Title: MANAGEMENT of INFORMATION SECURITY, Second Edition
Learning Objectives
- Upon completion of this chapter, you should be able to:
  - Understand basic project management
  - Apply project management principles to an information security program
  - Evaluate available project management tools
Introduction
- Information security is a process, not a project; however, each element of an information security program must be managed as a project, even if it is an ongoing one, since information security is a continuous series, or chain, of projects
- Some aspects of information security are not project based; rather, they are managed processes (operations)
- Employers are seeking individuals that couple their information security focus and skills with strong project management skills
Figure 12-1: Position Posting
Figure 12-2: The Information Security Program Chain
Project Management
- The Guide to the Project Management Body of Knowledge defines project management as:
  - The application of knowledge, skills, tools, and techniques to project activities to meet project requirements
- Project management is accomplished through the use of processes such as initiating, planning, executing, controlling, and closing
- Project management involves the temporary assemblage of resources to complete a project
- Some projects are iterative, and occur regularly
Project Management (continued)
- Benefits for organizations that make project management skills a priority include:
  - Implementation of a methodology
  - Improved planning
  - Less ambiguity about roles
  - Simplified project monitoring
  - Early identification of deviations in quality, time, or budget
- In general, a project is deemed a success when:
  - It is completed on time or early as compared to the baseline project plan
  - It comes in at or below the expenditures planned for in the baseline budget
  - It meets all specifications as outlined in the approved project definition, and the deliverables are accepted by the end user and/or assigning entity
Applying Project Management to Security
- In order to apply project management to information security, you must first identify an established project management methodology
- While other project management approaches exist, the PMBoK is considered the industry best practice
Table 12-1: PMBoK Knowledge Areas
Table 12-1: PMBoK Knowledge Areas (continued)
Project Integration Management
- Project integration management includes the processes required to ensure that effective coordination occurs within and between the project's many components, including personnel
- The major elements of the project management effort that require integration include:
  - Development of the initial project plan
  - Monitoring of progress as the project plan is executed
  - Control of the revisions to the project plan
  - Control of the changes made to resource allocations as measured performance causes adjustments to the project plan
Project Plan Development
- Project plan development is the process of integrating all of the project elements into a cohesive plan with the goal of completing the project within the allotted work time, using no more than the allotted project resources
- These three elements (work time, resources, and project deliverables) are core components used in the creation of the project plan
- Changing any one element usually affects the accuracy and reliability of the estimates of the other two, and likely means that the project plan must be revised
Figure 12-3: Project Plan Inputs
Project Plan Development (continued)
- When integrating the disparate elements of a complex information security project, complications are likely to arise
- Among these complications are:
  - Conflicts among communities of interest
  - Far-reaching impact
  - New technology
Project Scope Management
- Project scope management ensures that the project plan includes only those activities necessary to complete it
- Scope is the quantity or quality of project deliverables expanding from the original plan
- Includes:
  - Initiation
  - Scope planning
  - Scope definition
  - Scope verification
  - Scope change control
Project Time Management
- Project time management ensures that the project is finished by the identified completion date while meeting objectives
- The failure to meet project deadlines is among the most frequently cited failures in project management
- Many missed deadlines are rooted in poor planning
- Includes the following processes:
  - Activity definition
  - Activity sequencing
  - Activity duration estimating
  - Schedule development
  - Schedule control
Project Cost Management
- Project cost management ensures that a project is completed within the resource constraints
- Some projects are planned using only a financial budget from which all resources must be procured
- Includes the following processes:
  - Resource planning
  - Cost estimating
  - Cost budgeting
  - Cost control
Project Quality Management
- Project quality management ensures that the project adequately meets project specifications
- If project deliverables meet requirements specified in the project plan, the project has met its quality objective
- A good plan defines project deliverables in unambiguous terms against which actual results are easily compared
- Includes:
  - Quality planning
  - Quality assurance
  - Quality control
Project Human Resource Management
- Project human resource management ensures that personnel assigned to the project are effectively employed
- Staffing a project requires careful estimates of the effort required
- In information security projects, human resource management has unique complexities, including:
  - Extended clearances
  - Deploying technology new to the organization
- Includes:
  - Organizational planning
  - Staff acquisition
  - Team development
Project Communications Management
- Project communications management conveys details of activities associated with the project to all involved
- Includes the creation, distribution, classification, storage, and ultimately destruction of documents, messages, and other associated project information
- Includes:
  - Communications planning
  - Information distribution
  - Performance reporting
  - Administrative closure
Project Risk Management
- Project risk management assesses, mitigates, manages, and reduces the impact of adverse occurrences on the project
- Information security projects do face risks that may be different from those of other types of projects
- Includes:
  - Risk identification
  - Risk quantification
  - Risk response development
  - Risk response control
Project Procurement Management
- Project procurement management acquires the resources needed to complete the project
- Depending on the common practices of the organization, project managers may simply requisition resources from the organization, or they may have to purchase them
- Includes:
  - Procurement planning
  - Solicitation planning
  - Solicitation
  - Source selection
  - Contract administration
  - Contract closeout
Additional Project Planning Considerations
- Financial considerations
  - Regardless of the information security needs within the organization, the effort that can be expended depends on the funds available
- Priority considerations
  - In general, the most important information security controls in the project plan should be scheduled first
- Time and scheduling considerations
  - Time can affect a project plan at dozens of points in its development
Additional Project Planning Considerations (continued)
- Staffing considerations
  - The lack of qualified, trained, and available personnel also constrains the project plan
- Scope considerations
  - In addition to the difficulty of handling so many complex tasks at one time, there are interrelated conflicts between the installation of information security controls and the daily operations of the organization
- Organizational feasibility considerations
  - Another consideration is the ability of the organization to adapt to change
Additional Project Planning Considerations (continued)
- Procurement considerations
  - There are a number of constraints on the selection process for equipment and services in most organizations, specifically in the selection of certain service vendors or products from manufacturers and suppliers
- Training and indoctrination considerations
  - The size of the organization and the normal conduct of business may preclude a single large training program covering new security procedures or technologies
Additional Project Planning Considerations (continued)
- Technology governance and change control considerations
  - Technology governance is a complex process that organizations use to manage the effects and costs of technology implementation, innovation, and obsolescence
  - By managing the process of change, the organization can:
    - Improve communication about change across the organization
    - Enhance coordination among groups within the organization as change is scheduled and completed
Additional Project Planning Considerations (continued)
- By managing the process of change, the organization can (continued):
  - Reduce unintended consequences by having a process to resolve potential conflicts and disruptions that uncoordinated change can introduce
  - Improve quality of service as potential failures are eliminated and groups work together
  - Assure management that all groups are complying with the organization's policies regarding technology governance, procurement, accounting, and information security
Controlling the Project
- Once a project plan has been defined and all of the preparatory actions are complete, the project gets underway
- Supervising implementation
  - The optimal approach is usually to designate a suitable person from the information security community of interest, because the focus is on the information security needs of the organization
Executing the Plan
- Once a project is underway, it is managed using a process known as a negative feedback loop or cybernetic loop, which ensures that progress is measured periodically
- Corrective action is required in two basic situations: the estimate is flawed, or performance has lagged
- When an estimate is flawed, as when an incorrect estimate of effort-hours is made, the plan should be corrected and downstream tasks should be updated to reflect the change
- When performance has lagged, correction is accomplished by adding resources, lengthening the schedule, or reducing the quality or quantity of the deliverable
Figure 12-4: Negative Feedback Loop
Executing the Plan (continued)
- Often a project manager can adjust one of the three following planning parameters for the task being corrected:
  - Effort and money allocated
  - Elapsed time or scheduling impact
  - Quality or quantity of the deliverable
Wrap-Up
- Project wrap-up is usually a procedural task assigned to a mid-level IT or information security manager
- These managers collect documentation, finalize status reports, and deliver a final report and a presentation at a wrap-up meeting
- The goal of the wrap-up is to resolve any pending issues, critique the overall effort, and draw conclusions about how to improve the process in future projects
Conversion Strategies
- Direct changeover, also known as going "cold turkey", involves stopping the old method and beginning the new
- Phased implementation is the most common approach and involves rolling out a piece of the system across the entire organization
- Pilot implementation involves implementing all security improvements in a single office, department, or division, and resolving issues within that group before expanding to the rest of the organization
- Parallel operation involves running the new methods alongside the old methods
To Outsource or Not
- Just as some organizations outsource part of or all of their IT operations, so too can organizations outsource part of or all of their information security programs, especially developmental projects
- The expense and time it takes to develop effective information security project management skills may be beyond the reach, as well as the needs, of some organizations, and it is in their best interest to hire competent professional services
- Because of the complex nature of outsourcing, organizations should hire the best available specialists, and then obtain capable legal counsel to negotiate and verify the legal and technical intricacies of the contract
Dealing with Change
- The prospect of change can cause employees to be unconsciously or consciously resistant
- By understanding and applying change management, you can lower the resistance to change, and even build resilience for change
- One of the oldest models of change management is the Lewin change model, which consists of:
  - Unfreezing: the thawing of hard and fast habits and established procedures
  - Moving: the transition between the old and new ways
  - Refreezing: the integration of the new methods into the organizational culture
Unfreezing Phases
- Disconfirmation
- Induction of survival guilt or survival anxiety
- Creation of psychological safety or overcoming learning anxiety
Moving Phases
- Cognitive redefinition
- Imitation and positive or defensive identification with a role model
- Scanning (also called insight, or trial-and-error learning)
Refreezing
- Personal refreezing occurs when each individual employee comes to an understanding that the new way of doing things is the best way
- Relational refreezing occurs when a group comes to a similar decision
Considerations for Organizational Change
- Steps can be taken to make an organization more amenable to change
- Reducing resistance to change from the start
  - Communication is the first and most crucial step
  - The updates should also educate employees on exactly how the proposed changes will affect them, both individually and across the organization
  - Involvement means getting key representatives from user groups to serve as members of the process
Developing a Culture that Supports Change
- An ideal organization fosters resilience to change
- This resilience means the organization accepts that change is a necessary part of the culture, and that embracing change is more productive than fighting it
- To develop such a culture, the organization must successfully accomplish many projects that require change
- A resilient culture can be either cultivated or undermined by management's approach
Project Management Tools
- There are many tools that support the management of the diverse resources in complex projects
- Most project managers combine software tools that implement one or more of the dominant modeling approaches
- The most successful project managers gain sufficient skill and experience to earn a certificate in project management
- The Project Management Institute (PMI) is project management's leading global professional association, and sponsors two certificate programs:
  - The Project Management Professional (PMP)
  - Certified Associate in Project Management (CAPM)
Project Management Tools (continued)
- Most project managers engaged in the execution of project plans that are nontrivial in scope use tools to facilitate scheduling and execution of the project
- Using complex project management tools often results in a complication called projectitis, which occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work
- The development of an overly elegant, microscopically detailed plan before gaining consensus for the work and related coordinated activities that it requires may be a precursor to projectitis
Work Breakdown Structure
- A project plan can be created using a very simple planning tool, such as the work breakdown structure (WBS)
- In the WBS approach, the project plan is first broken down into a few major tasks
- Each of these major tasks is placed on the WBS task list
Work Breakdown Structure (continued)
- The minimum attributes that should be determined for each task are:
  - The work to be accomplished (activities and deliverables)
  - Estimated amount of effort required for completion in hours or workdays
  - The common or specialty skills needed to perform the task
  - Task interdependencies
Work Breakdown Structure (continued)
- As the project plan develops, additional attributes can be added, including:
  - Estimated capital expenses for the task
  - Estimated noncapital expenses for the task
  - Task assignment according to specific skills
  - Start and end dates
  - Work to be accomplished
  - Amount of effort
  - Skill sets/human resources
  - Task dependencies
Work Phase
- Once the project manager has completed the WBS by breaking tasks into subtasks, estimating effort, and forecasting the necessary resources, the work phase, during which the project deliverables are prepared, may begin
Table 12-2: Early Draft WBS
Table 12-2: Early Draft WBS (continued)
Table 12-3: Later Draft WBS
Task-Sequencing Approaches
- Once a project reaches even a relatively modest size, say a few dozen tasks, there can be almost innumerable possibilities for task assignment and scheduling
- A number of approaches are available to assist the project manager in this sequencing effort
Network Scheduling
- One method for sequencing tasks and subtasks in a project plan is known as network scheduling
- Network refers to the web of possible pathways to project completion from the beginning task to the ending task
Figure 12-5: Simple Network Dependency
Figure 12-6: Complex Network Dependency
Program Evaluation and Review Technique (PERT)
- PERT, the most popular network dependency diagramming technique, was originally developed in the late 1950s to meet the needs of rapidly expanding government-driven engineering projects
- About the same time, a similar project, called the Critical Path Method, was being developed in industry
- It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity:
  - How long will this activity take?
  - What activity occurs immediately before this activity can take place?
  - What activity occurs immediately after this activity?
Program Evaluation and Review Technique (PERT) (continued)
- By determining the path through the various activities, you can determine the critical path
- As each possible path through the project is analyzed, the difference in time between the critical path and any other path is the slack time
  - An indication of how much time is available for starting a noncritical task without delaying the project as a whole
- Should a delay be introduced, due to poor estimation of time, unexpected events, or the need to reassign resources to other paths such as the critical path, the tasks with slack time are the logical candidates for delay
PERT Advantages
- There are several advantages to the PERT method:
  - Makes planning large projects easier by facilitating the identification of pre- and post-activities
  - Allows planning to determine the probability of meeting requirements
  - Anticipates the impact of changes on the system
  - Presents information in a straightforward format that both technical and nontechnical managers can understand and refer to in planning discussions
  - Requires no formal training
PERT Disadvantages
- Disadvantages of the PERT method include:
  - Diagrams can become awkward and cumbersome, especially in very large projects
  - Diagrams can become expensive to develop and maintain, due to the complexities of some project development processes
  - It can be difficult to place an accurate time to complete on some tasks, especially in the initial construction of a project; inaccurate estimates invalidate any close critical path calculations
Figure 12-7: PERT Example
Gantt Chart
- Another popular project management tool is the bar or Gantt chart, named for Henry Gantt, who developed this method in the early 1900s
- Like network diagrams, Gantt charts are easy to read and understand, and thus easy to present to management
- These simple bar charts are even easier to design and implement than the PERT diagrams, and yield much of the same information
- The Gantt chart lists activities on the vertical axis of a bar chart, and provides a simple time line on the horizontal axis
Figure 12-8: Project Gantt Chart
Automated Project Tools
- Microsoft Project is a widely used project management tool
- If you're considering using an automated project management tool, keep the following in mind:
  - A software program cannot take the place of a skilled and experienced project manager who understands how to define tasks, allocate scarce resources, and manage the resources that are assigned
  - A software tool can get in the way of the work
  - Choose a tool that you can use effectively
Summary
- Introduction
- Project Management
- Applying Project Management to Security
- Project Management Tools