessed systems in Target's infrastructure. The hackers stole sensitive records of 40 million customers, which included credit card numbers, names, addresses, and even the security codes on the back of the credit cards. It was a disaster for Target. As a project manager, you will interact with a variety of vendors. You could hire a vendor to do the software development work for you. Also, you may use third-party software. This third party may have its own partners, maybe a fourth party for you. As a Project Manager, security and compliance are your responsibility; they are not delegated to a third-party vendor.

CLOUD RISKS

Let's quickly understand what cloud computing is. As per NIST, "Cloud Computing is a model for enabling convenient, on-demand access to shared computing resources (networks, servers etc.) that can be rapidly provisioned and released with minimal effort." If your application stores data on the cloud, it's critical that you understand the implications. Every year, thousands of cloud-related breaches occur. The "My Health" application could be hosted in the cloud. Cloud configuration specialists in your company may not be knowledgeable about cloud security setup. According to a Gartner study, misconfigurations cause 95% of cloud breaches.

DENIAL OF SERVICE ATTACK
A Denial-of-Service attack may be launched against the "My Health" application. What exactly is a Denial-of-Service attack? The goal of a Denial of Service (DoS) attack is to make a website, application, or server inaccessible for the purpose for which it was intended. If a website gets an unusually high volume of requests, it may become unavailable to genuine users. (OWASP.org) Assume that the "My Health" application is no longer available to patients, physicians, and hospital personnel. This will have an effect on patient care, which is the primary purpose for the hospital's existence. According to a NetScout study on threat intelligence, DDoS attack frequency increased by 15% in the first half of 2020, the most intensive time of worldwide lockdowns, compared to the same period in 2019.

IGNORANCE OF DATA COLLECTION & SHARING

Do you know what data you are collecting in your projects? What data are you sharing with the vendors and third parties? And how are you sharing this data? In one healthcare organization, a PM from one of the vendor companies sent a patient's PHI to one of the team members over an unencrypted email. When the organization learned of this, it took disciplinary action against the vendor company. Our example "My Health" application will collect personal information about the user. Some of the data will be confidential and some will not. It is critical for a project manager to understand what data is being collected, which data is confidential, and which is not. We covered some risks you should be aware of as a Project Manager. In upcoming chapters, we will discuss how to manage these risks.

Review your understanding

1. The risk of a project missing a compliance item is called
a. Risk of non-compliance
b. Application Vulnerabilities
c. Phishing
d. Malware

2. A malware that can block access to a computer until a sum of money is paid online is called
a. Phishing
b. Virus
c. Ransomware
d. Application Vulnerabilities

3. Emails with urgent subject lines that prompt you to provide some critical confidential information are a classic example of
a. Virus
b. Malware
c. Risk of non-compliance
d. Phishing

4. ________________ software will make your application vulnerable to attacks.
a. Software purchased outside the organization
b. Software downloaded via the internet
c. Outdated software
d. Personal software that employees use

Summary
We discussed some potential risks to the product, like risk of non-compliance, malware, phishing, employees, application vulnerabilities, and the risk of outdated hardware or software. We then discussed some ways to mitigate such risks, such as proper training of employees, periodic unannounced security drills, planned security testing, updating hardware and software, a malware detection and prevention plan, training the team on data and encryption, and finally, third-party security management.

Answers
1a 2c 3d 4c

CHAPTER 4: INITIATION In the previous chapters, we covered the fundamental concepts of security and privacy, essential terms to know, as well as the risks you need to watch out for. Now that you have the basic knowledge needed to get started, it’s time to start implementing what you’ve learned. From this chapter onwards, we'll go through "the actionable steps" you and your team must take to create secure and compliant products. Assume you are the new project manager for the “My Health” project we introduced in Chapter 2. In the “My Health” project, your end goal is to develop self-service applications that aid patients in the recovery process following surgeries or other major medical procedures. We will walk you through the entire project lifecycle. Let’s get through this journey together. Are you ready?

Firstly, we'll walk you through the 'Initiation Processes.' In this chapter, we will cover:
1. Business Case
2. Project & Product Objectives
3. Stakeholders Identification
4. Security & Compliance Frameworks
5. Organizational Policies & Procedures
6. Historical Information on security and compliance issues
7. High-Level Scope, Time & Budget
8. Project Charter

BUSINESS CASE

Projects generally begin with a 'business case.' A business case addresses the fundamental question, "Why is the project needed?" The purpose of the "My Health" project is to address the issue of patients forgetting medications and being unable to follow the doctor's guidelines after surgery. Far too often, projects and product development begin without initially addressing security, which may have serious consequences for the project and products down the line. If your senior leadership recognizes the importance of security right from the initial phases, that's fantastic. If they don't, you may need to convince the project driver and other executives that incorporating security right from the beginning is critical and that the repercussions of failing to do so can be costly. The process of securing your product will undoubtedly cost more time and money, but you can't put a value on something as necessary as security. Including security, privacy, and compliance in the business case will help you get started on the right foot. Let's investigate how this can be accomplished. A business case comprises a cost-benefit analysis to estimate the project's ROI (Return on Investment). The expenses of implementing security, privacy, and compliance must be accounted for in the total project cost. A business case also includes high-level risks. For example, there are risks of not complying with the regulations. There are also risks of potential breaches during and after the project, as well as when the product goes live. Such risks may arise because of vulnerabilities introduced during product development. There are some known vulnerabilities, which every team should plan for, but there are also unknown vulnerabilities that can catch teams by surprise. By being proactive and prepared, your teams can identify, reduce, and fix vulnerabilities.

PRODUCT & PROJECT OBJECTIVES
The product objective is the overarching goal the project is aiming for. Let's look at the product objective for the My Health project. Is it to build a product that will help patients recover after surgery? Or is it to build a secure and compliant product that will help patients recover after surgery? What do you think? We are sure that you've picked the latter objective. By ensuring security and compliance are part of the business case and the product/project objectives, you and your organization are on the right track right from the beginning.

STAKEHOLDERS

After you've created a compelling business case, it's time to identify your stakeholders. A stakeholder is someone whose interest may be impacted by the project or its product. They will be directly impacted by the success or failure of your projects. Stakeholders can also be external to the organization, including regulatory agencies. Make sure that you identify the appropriate stakeholders and their relevant roles. From a security, privacy, and compliance perspective, this can include the Legal, Information Security, Internal Audit, Privacy, Risk, and other departments. Depending on the size of your business, you may have five distinct teams or simply one. However, just including them is insufficient. Determine if the teams have made a time commitment and if they have the bandwidth to dedicate hours to your project.

Meet with their managers and ensure that they are committed to your project. Look to receive the following information from these teams:
policies, standards, and guidelines for security, privacy, and compliance
your project's deliverables for the security, legal, audit, privacy, and risk teams/professionals in your organization
the artifacts where you need sign-offs from them
the time duration that should be factored in for the sign-offs
Another important stakeholder to involve is the production support team or Operations team. Getting their inputs early on will help you avoid surprises during hand-offs. Having the right stakeholders on board will set you on the right path. Stakeholder identification is an ongoing process, which will happen throughout the project. In your stakeholder engagement plan, ensure regular touchpoints with the security professionals. (PMBOK 6th Edition)

SECURITY & COMPLIANCE FRAMEWORKS
Frameworks guide stakeholders on the actions to take in pursuit of mitigating the risk of cybercrime. Project managers would benefit from being aware of the most available and applicable security frameworks and standards. The most widely used security frameworks are:
ISO
NIST Cybersecurity Framework
HIPAA
PCI-DSS
CIS
GDPR
CCPA

ISO: The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) established the ISO 27001 standard in 2005 to:
safeguard customer personal information and the organization's sensitive information
identify all possible risks
provide tools to manage them
The standard has become the globally recognized foundation for businesses worldwide to maintain their information security management systems (ISMS). ISO certifications add value and credibility to organizations by demonstrating that products and services meet the national regulations.

NIST: NIST stands for 'National Institute of Standards and Technology.' It's the most well-known risk reduction framework. It's the most universally applicable in nature and has become the de facto standard for implementing cybersecurity. The NIST framework assists organizations in understanding, structuring, managing, and reducing cybersecurity risks. The core functions of this framework are:
Identify: finding out what you have. In other words, identifying systems, people, assets, data, capabilities, and risks in your organization.
Protect: having adequate safeguards in place to protect assets and information. As a PM, maintaining a risk register helps you protect the assets.
Detect: this function is responsible for detecting the occurrence of a cybersecurity event.
Respond: this function is tailored to act in response to a detected cybersecurity incident.
Recover: this function identifies activities to maintain resilience plans and restore any capabilities or services that have been compromised as a result of a cybersecurity incident. PM: create or review the recovery plan.

HIPAA: The healthcare industry, like any other industry, adopts technologies very fast and, therefore, is constantly exposed to many security risks. There were around 550 data security breaches with more than 22 million individuals affected in 2020. (planet9security.com) HIPAA (Health Insurance Portability and Accountability Act) governs how healthcare organizations and those who deal with protected health information must safeguard their systems in order to protect such information. HIPAA's framework outlines the security measures that businesses must use in order to stay in compliance with the rules. Failure to comply with these rules may result in fines and other consequences.

PCI-DSS: Companies that deal with credit card data must comply with PCI DSS (Payment Card Industry Data Security Standard). Compliance with PCI DSS helps companies prevent data breaches. It is a set of requirements for merchants who process, transmit, or store credit card data.

GDPR: General Data Protection Regulation, for the collection and processing of personal information from people who live in the European Union.

CCPA: California Consumer Privacy Act, a privacy law to protect the data of California residents.

These were some of the most widely used frameworks. There are various other frameworks your organization may use. As a Project Manager, it's important to be aware of what frameworks are being used in your organization.

ORGANIZATIONAL POLICIES & PROCEDURES
Over time, organizations develop policies and procedures that have proven to be best practices. Every organization has different policies and procedures when it comes to security and privacy. In some companies, it is enforced that employees change their passwords every 5-6 weeks. In some companies, accessing personal email accounts is not allowed. If you are new to the organization, find out the organizational policies and procedures for security and compliance. Here are some questions to ask:
Is a BYOD policy implemented, i.e., can employees bring their personal devices and use them to access work networks?
What is the password policy? How often are password changes enforced?
Is Multi-Factor Authentication (MFA) in place?
What are the requirements for employees working from home? Also, what are the requirements for employees working from another country?
How often are software updates/backups needed?
How are resources given access to IT systems? Are they granted the least amount of "privilege" on a "need-to-know" basis?

HISTORICAL INFORMATION
One of my clients told me that a third-party platform they used had a security vulnerability that caused a production incident. The incident was identified, detected, and fixed promptly. With this information at hand, the PMs were very cautious and exercised due diligence when using that platform or any other third-party platform in that company. If your organization has had breaches and major attacks in the past, get that information, as it will help you avoid the same mistakes. You should be able to get this information from the Production Support Team. Another important piece of information you should have is 'Lessons Learned' from past projects similar to yours. Look for security and compliance issues in these documents.

HIGH-LEVEL SCOPE, TIME & BUDGET
The Initiation phase addresses high-level scope, time, and budget. Ensure that the scope includes building products that meet security, privacy, and compliance requirements. The additional activities will have a cost and time frame associated with them. Make sure they are included in your budget and schedule. We will go over the details of the tasks to be included in the next phase.

VENDOR SELECTION
You may not have enough employees and may have to rely on vendors to develop some components of the application. If your team adheres to security best practices but the vendor's team does not, the risk remains high. All it takes is one oversight, and that can cost your company a lot of money and its reputation. Let's divide the questions to ask a vendor into three categories: History, Location, and Expertise. Let's review these categories in detail.

History. The questions would be:
Who are the other clients of the vendor?
Has your company worked with this vendor before?
Has 'your' client worked with this vendor before?
What is the vendor's experience with clients in your industry?
What's their track record of keeping information secure?
Are there any testimonials and references available?
Have they experienced any data breaches?
Do they keep track of their customer data? How do they store their data?
Do they have a proven record in developing secure and compliant applications?

Location.
Is the vendor in your country, or outside your country?
Will the vendor be on-site or off-site? If vendor resources are off-site, you may not be able to monitor whether they are following security best practices.

Expertise.
Does the vendor have security and privacy expertise?
Is the vendor following the NIST Framework, HIPAA, or PCI-DSS?
Does the vendor have certain compliance and certifications (e.g., SOC 2 Type II, HITRUST, ISO 27001)?
What tools and technologies is the vendor using to ensure security and compliance?
What is the vendor's plan and strategy to respond to any incident?
What is the turnaround time if security or privacy defects are logged in various environments?

Work with your team and security professionals to interview the vendors and research them. Compare the answers to these questions across vendors and get feedback from the security professionals. You may be working with several vendors, and vendor selection will be an ongoing process.

PROJECT CHARTER
The Project Charter is the major deliverable produced in this phase, and it includes the business case, stakeholders, scope, budget, vendors, high-level schedule, and high-level risks discussed in this module. Like every other aspect of project management, the security foundations for a project should be laid firmly in the initiation phase. It is preferable for the project charter, when it is created and signed, to document all possible risks, threats, and security loopholes, and to include conceivable remediation measures for every possible threat.

Review your understanding

1. Security, privacy, and compliance should be included in what processes of project management?
a. Test/QA
b. Initiation/Envision
c. Delivery
d. Assessment
e. All of the above

2. Building a secure and compliant product should be included in the products.
a. The Business Case
b. Project Title
c. Product Vision
d. A and C

3. This is because
a. Costs of security, privacy, and compliance have to be factored into the overall cost before computing the ROI
b. The risks of non-compliance, including the risks of potential breaches during the project, after the project is completed, and when the product goes live, should be included in the business case
c. This will help improve the profit margin of the product
d. A and B
e. A and C

4. As a product manager, you should ensure
a. The stakeholders have the bandwidth to devote hours to your project
b. Collect important information like policies, standards, and guidelines for security, privacy, and compliance, your project's deliverables, time duration, etc.
c. Each of the stakeholding teams is separate and does not mix up
d. A and B
e. All of the above

5. When hiring to build a secure and compliant team, which of the following should you avoid?
a. Run a background test on the candidates
b. Ensure that knowledge of security and compliance is tested, trained, and retrained in the prospective team
c. Enforce a strict process for full-time hires only
d. Ensure that team members have security and privacy knowledge specific to their responsibilities

6. An ideal product team member would
a. Have some idea on security and compliance
b. Have a good understanding of security and compliance, especially specific to their responsibilities
c. Be trained and retrained over a period of time
d. A and C
e. B and C

7. When considering a vendor for your project, you should consider which of these?
a. History
b. Location
c. Expertise
d. A and C
e. All of the above

8. When looking into the history of the client, which of the following is important?
a. Proven record
b. Past experience/testimonials/references/data breaches
c. Size of their company/team
d. A and B
e. A, B, and C

9. Why is the location of the vendor important?
a. Working on-site is more productive
b. It is difficult to manage remote teams
c. There are regulatory compliances that have geographic restrictions
d. To monitor if the vendor is meeting security and compliance protocols
Options:
1. All of the above
2. A and D
3. B and C
4. C and D
5. None of the above

10. What is the major deliverable as a project manager in the initiation phase?
a. The Business Case
b. The Product Vision
c. The Project Charter
d. The stakeholder identification

11. High-level scope includes which of the following activities?
a. Security & Privacy Training and Risk Assessment
b. Security Scans and Testing, Infrastructure Security & Monitoring
c. Code Reviews
d. B and C
e. All of the above

12. Why do we emphasize including high-level risks and scope in the initiation phase?
a. It is part of compliance needs
b. It is a part of the agile process
c. High-level scope gives the product manager a better picture of the product
d. High-level risks and scope help us identify the security needs and the associated cost and time

Summary

At the outset of this chapter, we addressed how security and compliance must be integrated into the product development cycle beginning with the Initiation phase. The business case and total cost of the project should account for security and compliance requirements. In the future, we should also expect fees connected with non-compliance or any security or privacy breaches. As a result, developing a secure and compliant solution should be part of the product vision.

As a project manager, we must identify the stakeholders once we have established the business case and the product vision. Information Security, Legal, Internal Audit, Privacy, and Risk are some examples. Ensure that these teams have the time to commit to your project. Collect important information from stakeholders, such as:

- Security, privacy, and compliance policies, standards, and guidelines
- Deliverables for your project's security, legal, audit, privacy, and risk teams
- The time that should be included in the schedule for the sign-offs on the artifacts where you require sign-offs from them

Keep in mind that identifying stakeholders is an ongoing effort.

After that, it's time to assemble the team. We must assure a few criteria while selecting your project team. Conduct a background check on the candidates. Ensure that the new staff is well-versed in security and compliance, particularly as it relates to their unique duties. Include security training in your onboarding process. Include retraining for current staff as well. Ensure that everyone participating in the project, whether full-time employees or contractors, does not fall through the gaps.

When choosing a vendor, look into their history, location, and expertise. Check whether they have a history of dealing with security and preventing data leaks. Check your compliance requirements to ensure that the vendor's location is not an impediment to your product. Also make sure they have appropriate procedures and mechanisms in place to protect the product's security and to deal with any vulnerabilities or problems. Finally, ensure that activities like security and privacy training, risk assessments, security scans and testing, infrastructure security and monitoring, code reviews with security and privacy in mind, and so on are budgeted for and accounted for.

Answers

1. e
2. d
3. d
4. d
5. c
6. e
7. e
8. d
9. d
10. c
11. e
12. d

CHAPTER 5: PLANNING

In the previous chapter, we covered the Initiation phase of the project and the steps you should take from a security and compliance perspective. Now, let's move on to the next one, the Planning phase.

A robust plan can help mitigate and manage the risks. In this chapter, we will cover various plans. Security, privacy, and compliance must all be addressed in some way in every plan. The plans are progressively elaborated over the entire project. We will also cover security and compliance in high-level requirements, architecture, design, and test cases. In this chapter, we will cover:

- Requirements, Architecture & Design
- Team
- Communication
- Procurement
- Scope, Time & Cost
- Quality
- Risk

REQUIREMENTS

In the planning process group, your team will define what the high-level requirements are. These requirements are detailed out throughout the project in the BRD (Business Requirements Document) or product backlog. Make sure security, privacy, and compliance requirements are a part of the high-level requirements. The requirements should address the laws, regulations and frameworks the project has to comply with. Laws and regulations are meant to safeguard users' personal information. We covered various frameworks such as ISO, NIST, HIPAA and PCI-DSS in the last chapter. Countries have their own compliance-specific requirements. Find out about the compliance requirements in the various countries that will impact your project. Ensure your product team is working with security and compliance professionals to capture these requirements.

The BRD or the product backlog should also have security requirements like:

- Login requirements
- Password requirements

I remember in one of the projects, my team was building an application for cancer patients. We wanted passwords to be secure but not very complex and difficult to remember. The product manager worked with the security team to ensure that there were options so that users could create easy-to-remember passwords.

There can also be organization-specific regulations. For example, there can be a company-wide requirement not to show data that is more than 3 years old to the user unless explicitly requested. Make sure that you get sign-off on the requirements from security and compliance professionals. The developers will build the application based on these requirements, but these will need to be tested. Test cases will be needed to test these requirements, which will also need to be signed off by security and compliance professionals. Architecture & high-level design will also be done in the planning phase.

TEAM IDENTIFICATION (HUMAN RESOURCE MANAGEMENT)

We are in the Planning phase of the project. It's time to build your team, isn't it? You'll need the following people on your team: Architect, Designer, Developers, Testers, Product Managers, Business Analysts. Did we forget to include someone? If you think we did, you can add more people.

Your project may already have team members allocated, but if it doesn't, you may need to build a team from scratch. If your budget allows, you should hire a dedicated security engineer. If not, your team members should be well-versed and knowledgeable about cyber security. Regardless of your situation, while choosing your project team, you must have answers to these questions:

- What is the hiring process? Is the knowledge of security and privacy tested during an interview? Do the candidates know the fundamental terms and metrics such as PII and PHI? Do they know how to use approved tools while handling sensitive data? Should the new hires have specific certifications? Collaborate with your project and security teams to include this in the interview process.
- Almost every company does a background check on prospective employees prior to hiring. That should be the case at your company as well; nevertheless, it is always a good idea to double-check that this step is not missed.
- But what about contractors vs. full-time hires? Is it common to have contractors assigned to these types of projects? If so, are there situations where full-time hires go through the necessary steps you outline, but for contract hires things slip through the cracks?
- What's the onboarding process? Are security and privacy training a part of onboarding? If not, make the training mandatory.
- Do existing employees need security and privacy refresher training? Have re-training as a part of the project on-boarding plan. Make it fun. In some companies, friendly competitions and gamification are used to engage employees. Training and retraining are included in annual performance goals. Emphasize the importance of training, and also talk about the recent incidents and breaches that have happened.

The team members will also need security and privacy knowledge specific to their responsibilities. For example:

- Developers must know secure coding practices.
- Product owners and business analysts must understand and define security and privacy requirements.
- Testers must know how to test for these requirements.

Work with your respective teams to make sure there are training and resources for every role and ensure that they are made available to each team member. How can you ensure this happens? Discuss this with the security and the HR teams.

COMMUNICATION PLAN

As we all know, communication is the key to success in project management. As per PMI (Project Management Institute), about 75-90% of the time in a project is spent on communication by the project manager. The importance of security in project communications cannot be overstated. Let us look at the why, what, and how of secure communications.

Why should the communication be secured? Members of Legacy Community Health Services were notified of a compromise involving their sensitive health information in 2020. How did this happen? An unauthorized individual accessed patient information stored in an email account. Would you like something similar happening in your project? Of course not. We do not want sensitive information reaching the attackers.

What communication should be secured? Find out what is confidential and sensitive information in your project that absolutely needs to be secured. As mentioned in earlier chapters, the personal information of customers is sensitive and must be secured. Also, some organizational information, which may include trade secrets, new product plans, supplier information and financial data, is confidential and sensitive.

How can the communication be secured? Your organization may have some guidelines for securing internal and external communication. Find out the following:

- What is the agreed channel for communication?
- What are the tools used in your company for securing communication?
- How are the meetings secured? Do meetings have passwords?
- Is there any information that must be encrypted? For example, in healthcare companies, it's required to encrypt PHI.

Find out what the security standards are that address the elements of communication, and socialize them with your team members. The best way is to engage the security team early on. Have someone from the security team talk about securing communications in the kick-off meeting. Many organizations post this information in places like notice boards, coffee rooms and scrum rooms to remind everyone of the secure communication protocols. An important piece of the Communication Plan is to keep communications with vendors secure, especially when you are dealing with sensitive data. This is also laid out in the PROCUREMENT PLAN, which we will cover in the next section.

PROCUREMENT

You may be securing your communications, but your vendor may not. Your organization may be making sure that the employees are trained on security, but the vendor may not. Also, in the event of a breach, you may be prepared, but your vendor may not be. In the past few years, several breaches have happened because of a lack of appropriate security measures at vendors. It is critical to manage vendors and ensure that they take security seriously. Here are some elements of the Procurement plan:

- Contract
- Training
- Incident Response

Contract

The contract must make sure that the vendor is accountable for the security and compliance of the product and communications. The contract must include security requirements and standards for vendors, and the standards must be enforced with regular audits in place. The contract should mention the frameworks and laws the vendor should adhere to.

Training

It's important that vendor employees are adequately trained. Make sure the vendor employees go through the training you have in place for your employees. Figure out a way with the security team where some gamification and quizzes can be put in place to test the knowledge of all team members, including vendors.

Incident response

Ensure that incident response mechanisms are in place. The vendor should already understand what to do when a cybersecurity breach is suspected. Work with the security professional and the vendor to ensure that there is a process in place to deal with a suspected breach.

SCOPE, TIME & BUDGET

Check that the following activities have been included in the high-level scope:

- Security & Privacy Training: the "My Health" project team will require HIPAA training because it's in the healthcare industry. Developers may need secure coding practices training.
- Risk assessments
- Security Scans and Testing: this is done on the code and the finished product.
- Infrastructure Security & Monitoring: the servers where the product will be deployed will need to be secured.
- Audits

These tasks will have a cost and a time frame associated with them. You will also require tools for scanning and testing. Make sure they are included in your budget and schedule.

QUALITY

A lack of attention to quality means more rework and defects. A lack of attention to security and compliance has more severe consequences. The quality engineers in your project may not be skilled to test for security and compliance issues. This may result in security defects not getting reported and fixed. Make sure there is a plan to test the security, privacy and compliance requirements. As we mentioned earlier, there should be test cases to test these requirements. The defects are reported in the same tool used to report other defects. These are prioritized and worked on. Have security professionals in your organization sign off on the test cases and resolution. In some companies, security testing is performed by third-party companies.

PHYSICAL RESOURCES

Your team will get laptops to work on. Also, some mobile and IoT devices will be provided to them if needed. Work with IT Support to ensure antivirus/anti-malware is installed on the machines. Also find out the answers to these questions:

For project managers, a generally ignored problem is buying a unit to install (router, switch, WiFi, etc.), but forgetting to customize it. In such a case, default passwords remain in force, which an attacker can easily exploit.

Also, while setting up the cloud environment, the default configuration is not the most secure configuration. Ensure the cloud specialists know how to make a secure configuration. As a project manager, your job is to make sure your team members get trained on how to secure their work computers, their home office, and how to keep applications secure in the cloud.

RISK MANAGEMENT PLAN

In Chapter 3, we covered the risks you should watch out for. What should your risk management plan have to mitigate these risks?

First and foremost, it should have Training. We have covered in the previous modules that training can help mitigate the risks. All the risks we covered can be prevented with training to some extent. For example, training the employees to be wary of look-alike domains, for malware and phishing domains, makes spotting the fake domains easier. The domain can be spelled as "domian" in the phishing email, but because of training, we know that this is an intentional misspelling to trap us.

Drills: periodic unannounced exercises like intentional phishing campaigns can help employees stay aware and observant. These phishing emails are sent by the security team to find out if the employees are careful. Many organizations are doing periodic drills to make sure the employees who are remote are careful.

Next is Testing: make sure your team has planned security testing like static, dynamic, and penetration testing in place to catch any vulnerabilities. We'll cover these tests in detail in the next chapter.

Another item your plan should have is Updating Hardware, Firmware & Software: ensure your infrastructure team is on point to install any security patches. Make sure that the software and hardware versions used in your project are approved by the security team. As a project manager, you must be on top of it. Keep checking with your system administrators for any new patches or updates that are necessary. We cannot leave it to another team; otherwise WannaCry would never have happened.

The plan should also consider Tools for malware detection and prevention, if not already taken care of in the Initiation phase. There will be some organization-wide tools for this. Plan for the installation of these tools on employees' and contractors' machines. This will be an ongoing process as new team members join your project. Also, ensure that vendor employees have the malware detection tools installed. The infamous Target breach of 2013 happened because the vendor employee did not have a malware detection tool installed.

Understanding of data and encryption: your team is expected to understand which type of data is stored where, as it helps maintain the safety of the data. Find out what sensitive data needs to be encrypted. Ensure your plan has the tools and resources required to encrypt data.

Third-party management: ensure there is due diligence, and security screenings and audits in place, to avoid any risks due to third parties. I'll say this again: ensure that training of the vendor employees is in your risk management plan. Ascertain that your team is working with cloud configuration specialists who are knowledgeable about cloud security setup, and customize it to the particular needs of the company.
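The risk management plan above relies on people recognizing look-alike domains such as "domian" standing in for "domain". The same idea can back up the training with a technical control. The Python below is an added example, not code from the book: it folds common look-alike characters and measures how many edits separate a sender's domain from a small allowlist of trusted domains. The allowlist, the sample addresses and the distance threshold are all constructed for the demonstration.

```python
# Added example (not from the book): flag sender domains that look like a
# trusted domain, the way "domian" imitates "domain". Company domains and
# sample sender addresses below are constructed for the demonstration.

from typing import List, Tuple

# Constructed allowlist of domains the project legitimately uses.
TRUSTED_DOMAINS = {"example.com", "example-health.org"}

# Characters commonly swapped for look-alikes, mapped to the letter they
# imitate before the distance is computed.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MULTI_CHAR_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(domain: str) -> str:
    """Lower-case the domain and fold common look-alike characters."""
    folded = domain.strip().lower().translate(HOMOGLYPHS)
    for fake, real in MULTI_CHAR_HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return folded


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'domian' is 1 step from 'domain' rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_sender(address: str, max_distance: int = 2) -> Tuple[str, str]:
    """Return (verdict, nearest trusted domain) for one sender address.

    'trusted'   - the domain is exactly on the allowlist
    'lookalike' - within max_distance edits of a trusted domain after folding
    'unknown'   - an unrelated domain (neither trusted nor suspicious here)
    """
    domain = address.rsplit("@", 1)[-1]
    folded = normalize(domain)
    if domain.lower() in TRUSTED_DOMAINS:
        return "trusted", domain.lower()
    best = min(TRUSTED_DOMAINS, key=lambda t: osa_distance(folded, normalize(t)))
    if osa_distance(folded, normalize(best)) <= max_distance:
        return "lookalike", best
    return "unknown", best


def review_senders(addresses: List[str]) -> List[Tuple[str, str, str]]:
    """Classify a batch of sender addresses (for example, from a mail log)."""
    return [(addr, *classify_sender(addr)) for addr in addresses]


if __name__ == "__main__":
    # Constructed sample senders for the demonstration.
    samples = [
        "alice@example.com",          # legitimate
        "billing@examp1e.com",        # '1' standing in for 'l'
        "hr@exarnple.com",            # 'rn' standing in for 'm'
        "it@exmaple-health.org",      # transposed letters
        "news@unrelated-vendor.net",  # unrelated, not a look-alike
    ]
    for addr, verdict, nearest in review_senders(samples):
        print(f"{verdict:9} {addr:30} (nearest trusted: {nearest})")
```

In practice a check like this sits in the mail gateway or the monitoring platform rather than in a script, and the allowlist would be the organization's real domains. The point it illustrates is that a transposition or a digit-for-letter swap is only one or two edits away from a trusted name, which is exactly the pattern the training teaches people to look for.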

Review your understanding

1. Guidelines from the security team for secure communication should include which of the following

a. Agreed channel for communication
b. Tools used in your company for securing communication
c. Securing/encrypting meetings

Options

a. A and B
b. B and C
c. A and C
d. All of the above

2. From a security and compliance perspective, the Procurement plan includes which of the following

a. Contract
b. Training
c. Product Vision
d. Incident Response

Options

a. A and B
b. A, B, and C
c. A, B, and D
d. A, C, and D

3. When creating a contract, from a security perspective, one must ensure

a. The vendor is accountable for security and compliance of the product and communications, and the contract includes security requirements and standards for vendors.
b. The vendor is accountable for service delivery only.
c. Vendors have incident response systems in place.
d. Vendors go through the same security training that you have in place for your team.

Options

a. A and D
b. B
c. A, C & D
d. None of the above

4. High-level requirements are documented in

a. Functional Specification Document
b. Business Requirements Document
c. Support documentation
d. Project overview

5. The high-level requirements should include

a. The laws and regulations
b. The security team details
c. Location-specific compliance requirements
d. Security requirements

Options

a. A, B, and D
b. A, C, and D
c. A and C
d. All of the above

6. The risk of a project missing a compliance item is called

a. Risk of non-compliance
b. Application vulnerabilities
c. Phishing
d. Malware

7. A malware that can block access to a computer until a sum of money is paid online is called

a. Phishing
b. Virus
c. Ransomware
d. Application vulnerabilities

8. Emails with urgent subject lines that prompt you to provide some critical confidential information are a classic example of

a. Virus
b. Malware
c. Risk of non-compliance
d. Phishing

9. ________________ software will make your application vulnerable to attacks.

a. Software purchased outside the organization
b. Software downloaded via the internet
c. Outdated software
d. Personal software that employees use

10. ____________ helps employees to be wary of look-alike domains, for malware and phishing domains, and makes spotting the fake domains easier.

a. Testing
b. Training
c. Updating Hardware & Software
d. Third-party management

11. Outdated software is mitigated by

a. Periodic unannounced security drills
b. Testing
c. Updating hardware and software
d. Malware detection and prevention plan

12. Drills are

a. One-time unannounced security exercises
b. One-time announced security exercises
c. Periodic announced security exercises
d. Periodic unannounced security exercises

Summary

In this chapter, we covered the Planning phase of the project. It consisted of 3 plans.

In the Communication plan, as a project manager, ensure you have a set of guidelines set by the security team on what the agreed channel for communication is, what tools are used in your company for securing communication and, if needed, how meetings can be encrypted. Socialize this with your team.

The Procurement plan includes Contract, Training, and Incident Response. When drafting the contract, make sure that the vendor is accountable for the security and compliance of the product and communications. The contract must include security requirements and standards for vendors. Make sure the vendor employees go through the training you have in place for your employees. Verify that vendors have systems in place to deal with a security incident.

In the Planning phase, we also define what the high-level requirements are. These should be recorded in the BRD (Business Requirements Document). The requirements should address the laws and regulations the project must comply with, location-specific compliance requirements (if any), other security requirements like password requirements, and organization-specific regulations. Make sure you get these signed off, along with the test cases, and architecture and design, by the security and compliance team.

We also discussed some potential risks to the product like the risk of non-compliance, malware, phishing, employees, application vulnerabilities, and the risk of outdated hardware or software. We then discussed some ways to mitigate such risks, such as proper training of employees, periodic unannounced security drills, planned security testing, updating hardware & software, a malware detection and prevention plan, training the team on data and encryption, and finally, third-party security management.

ANSWERS

1. d
2. c
3. c
4. b
5. b
6. a
7. c
8. d
9. c
10. b
11. c
12. d

CHAPTER 6: EXECUTION

In this module, we will cover the execution processes of the project. Project deliverables are created in the Execution phase. The plan we created in the Planning phase will be executed in this phase.

This is the process group in which the team will perform activities to meet the project objectives. In software projects, architecture and detailed design will take place. Requirements will be fleshed out. Code development and testing will happen, and the application will be deployed to production.

In this chapter, we will cover:

- Requirements
- Architecture & Design
- Development & Testing
- Production Deployment
- Knowledge Management

Requirements

As requirements are fleshed out in this phase, make sure that the security, privacy & compliance requirements are fleshed out together with the security and compliance teams. In some projects, the security professionals are engaged very late in the project. I have seen that some project managers think that going to security professionals will delay the project. They say, "The functionality has to be developed and launched soon." Also, "Deadlines will be missed." Sometimes, security requirements are documented. They are in the backlog and keep sitting in the backlog for a long time. Why? Because these requirements are not prioritized. What happens if a requirement or a user story is not prioritized? It's never worked upon. As a PM, ensure that these requirements are prioritized and worked upon by the developers.

Architecture & Design

Make sure the architecture is built with implementation and production deployment in mind. Architects should work closely with the security architects and build an architecture that ensures confidentiality, integrity and availability of information.

The architecture should address the following:

- Securing data in transit and at rest: encryption of data
- Security of encryption keys: store the keys in a secure place
- Network architecture, firewalls, tools
- Design of passwords (strong password management)
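The last architecture item, strong password management, and the earlier Requirements anecdote about passwords that are secure yet still memorable, can be made concrete in code. The Python below is an added example, not from the book: a policy that checks length and a common-password list rather than forcing symbols, and salted PBKDF2 hashing so that only a verifier, never the password itself, is stored. The minimum length, the iteration count and the common-password list are assumed values for the demonstration.

```python
# Added example (not from the book): a password policy that favours length
# over forced complexity, plus salted password hashing for storage. The
# common-password list and the sample passwords are constructed for the demo.

import hashlib
import hmac
import os
from typing import Dict, List

# Constructed stand-in for a breached/common-password list; a real deployment
# would load a much larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12              # assumed policy value
MAX_LENGTH = 128             # generous upper bound so passphrases are accepted
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the demo


def check_policy(password: str) -> List[str]:
    """Return the list of policy problems; an empty list means acceptable.

    The policy deliberately does not demand mixed case or symbols: a long,
    memorable passphrase passes, while short or well-known passwords fail.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(set(password)) == 1:
        problems.append("consists of a single repeated character")
    return problems


def hash_password(password: str) -> Dict[str, str]:
    """Derive a storable record: random salt, iteration count and PBKDF2 hash.

    Only this record is written to the database; the plaintext is never stored.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return {"algorithm": "pbkdf2_sha256", "iterations": str(PBKDF2_ITERATIONS),
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 int(record["iterations"]))
    return hmac.compare_digest(digest.hex(), record["hash"])


def register(password: str) -> Dict[str, str]:
    """Enforce the policy, then hash; raises ValueError listing the problems."""
    problems = check_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        issues = check_policy(candidate)
        print(f"{candidate!r}: {'accepted' if not issues else ', '.join(issues)}")
    stored = register("correct horse battery staple")
    print("verify correct:", verify_password("correct horse battery staple", stored))
    print("verify wrong:  ", verify_password("correct horse battery stable", stored))
```

Two design choices are worth pointing out to the team during the architecture review: the random per-user salt means two users with the same passphrase get different stored records, and the iteration count is stored with the record so it can be raised later without breaking existing logins.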

When it comes to designing the application, ensure security, privacy, and compliance are designed into the software. Have the designers been trained in security? Ask the question, "What can go wrong?" For example, when a house is designed, theft, earthquake, fire and other calamities are kept in mind. Similarly, make sure designers consider various threats and risks while designing all products and their components. The IEEE Center for Secure Design has published secure design principles, "Avoid the Top 10 Security Design Flaws".

Make sure your team digs deep into ensuring data security. Knowledge of data elements means:

- Knowing what data you have
- Knowing the value of the data
- Knowing the risks to your data
- Understanding the likelihood and impact of these risks
- Accepting a level of risk (projectmanagementacademy.com)

Ask these questions to your team:

Que 1: Is the input validation done before writing to the database?
Que 2: Which people or systems have access to the database?
Que 3: Is the data encrypted while at rest?
Que 4: Is the data encrypted while in transit?
Que 5: What is the audit process?
Que 6: Is the data backup in place regularly?

In agile projects, architecture and design happen throughout the project, so make sure regular reviews are scheduled with the security architect.

Development & Testing

Developing software with security in mind is far more effective than trying to validate security through testing. For development, ensure your team follows the best practices for secure code development, and make sure any new developer joining the team is trained on secure coding practices. Get peer code reviews done and get security-sensitive code modules reviewed by security professionals.

These days, continuous integration and continuous deployment are employed to build products quickly. DevOps is being leveraged for fast development. To ensure that quick development is not at the cost of security, many organizations are integrating security unit tests, static testing, and dynamic testing into code development. We'll go over the definitions of these terms:

- Static testing: finding vulnerabilities in the source code without even running the code. The lines of code that have vulnerabilities can be identified.
- SCA (Software Composition Analysis): identifying the usage of third-party code that could have security vulnerabilities.
- Code reviews: by peers and by external experts, especially for the code that implements security functions. Automated and manual code reviews (Big Breaches).
- Dynamic testing: executing automated test cases against running code. It's performed in an integration environment.
- Interactive Application Security Testing: a combination of both human and automated tests.

Testing and quality control are also a part of the Monitoring and Controlling processes. It is critical to test the software components that are ready and provide quick feedback. Next, when the set of code enters the formal testing phase, ensure that penetration testing is performed in addition to functional, user, and performance testing. It is carried out by security professionals to find vulnerabilities in the application, which can be fixed during the development phase. Penetration testers are often referred to as "red teams" and are responsible for finding vulnerabilities that can be exploited. "Blue teams" refers to security professionals that fix the vulnerabilities.

Before deployment to production, the applications will be tested in various environments. Make sure the applications are tested thoroughly in environments close to production. If there are any IoT devices, make sure the configuration is secure. Also, make sure cloud configuration specialists are keeping security in mind.

Production Deployment

Finally, the application will be deployed to the production environment. Make sure the security team signs off on the production environment setup and ensures that the tools for security scans and monitoring are in place. Make sure there are tools in place to identify and block any attacks.

Knowledge Management

Ensure all the steps taken for security are documented in a repository so that it is visible what steps are being taken to ensure security. You may be asked to present to the board.

These were some things to consider in the Execution phase. Bypassing any of this will cause security and compliance issues, which are very costly and can damage reputation if detected later.
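To make the static testing and SCA definitions in the Development & Testing section above concrete, here is an added Python example (not from the book). It walks the syntax tree of a constructed source file without executing it and flags a SQL statement built from runtime data and a hard-coded secret; a second pass compares a constructed dependency list against a constructed advisory table. The file contents, package pins and advisory identifiers are all made up for the demonstration, and the "find_patient" snippet is deliberately the "before" of a fix so the scanner has something to find.

```python
# Added example (not from the book): a miniature static test. It parses Python
# source with the standard-library ast module, without running it, and flags
# two common defect patterns; a small software composition analysis (SCA) pass
# then checks declared dependencies against an advisory list. The source
# snippet, dependency list and advisories are all constructed for the demo.

import ast
from typing import Dict, List, Tuple

# Constructed source under review. find_patient is the "before" of a fix:
# SQL built by string formatting, plus a hard-coded secret at module level.
SAMPLE_SOURCE = '''
import sqlite3
DB_PASSWORD = "hunter2"

def find_patient(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM patients WHERE name = '%s'" % name)
    return cur.fetchall()

def find_patient_safe(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM patients WHERE name = ?", (name,))
    return cur.fetchall()
'''


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when an expression builds a string at runtime (%, +, f-string, .format)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def static_scan(source: str) -> List[Tuple[int, str]]:
    """Return (line, finding) pairs found by walking the syntax tree."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Pattern 1: cursor.execute(<string built at runtime>) -> injection risk.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append((node.lineno,
                             "SQL statement built from runtime data; use a parameterized query"))
        # Pattern 2: NAME_WITH_PASSWORD = "literal" -> hard-coded secret.
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        key in target.id.lower() for key in ("password", "secret", "token")):
                    findings.append((node.lineno,
                                     f"hard-coded secret in {target.id}; load it from a secret store"))
    return sorted(findings)


# Constructed dependency manifest and advisory list for the SCA pass.
REQUIREMENTS = ["requests==2.19.0", "pyyaml==5.4", "flask==2.3.0"]
# Maps package -> (first fixed version, advisory id). Placeholder ids, not real CVEs.
ADVISORIES: Dict[str, Tuple[Tuple[int, ...], str]] = {
    "requests": ((2, 20, 0), "EXAMPLE-ADVISORY-1"),
    "pyyaml": ((5, 4, 0), "EXAMPLE-ADVISORY-2"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'major.minor[.patch]' into a 3-tuple so 5.4 equals 5.4.0."""
    parts = [int(part) for part in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def sca_scan(requirements: List[str]) -> List[Tuple[str, str, str]]:
    """Return (package, pinned version, advisory) for every vulnerable pin."""
    vulnerable = []
    for line in requirements:
        name, _, version = line.partition("==")
        entry = ADVISORIES.get(name.lower())
        if entry and parse_version(version) < entry[0]:
            vulnerable.append((name, version, entry[1]))
    return vulnerable


if __name__ == "__main__":
    for line, finding in static_scan(SAMPLE_SOURCE):
        print(f"line {line}: {finding}")
    for name, version, advisory in sca_scan(REQUIREMENTS):
        print(f"{name}=={version} is below the fixed version ({advisory})")
```

Note what the scan does and does not catch: the parameterized query in find_patient_safe passes because its first argument is a plain string constant, which is the behaviour a real static tool relies on too; real tools add data-flow tracking and far larger rule sets, but the principle of inspecting the code without running it is the same.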

Review your understanding

1. Which of the following is NOT an activity in the Execution phase?

a. Architecture and detailed design take place
b. Security requirements are listed
c. Code development and testing
d. Application is deployed to production

2. Finding vulnerabilities in the source code without even running the code is called

a. Vulnerability scanning
b. Penetration testing
c. Ethical hacking
d. Static testing

3. Execution of automated test cases against running code is called

a. Dynamic testing
b. Static testing
c. Penetration testing
d. Vulnerability scanning

Summary

In the last module, we covered the execution and control phases of the project. In the Execution phase, architecture and detailed design take place, requirements are fleshed out, and we develop the code, test the product and deploy it to production. In agile methodology, architecture and design happen throughout the project, so make sure regular reviews are scheduled with the security architect. When the requirements are being fleshed out, don't forget to prioritize security requirements. Quick development should not be at the cost of security. You can use tools like static testing, dynamic testing, etc. Make sure the security team signs off on the production environment and ensures that the tools for security monitoring are in place before you deploy to production.

Answers

1. b
2. d
3. a

CHAPTER 7: MONITORING & CONTROLLING

In this chapter, we'll cover the Monitoring & Controlling phase of the project.

Monitoring & Controlling are about ensuring that what you intended to do, and what you planned, is what you’ve implemented. It is about tracking, reviewing and regulating the performance and progress of the project. Monitoring & controlling should be done throughout the project. In the Planning phase of the project, we talked about including security and compliance in the project plan. But how can you make sure that your team is following the plan from a security and compliance perspective?

Regular Reminders to the team

Remind the team to be proactive throughout the project. In one of the programs I managed, I put pictures of end-users on the wall. Those end-users were patients seeking care and doctors providing care. The picture reminded us that any breach or attack would impact patients and doctors whom we intended to serve. As you must have experienced, reminders may or may not change the behavior. Inviting security professionals to some team meetings or team lunch sometimes and talking about the recent attacks may help. You may also have to use a carrot or stick i.e., reward or penalize the team members.

Reward

Most of your team will follow best practices. However, you may have some team members who don't follow those; for example, you may have team members who scribble passwords on post-it notes. What should you do in this scenario? Give them warnings. But if their behavior does not change after these warnings, I would recommend informing the security professionals in your organization. We had the practice to incentivize the team members who were themselves following best practices and helping others follow those.

Audits

Conduct audits with the security team. Remember, auditors are your friends.

Monitor engagement from the Security Team

If at any point of time you feel that you are not getting the attention you need from the security team, raise it as a red flag.

Quality Control

In the Execution phase, we covered testing. Make sure any new user stories or business requirements follow the security guidelines. "A penetration test that is conducted on a product in development before its launch may uncover a critical vulnerability that may take some time to fix." - Big Breaches. Hence, make sure the tests are scheduled in such a way that there is enough time to fix the issues and retest.

Drills & Simulation

There are project deadlines to meet, and your team members may not retain and apply what they learned in training. Work with the security team to schedule drills and simulation exercises. If team members fall prey to the simulated phishing emails, you will get an idea of how vigilant they are.

Continuous Monitoring of software and hardware

Ensure there is monitoring in place for detecting any vulnerabilities or threats.

Continuous Monitoring of communication

Your team will be sharing project-related information with each other and with vendors. Make sure no exceptions are made to the secure communication requirements.

Vendor Management

Get audits scheduled for the products and for the vendors. Hold regular reviews with the vendors, and review their access as part of those reviews.

Monitor the access level of the team members, and monitor risks and vulnerabilities throughout.

I'll reiterate that monitoring and controlling happen throughout the project. It will enable you and your team to build great products that not only meet the users' needs but are also secure and compliant. Before we move on to the Closing phase of the project, let's do a small exercise.

Find out what tools are being used to monitor phishing emails.

Review your understanding

1. As a project manager, what is a recommended course of action when you find some team members not following the best security practices?
   a. Incentivize them
   b. Fire them
   c. Give warnings; if it still continues, inform the Security Team
   d. Ignore, but continue to educate the team

2. What are some recommended actions as a project manager to ensure that your team is following the plan from a security and compliance perspective?
   a. Place reminders that will remind you and the team of who any breach or attack would impact
   b. Incentivize the team members who were themselves following best practices and helping others follow them
   c. Pay special attention to people who aren't following best security practices
   d. All of the above

Summary

This chapter was about the Monitoring & Controlling processes of the project. This is about ensuring that what you intended to do, and what you planned, is what you have implemented. You should do this throughout the project. Take actions to ensure that the team is following all the security guidelines and plans you made in the Planning phase. Some actions could include:

- Place reminders that remind you and the team of who any breach or attack would impact
- Incentivize the team members who were themselves following best practices and helping others follow them
- Pay special attention to people who aren't following best security practices

Next, we move on to the Closing phase.

Answers: 1c, 2d

CHAPTER 8: CLOSING

In the last chapter, we covered the Monitoring & Controlling phase of the project. Now we are in the last phase, the Closing phase.

In this phase, here are the things you should do:
- Lessons Learned
- Handoff project deliverables
- Storing Documents
- Access Management
- Celebration

Let's review these items in detail.

Lessons Learned

Organize Lessons Learned sessions with all relevant stakeholders. This will help you and your team identify the actions that they can take forward into future projects. Invite the security and compliance professionals who were involved in your project. Brainstorm and document the following: what went right, what went wrong, what the challenges were, and what could have been done better. Some of the questions to ask:
- Was the security training provided to the team enough, or should something else be incorporated in it?
- Were any specific challenges faced in implementing compliance requirements?
- What were the audit findings? How were the issues remediated?

Handoff project deliverables

Your team will be handing off the product to the operations and production-support team. Make sure that all the security and compliance items are listed and included in the hand-off documents. Suppose the cloud environment where your application was deployed had a security-relevant configuration that was not mentioned in the hand-off documents: the operations team would have no way of knowing that it must be preserved. If your project has implemented regulations such as HIPAA, GDPR, CCPA, or any others, highlight those specifically in the documents. The project team should shadow the operations team during the transition.

Store Documents

At the beginning of the project, you were able to access the Lessons Learned documents of earlier projects. Make sure future projects can learn from yours. Make sure all project documents are stored in secure locations. Your company will have guidelines for the secure repository in which to store the documents. Check with your security team as to where the repository is and who should have access to the artifacts of the project. Your company may have specific folders for certain things; follow that convention so that documents are grouped logically.

Access Management

If your team members were granted any additional access during project development, make sure it is revoked. Work with the IT teams to ensure that any additional hardware issued to your team for the duration of the project is also returned. Vendor employees who were hired only for your project may also need to be off-boarded. The access they had will need to be revoked, including badge access to the building. Follow the process your company has for terminating vendor employees' access: a ticket is created, worked on, and then verified.
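Monitoring team members' access levels during the project (Chapter 7) and revoking project-granted access at close (above) are the same reconciliation done at two points in time. The Python script below is an added example, not code from the book: it compares an entitlement export against the project roster, flags grants that should not survive the hand-off, produces ticket lines routed to the owning team, and then checks a re-export to confirm the tickets were actually worked. The Grant and Person structures, the sample principals and resources, and the rule that badge access is owned by Facilities are all assumptions constructed for this example.

```python
"""Reconcile project-granted access against the project roster at close.
Added example, not code from the book. The entitlement export (Grant) and
roster (Person) are constructed inline; real ones would come from your IAM,
cloud, source-control and badge systems. The badge->Facilities routing is an
assumption for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    principal: str  # user, vendor or service account
    resource: str   # repo, cloud role, database, building badge, ...
    project: str    # project the grant was raised for
    scope: str      # "project": temporary, tied to the project; "standing": role-based


@dataclass(frozen=True)
class Person:
    principal: str
    employer: str   # "internal" or the vendor's name
    active: bool    # still engaged after the hand-off


NOT_ON_ROSTER = "principal not on roster (orphaned account?)"
ROLLED_OFF = "person rolled off the project"
PROJECT_SCOPED = "project-scoped grant must not outlive the project"
VENDOR_REVIEW = "vendor grant: re-approve for operations or revoke"


def revocations_needed(grants, roster, project):
    """Return (grant, reason) for every grant of `project` that should not survive close."""
    people = {p.principal: p for p in roster}
    findings = []
    for g in grants:
        if g.project != project:  # other projects' grants are out of scope here
            continue
        person = people.get(g.principal)
        if person is None:
            findings.append((g, NOT_ON_ROSTER))
        elif not person.active:
            findings.append((g, ROLLED_OFF))
        elif g.scope == "project":
            findings.append((g, PROJECT_SCOPED))
        elif person.employer != "internal":
            findings.append((g, VENDOR_REVIEW))
    return findings


def revocation_tickets(findings):
    """One ticket line per finding, routed to the team owning the resource (assumed rule)."""
    return [
        f"{'Facilities' if 'badge' in g.resource else 'IT'}: revoke "
        f"{g.principal} -> {g.resource} ({reason})"
        for g, reason in findings
    ]


def verify_revoked(findings, current_grants):
    """After tickets are worked, re-export and return flagged grants still present."""
    still_present = {(g.principal, g.resource) for g in current_grants}
    return [g for g, _ in findings if (g.principal, g.resource) in still_present]


# Constructed sample data for project "PHX".
ROSTER = [
    Person("alice", "internal", True),               # stays on for operations support
    Person("bob", "internal", False),                # rolled off at hand-off
    Person("vendor-carol", "AcmeConsulting", True),  # vendor retained for support
    Person("vendor-dave", "AcmeConsulting", False),  # vendor contract ended with project
]
GRANTS = [
    Grant("alice", "prod-db-readonly", "PHX", "standing"),
    Grant("alice", "deploy-role", "PHX", "project"),
    Grant("bob", "source-repo", "PHX", "standing"),
    Grant("vendor-carol", "source-repo", "PHX", "standing"),
    Grant("vendor-carol", "building-badge", "PHX", "project"),
    Grant("vendor-dave", "source-repo", "PHX", "standing"),
    Grant("vendor-dave", "building-badge", "PHX", "project"),
    Grant("eve", "cloud-admin", "PHX", "project"),           # not on roster: orphaned
    Grant("alice", "ticketing-system", "OTHER", "standing"),  # another project, untouched
]
# Re-export after the tickets were worked: one badge was missed.
GRANTS_AFTER = [GRANTS[0], GRANTS[8], Grant("vendor-dave", "building-badge", "PHX", "project")]


def closing_report(grants=GRANTS, roster=ROSTER, after=GRANTS_AFTER, project="PHX"):
    """Find, ticket, verify: the three steps of the access-revocation checklist."""
    findings = revocations_needed(grants, roster, project)
    return {"tickets": revocation_tickets(findings), "reopen": verify_revoked(findings, after)}


if __name__ == "__main__":
    report = closing_report()
    print("\n".join(report["tickets"]))
    for g in report["reopen"]:
        print(f"NOT REVOKED, reopen ticket: {g.principal} -> {g.resource}")
```

Run it once at hand-off to raise the tickets and again after they are marked done; anything in `reopen` is a ticket that was closed without the access actually disappearing, which is the "verified" step the process above calls for. The same reconciliation, run periodically during the project, is one concrete way to monitor team members' access levels.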

Celebration

Celebrate with all your stakeholders, including the security and compliance professionals. This is also an opportunity to recognize and thank your team for following security and compliance best practices. We do not mean a separate party for security success, but keep in mind that the security efforts are celebrated as well.

This brings us to the end of the Closing phase.

Review your understanding

1. Which of the following is to be highlighted when you hand off the deliverables from a cybersecurity perspective?
   a. The product vision
   b. Vendors used in the project building process
   c. Any regulations you implemented in the project
   d. The cybersecurity professionals involved in the project

2. What happens to team members' access to a project once the deliverables are handed over?
   a. No change
   b. Access is revoked for all members who no longer work on the project
   c. Access is restricted to key contributors
   d. None of the above

3. What does the Lessons Learned session entail?
   a. Brainstorm and document what went right or wrong
   b. Document lessons learned
   c. Document challenges faced throughout the project
   d. None of the above

Summary

Now that the project has had a successful conversion and is ready to close, the project manager should commit to completing the tasks outlined in the project closure phase. All documents should be saved and stored; this is helpful for future projects and for contract disputes (McLaughlin & Olson, 2017, p. 127). A Lessons Learned session is held with the project team and key stakeholders to identify what went right and what could have been done better in relation to implementing an information security-centric project. Doing this will help reinforce the right behaviors needed for project success. Other important closure activities include modifying vendor access to reflect an operational state, covering both network and badge access. Congratulations! You have successfully reached the end of the project.

Answers: 1c, 2b, 3b

CHAPTER 9: TAKEAWAYS

In this book, we have covered the actionable steps for you to take in every phase of the project. The knowledge you gained will help keep your organization secure and help you position yourself as a cybersecurity-savvy manager and executive, which is the need of the hour. All the best!

Be proactive

At the beginning of the project, find out which policies and procedures the organization has in place, and which frameworks your project will have to comply with. Ask questions. Engage security teams early on.

Be prepared

Get yourself trained. Make sure that your team, and especially your vendors' teams, are trained.

Build security and privacy in

Keep a security mindset from the beginning. Ask yourself and your team what can go wrong.

Be cautious

Watch out for malicious activities. Watch out for phishing attacks and for your team members' behaviors.

Monitor

Monitor software and hardware. Make sure monitoring is automated.

Make security and compliance fun

Add gamification and rewards to make the security activities fun. The change of mindset will be sustainable only if it is fun.

Be curious

As per Lakeidra Smith, always have an attitude of curiosity.

Next Steps

1. Follow security news.
2. Discuss security breaches and their root causes with your teams.
3. Meet regularly with security professionals.
4. If you have any questions, reach out to us at cyberedx.com.

[1] https://www.pmi.org/pmbok-guide-standards/foundational/PMBOK
[2] https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

Acknowledgement

We would like to thank David Leighton for his support and encouragement in writing this book. Ashish, Alka & Sharanya Agarwal helped us design the cover page and reviewed the content. Tanuja Singh reviewed the content and provided feedback. Enfa George helped us create the quizzes. Pauline Disch reviewed the content. Soumita Das helped with the graphics. Akul Saxena reviewed and edited the book.

About The Author Niharika Srivastav

Niharika Srivastav is the Senior Vice President - Executive Programs & Events at Women In Technology International, a global organization helping companies hire and develop women in technology and engineering. She pursued Engineering at Delhi College of Engineering, an M.B.A. at Delhi School of Economics, and the Executive Leadership Program at Stanford Graduate School of Business. Niharika has 25+ years of experience in business and technology. She is associated with various non-profit organizations in the Bay Area that work towards the education of underprivileged children.

About The Author Sanjay Saxena

Sanjay Saxena, CISSP (Certified Information Systems Security Professional) and Harvard alumnus, is the Chief Executive Officer of Sanovatech Corp and founder of CyberEDX, a platform focused on simplifying cybersecurity for non-techies, business managers, and executives. He pursued Engineering at Samrat Ashok Technological Institute, India and the Program in Leadership Development at Harvard Business School. Sanjay has 25+ years of experience in enterprise architecture, technology program delivery, security, sales, and marketing. He hosts a radio show on cricket that airs in 5 major cities in the USA; in the past, he has hosted radio shows on technology.

References

1. Daswani, Neil and Elbayadi, Moudy. Big Breaches: Cybersecurity Lessons for Everyone. Apress, February 2021.
2. Sobers, Rob. https://www.varonis.com/blog/cybersecurity-statistics/. March 2021.
3. Hospelhorn, Sara. https://www.varonis.com/blog/cybersecurityskills-shortage/. March 2021.
4. Smith, Lakeidra. Cyber Curiosity. New Degree Press, 2021.
5. Radichel, Teri. Cybersecurity for Executives in the Age of Cloud. 2020.
6. Schober, Scott N. and Schober, Craig W. Cybersecurity Is Everybody's Business. ScottSchober.com, 2019.
7. Morgan, Steve. https://cybersecurityventures.com/jobs/. Cybersecurity Ventures, 2021.
8. Security Expert. https://securityboulevard.com/2021/03/cybercrime-to-cost-over-10trillion-by-2025/. 2021.
9. Project Management Institute. PMBOK Guide, 6th Edition. PMI, 2021.
10. Hill, Michael and Swinhoe, Dan. https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html. CSO Online, 202