Wednesday, March 24, 2010

Project processes that should be followed when implementing IT security projects

IT security projects require well-defined processes because omissions and errors can lead to huge security holes. There are quite a few processes that should be defined in order to implement an IT security project. These processes are briefly discussed below.

Acceptance criteria - These are the predefined results that can be expected from the security project. They are agreed by discussing them with the key stakeholders of the IT security project.

Risk management - You conduct a thorough risk assessment and threat assessment to identify the risks associated with the security project, and define how those risks can be avoided, mitigated or transferred during and after the project.

Change management - Errors and omissions in a security project are hard to avoid, but what went wrong, when, where, how, and what measures you took should all be properly documented, so that the risks and problems that could occur in future can be countered or solved.

Communication procedure - Most importantly, communication has to be managed properly. The project's key stakeholders and sponsors have to be kept informed about the milestones throughout the security project. When, how and whom to keep updated, and at what frequency, should be known when starting the security project. Otherwise the project manager and team will have a tough time deciding what, when and whom to inform while the security project is underway.

Quality management - Quality is measured through testing, and this should be clearly defined in your quality management procedure. Which test methodologies to use, which modules to test, when to test, etc. have to be defined in advance. The level of testing required for an IT security project depends solely on the type of security project and the severity of its impact on the organization.

Status reporting - The status of the project should be reported to project sponsors and key stakeholders when needed. The frequency of reporting can be agreed during the project requirements phase, where you can discuss the type of report required and how frequently they need it.

Escalation procedure - If an issue cannot be solved through the normal channels, you need to pass it to the next level in the escalation hierarchy to reach a solution. These escalation paths have to be identified accurately and defined clearly so that, in an emergency, they can be followed without causing any delay to the project.

Documentation - Every aspect of the project should be clearly documented. This documentation will greatly help in future when managing, monitoring and troubleshooting errors in the project.

Approval procedures - The approval procedure should specify who has the authority to approve changes in the project. Mostly this will be the project sponsor, who makes the decisions about the security project. You cannot run here and there looking for who should approve the changes in an urgent situation. If these procedures are clearly defined, unwanted delays can be avoided.

Deployment - The deployment procedure should specify when and how the deployment should happen. Before the deployment, all affected parties must be informed in advance to avoid unwanted system problems; this can be addressed in the communication plan.

Operational procedures - How the security system is monitored during day-to-day activities, and who is responsible for the maintenance and monitoring of the implemented system, is specified in the operational procedures. They include how to manage the security system, whom to contact in case of an emergency, etc.

Training procedure - Users of the security system should be adequately trained to get the maximum use out of the implemented security system. Through training you raise the awareness level of the users and make them responsible for the system, so that they can report any suspicious activity.
