Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition. Chapter 4: Project Processes

Upload: shelly-forbes

Post on 03-Jan-2016

DESCRIPTION

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition. Chapter 4 Project Processes. Objectives. Understand the purpose and benefit of processes in the project processes area Structure and run an effective project planning process - PowerPoint PPT Presentation

TRANSCRIPT

Page 1

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Chapter 4: Project Processes

Page 2

© Cengage Learning 2015

Objectives

• Understand the purpose and benefit of processes in the project processes area
• Structure and run an effective project planning process
• Conduct effective, ongoing risk management
• Control critical project activities such as configuration management and knowledge management

Page 3

Overview of Project Processes

• The project processes involve all the control activities that ensure ICT work meets business, technology, and assurance goals
– Control: a specific action or actions taken to ensure a desired outcome
• Project management oversees the organization's ICT acquisition, development, and sustainment processes
– Enforces the ICT policies and procedures
– Ensures effective coordination and control of the organization's everyday work practices

Page 4

Defining and Coordinating the Project

• Project management involves defining and deploying a fully integrated set of activities to achieve a given purpose
• Project definition and subsequent coordination ensure the efficient use of resources
• A project management plan defines the requisite activities and tasks for each project
– The plan should always consist of concrete specifications of the work to be done
– The plan is typically reviewed and refined over time

Page 5

Defining and Coordinating the Project

• The project manager is the person who writes the plan
• The plan specifies the major elements of the project during the planning period
– As well as the organizational resources allocated to support each element
• Strategic planning process: a set of rational activities that an organization undertakes to accomplish its long-range goals
• Project activities are planned, documented, evaluated, and adjusted when necessary

Page 6

Building the Project Team

• Project teams are typically composed of an integrated mix of business and information technology (IT) workers
• Questions to ask when building a team:
– What is the precise mission of the team?
– What organizational competencies are required to achieve that mission?
– Are those competencies available for the particular project?
• Capability: the level of assessed competence of a process

Page 7

Organizing the Project

• Failure to satisfy the business purpose is a frequent cause of overall project failure
• The planned involvement of business stakeholders ensures that all points of view are represented in the final product
• Differences must be resolved for projects to move forward
• It is a challenge to incorporate everyone's vision and capabilities into project planning
– Following the project processes of the ISO/IEC 12207 standard provides a best-practice structure for doing so

Page 8

The Project Processes of ISO/IEC 12207:2008

• The 12207 standard presents the processes in a logical order
– Ranging from general best practices for planning, assessment, and implementation to specific project management and control practices
• The project planning process establishes the generic management function for the given project
• The project assessment and control area deals with all related implementation concerns
• Figure 4-1 on the following slide shows the relationship of these process areas

Page 9

Figure 4-1 (image not reproduced in the transcript)

Page 10

The Project Planning Process (6.3.1)

• The overall goal of project planning is to develop an effective and realistic set of plans for the overall conduct of the project
– Decides the scope and purpose of the project as well as the timeline and activities involved
• The project planning process is responsible for describing the scope of work to be done and evaluating whether the work can be carried out with available resources and known constraints
– Seeks to ensure proper alignment between project goals and reality

Page 11

Project Initiation

• The first step in the project planning process is to establish the scope of the project
– Includes defining objectives, motivations, and boundaries
• Boundary: a perimeter that incorporates all items to be secured
• Managers can then establish the feasibility of the project by confirming that all required personnel, materials, and technology are available
– And that the project can be completed on time

Page 12

Project Initiation

• Project initiation involves ensuring that the actions of all participants are correctly aligned and coordinated with the achievement of project goals

• The initiation activity must ensure that the project’s day-to-day activities and tasks are specified with appropriate detail

• Project initiation must assure that adequate lines of communication have been established among all participants to guarantee effective cooperation

Page 13

Project Planning

• Plans usually include:
– Schedules, milestones, time and resource estimates, and the assignment of roles, responsibilities, and work tasks
• Might also include:
– A detailed risk estimate for each activity and task
– Lifecycle measures to assess the quality and security of each product and process
• Security: confidence that a given approach will produce dependable and intended outcomes

Page 14

Project Authorization and Launch

• After receiving the appropriate authorization from other managers:
– The project manager takes steps to launch the project
• Projects are established by the creation of a customized management process that establishes:
– Visibility
– Management control over project activities

Page 15

The Project Assessment and Control Process (6.3.2)

• The project assessment and control process ensures that events are on schedule, on budget, and fulfill the technical objectives laid out in the project plan
• Quantitative data can be used to evaluate the options and implications of a decision
• Managers cannot exercise control over projects unless they have an objective means of evaluating how well a project is going
– The ability to obtain good measurement data is essential

Page 16

The Project Assessment and Control Process (6.3.2)

• By collecting standard project performance data, managers can ensure projects run appropriately and within budget
– Project performance measures should be defined and instituted to support quantitative decision making
• Performance data can also help identify emerging problems so that managers can judge the potential risks and rewards of making further investments in an ongoing project
– Based on reliable corporate benchmarks

Page 17

The Project Assessment and Control Process (6.3.2)

• Many different quantitative measures exist, including basic production metrics such as:
– Project productivity measured in lines of code (LOC) or function points (FP)
• The ISO/IEC 9126 standard also outlines metrics that consider the functionality, reliability, usability, efficiency, maintainability, and portability of the product under development
– ISO/IEC 9126 has since been superseded by ISO/IEC 25010, which adds security as a quality characteristic in its own right

Page 18

The Project Assessment and Control Activities

• The aim of project assessment and control is to ensure that project objectives are successfully achieved and properly recorded
• This process ensures:
– Progress is monitored and reported
– Interfaces between project elements are properly monitored
– Managers can correct deviations from the project plan and prevent them from recurring

Page 19

(figure slide; image not reproduced in the transcript)

Page 20

Project Monitoring

• Project monitoring is the first formal activity
• Ensures that:
– The project is executed correctly
– The outcomes of monitoring are reported to all internal and external project stakeholders
• Project monitoring must account for the status of interfaces between internal project elements and outside interfaces with other relevant projects

Page 21

Project Control

• Managers must monitor a project in order to control it
– Monitoring and control are closely associated
• To enforce proper project control:
– The project manager must be able to investigate, analyze, and resolve any deviations from the project's planned course of action
• The impact of any deviation must be evaluated, and the response to it authorized and monitored
• Routine reporting ensures general management oversight

Page 22

Project Assessment

• Formal assessment activities during ICT product development are an essential part of good management practice
• The goal is to ensure that the work continues to run correctly from the beginning to the end of a project
• Systematic assessments ensure that the ICT product requirements and the project's ongoing activities satisfy the plan's objectives
• Assessment results can be used to establish steps that prevent future problems

Page 23

Project Closure

• Projects must be formally terminated
– To avoid wasted resources
• Reasons a formal termination procedure is necessary:
– An organization must document that all ICT development activities have been completed as contracted
– Project data has to be archived to preserve a history of the project
• Lessons learned from previous projects can help in planning similar efforts in the future

Page 24

The Decision Management Process (6.3.3)

• Decision management is a fundamental process of project management
– Seeks to ensure the best outcome for any concern that arises in the project environment
– Evaluates all possible directions among a given set of alternatives and chooses the one that provides the likeliest benefit
• Decision management is initiated by standard operating policies and procedures that are followed when a decision is needed

Page 25

Decision Management Activities

• A decision management policy allows managers to make quick and rational decisions about issues that arise in the day-to-day execution of a project
• The goal is to record, categorize, and promptly report problems and to develop alternative courses of action to resolve those problems
• With standard policies in place:
– The project team can ensure that decisions made during the project lifecycle contribute to the organization's goals

Page 26

(figure slide; image not reproduced in the transcript)

Page 27

Decision Planning

• A planning process is the first activity in decision management
– Involves enumerating and prioritizing all categories of likely decisions
• In addition to identifying each type of decision:
– Authorization and responsibility for making it are assigned to the appropriate decision maker
• Policies and procedures are selected to guide decisions in each category
– A formal process is defined to address situations where no policy guidance is available

Page 28

Decision Analysis

• The overall aim of decision management is to come up with a decision that leads to the best result
– Decisions are usually guided by policy
• If there is no policy:
– A decision-making strategy or decision protocol must be in place to ensure the right decision is made
• A decision-making strategy includes functions for gathering information and making trade-offs
– Allows the project team to make the best decision from a range of alternatives

Page 29

Decision Tracking

• Each decision should be recorded and its outcomes should be tracked, evaluated, and reported
– Ensures that the decision resolved the problem or leads to the desired benefit
– If not, the knowledge gained can provide guidance
• To track a decision:
– Records of problems and decisions must be kept
– Actions associated with the decision must be monitored through reviews, inspections, or audits

Page 30

The Risk Management Process (6.3.4)

• Risk management: a set of formal organizational processes that are designed to respond appropriately to any identified adverse event
– Applies to all types of lifecycle activity
• The goal is to identify, analyze, treat, and monitor all active and latent risks in the project
• Threat: an adversarial action that could produce harm or an undesirable outcome
• Threat assessment ensures that all project risks are identified and categorized

Page 31

The Risk Management Process (6.3.4)

• Risk analysis: the assessment of the overall likelihood and impact of a threat
• Organizations must institute a targeted risk analysis function
– Which facilitates qualitative and quantitative analyses of any newly identified or emerging risk event
• Once a risk analysis function has been established:
– The organization must specify formal responses to correctly address all meaningful risks as they occur

Page 32

Risk Management Activities

• To determine the scope of the process, organizations must answer two questions:
– What is the likelihood that each identified risk will occur?
– What is its anticipated impact?
• Answers are normally expressed as an estimate of loss, harm, failure, or danger for each risk
• After the scope is determined, risk management policies are defined and implemented
– Organizations should set priorities for applying the resources needed to mitigate each risk

Page 33

(figure slide; image not reproduced in the transcript)

Page 34

Risk Management Planning

• Risk management planning goal:
– To identify critical risks and then create and maintain an effective set of formal steps to manage each risk
• Risk management planning helps an organization assign specific roles and responsibilities for the risk management function
• The plan should describe the process for evaluating and improving overall risk management
– Including how to use lessons learned
• Acceptable risk: a situation in which the likelihood or impact of an adverse occurrence is low enough that accepting it can be justified

Page 35

Risk Profile Management

• Risk profile management establishes a link between the risk management process and the project's environment
– By recording specific information on the state of each risk and its probability, consequences, and risk thresholds
• Provides explicit policy guidance
– Priorities established by the risk profile determine the application of resources for treatment
• Risk thresholds dictate the conditions under which an organization may accept a level of risk

Page 36

Risk Analysis

• Risk analysis: an information-gathering function that focuses on understanding the nature of risks
– Documents mitigation strategies for every risk that surpasses its threshold
– Defines measures for evaluating potential mitigations
• Risk analysis ensures the most efficient use of security resources
• Likelihood of occurrence: an assessment of the probability that an event will occur
• Anticipated impacts are normally expressed as an estimate of loss, harm, failure, or danger

Page 37

Risk Treatment

• Risk treatment develops solutions for identified risks
• The scope of coverage and the required level of assurance are the primary influences that define the context in which treatments are chosen
• Roles and responsibilities have to be defined to carry out the actions necessary to mitigate risks
– Establishes accountability
• Each risk has to be categorized by priority to allow for decisions regarding resource allocation

Page 38

Risk Monitoring

• Risk monitoring tells decision makers whether risk management objectives are being achieved
– And whether risk control performance is in line with expectations
• Qualitative analysis is useful in determining priorities
– One of the main purposes of risk monitoring
– Expressed through a set of nominal values, such as high, medium, and low
• A blend of quantitative and qualitative measures is often used to monitor risk

Page 39

Risk Management Evaluation

• Information should be collected throughout the project lifecycle to help improve risk management
• Data includes identified risks, their sources, their causes, their treatment, and the success of selected treatments
• An important element of risk management is a series of periodic reviews
• Two types of review are commonly used:
– Time-based: occur at regular intervals
– Event-based: capture information about a particular aspect of the risk management process
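The risk management slides above (planning, risk profile with thresholds, analysis of likelihood and impact, treatment by priority, and monitoring of residual risk) describe a procedure that is easier to follow in a concrete form. The following is an added example written for this page; it is not code from the textbook or from ISO/IEC 12207. The 1-to-5 likelihood and impact scales, the score thresholds for High/Medium/Low, the acceptance policy, the owners, and the sample risks in build_sample() are all assumptions chosen for illustration.

```python
# Added example (not from the textbook or ISO/IEC 12207): a minimal risk
# register that rates risks from likelihood x impact, applies a risk threshold
# for acceptance, orders treatment by priority and monitors residual risk.
# The 1..5 scales, thresholds, owners and sample risks are all assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed ordinal scales; score = likelihood * impact, range 1..25.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed risk profile thresholds mapping numeric scores to nominal values.
HIGH_AT = 15             # score >= 15 -> High
MEDIUM_AT = 6            # score >= 6  -> Medium, below -> Low
ACCEPT_BELOW = MEDIUM_AT  # assumed policy: only Low risks may be accepted untreated


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int
    impact: int
    owner: str                                        # accountable for treatment
    treatment: Optional[str] = None                   # planned mitigation
    residual: Optional[int] = None                    # score re-assessed after treatment
    history: List[str] = field(default_factory=list)  # monitoring record

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.rid}: likelihood and impact must be 1..5")


def score(likelihood: int, impact: int) -> int:
    return likelihood * impact


def rating(s: int) -> str:
    """Map a numeric score onto the nominal values High / Medium / Low."""
    if s >= HIGH_AT:
        return "High"
    return "Medium" if s >= MEDIUM_AT else "Low"


def is_acceptable(r: Risk) -> bool:
    """Risk threshold check: may the organization accept this risk as-is?"""
    return score(r.likelihood, r.impact) < ACCEPT_BELOW


def treatment_queue(register: List[Risk]) -> List[Risk]:
    """Untreated risks above the threshold, highest score first; this order
    drives the allocation of mitigation resources."""
    pending = [r for r in register if not is_acceptable(r) and r.treatment is None]
    return sorted(pending, key=lambda r: (-score(r.likelihood, r.impact), r.rid))


def record_treatment(r: Risk, treatment: str, new_l: int, new_i: int) -> None:
    """Apply a treatment and re-assess likelihood/impact to get the residual score."""
    r.treatment = treatment
    r.residual = score(new_l, new_i)
    r.history.append(f"treated ({treatment}); residual score {r.residual}")


def monitor(register: List[Risk]) -> List[str]:
    """Flag treated risks whose residual score still breaches the threshold,
    i.e. risk control performance is not in line with expectations."""
    findings = []
    for r in register:
        if r.residual is not None and r.residual >= ACCEPT_BELOW:
            findings.append(f"{r.rid}: residual {rating(r.residual)} ({r.residual}) still above threshold")
    return findings


def build_sample() -> List[Risk]:
    """Constructed sample register for illustration (not real project data)."""
    return [
        Risk("R1", "Vulnerable third-party component shipped in release", 4, 4, "build lead"),
        Risk("R2", "Key developer leaves mid-project", 2, 3, "project manager"),
        Risk("R3", "Test environment drifts from production configuration", 3, 2, "ops lead"),
        Risk("R4", "Minor UI defects at release", 3, 1, "QA lead"),
    ]


def demo() -> Dict[str, object]:
    """Run the register through analysis, treatment and monitoring."""
    reg = build_sample()
    queue = [f"{r.rid}:{rating(score(r.likelihood, r.impact))}" for r in treatment_queue(reg)]
    accepted = [r.rid for r in reg if is_acceptable(r)]
    # Treat two risks; the second treatment changes neither likelihood nor
    # impact, so monitoring should flag it as still above the threshold.
    record_treatment(reg[0], "pin patched version and gate builds on SCA scan", 1, 4)
    record_treatment(reg[2], "weekly manual config diff", 3, 2)
    return {"queue": queue, "accepted": accepted, "findings": monitor(reg)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of monitor() is the one the Risk Monitoring slide makes: a treatment is only a control if the re-assessed score actually drops below the threshold, so the register keeps the residual score rather than just a flag that a treatment exists.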

Page 40

The Configuration Management Process (6.3.5)

• Configuration management: a formal process to ensure the continuing status of ICT products
– To ensure the status of every meaningful item in an ICT product is documented and known at all times
• Goal: to establish and maintain the integrity of all project components by placing them under formal decision-making and oversight control
• Configuration management serves as the basis for measuring quality by confirming the integrity of changes and ensuring they are verified as correct

Page 41

(figure slide; image not reproduced in the transcript)

Page 42

Configuration Management Planning

• A configuration management strategy must be planned for each project
– Describes how configuration baselines are established, maintained, and archived for a project
– Specifies which staff have the right to authorize, access, and reintegrate changes to baseline items
– Must also specify the level of integrity, security, and safety for each baseline as well as the storage medium
• Once the strategy is established, the project manager must specify which items are subject to configuration control (known as identification)

Page 43

Configuration Management Execution

• The recording, retrieval, and maintenance of current and preceding configurations should be kept under management control to:
– Assure correctness, timeliness, integrity, and security
• A project baseline represents the status of the project at a fixed point in time or circumstance
• Once the project baseline is established, any changes are described in the configuration record and maintained throughout the system lifecycle
– Audits may be performed as needed
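The two configuration management slides above (identification of controlled items, authorization to reintegrate changes, a baseline fixed at a point in time, a configuration record of every change, and audits) can be demonstrated with a baseline kept as a manifest of content digests. The following is an added example written for this page, not code from the textbook or from ISO/IEC 12207. The item names and contents, the single authorizer "cm_manager", and the requesters are constructed for illustration; the use of SHA-256 for item integrity is a choice made here, not something the slides prescribe.

```python
# Added example (not from the textbook or ISO/IEC 12207): a configuration
# baseline kept as a manifest of SHA-256 digests, an audit that reports every
# deviation from the baseline, and a change path that only named authorizers
# may approve. Item names, contents and the authorizer list are assumptions.
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class Baseline:
    label: str
    items: Dict[str, str]        # configuration item -> sha256 of its content
    authorizers: Set[str]        # staff allowed to approve reintegration
    change_log: List[dict] = field(default_factory=list)  # the configuration record


def establish_baseline(label: str, items: Dict[str, bytes], authorizers: Set[str]) -> Baseline:
    """Identification: only the items listed here are under configuration control."""
    return Baseline(label, {name: digest(c) for name, c in items.items()}, set(authorizers))


def audit(b: Baseline, current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the current state against the baseline and report every deviation."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "untracked": []}
    for name, expected in b.items.items():
        if name not in current:
            report["missing"].append(name)
        elif digest(current[name]) != expected:
            report["modified"].append(name)
    report["untracked"] = [name for name in current if name not in b.items]
    return report


def apply_change(b: Baseline, name: str, new_content: bytes,
                 requested_by: str, approved_by: str, reason: str) -> None:
    """Controlled change: refuse unless the approver holds the authorization,
    then update the baseline and append an entry to the configuration record."""
    if approved_by not in b.authorizers:
        raise PermissionError(f"{approved_by} may not approve changes to {b.label}")
    old, new = b.items.get(name), digest(new_content)
    b.items[name] = new
    b.change_log.append({
        "item": name, "old": old, "new": new, "requested_by": requested_by,
        "approved_by": approved_by, "reason": reason,
        "at": datetime.now(timezone.utc).isoformat(),
    })


def fingerprint(b: Baseline) -> str:
    """One digest over the whole baseline: the status at a fixed point in time."""
    return digest(json.dumps(b.items, sort_keys=True).encode())


def demo() -> Dict[str, object]:
    # Constructed configuration items (not from any real system).
    items = {
        "app/config.yaml": b"log_level: info\nauth: required\n",
        "app/tls.conf": b"min_version: TLS1.2\n",
        "deploy/firewall.rules": b"default deny\nallow 443/tcp\n",
    }
    b = establish_baseline("release-1.0", items, {"cm_manager"})
    fp_before = fingerprint(b)

    # Drift: the TLS floor is lowered and a file appears outside CM control.
    drifted = {**items, "app/tls.conf": b"min_version: TLS1.0\n", "debug.flag": b"1"}
    drift_report = audit(b, drifted)

    # The developer tries to approve the downgrade themselves; refused.
    try:
        apply_change(b, "app/tls.conf", drifted["app/tls.conf"], "dev1", "dev1", "quick fix")
        blocked = False
    except PermissionError:
        blocked = True

    # A properly authorized firewall change is recorded, and the deployed
    # state is brought back in line with the updated baseline.
    new_fw = b"default deny\nallow 443/tcp\nallow 22/tcp from 10.0.0.0/8\n"
    apply_change(b, "deploy/firewall.rules", new_fw, "ops1", "cm_manager", "bastion access")
    clean_report = audit(b, {**items, "deploy/firewall.rules": new_fw})

    return {"drift": drift_report, "blocked": blocked, "clean": clean_report,
            "fingerprint_changed": fp_before != fingerprint(b),
            "record": [(e["item"], e["approved_by"]) for e in b.change_log]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The audit reports three kinds of deviation because each needs a different response: a modified item is an unauthorized change to a controlled item, a missing item breaks the baseline, and an untracked item is something that escaped identification and should either be brought under control or removed.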

Page 44

The Information Management Process (6.3.6)

• The information management process is a formal function that records and maintains the information needed to manage a project over its lifecycle
– Generates, collects, transforms, retains, retrieves, disseminates, and disposes of all necessary project information
• The goal is to provide relevant, timely, complete, and valid information to decision makers
• Ensures the form and content of all project information is proper and correct

Page 45

(figure slide; image not reproduced in the transcript)

Page 46

Information Management Planning

• The organization must identify and classify all relevant information and designate which media to use to capture and store information
• The plan must specify the exact procedure used to capture the data kept for each information item
– Must stipulate how each item under information management control is developed, inspected, and modified
• Information management defines the rights, obligations, and commitments of designated parties for retaining and transmitting information

Page 47

Information Management Planning

• Information management planning also defines individual access rights for each information item under its control
• Other primary drivers of information management planning are:
– Legal
– Security
– Privacy

Page 48

Information Management Execution

• Once the plan is complete and all responsibilities are assigned:
– The project team begins to capture and retain the information identified in the plan
• Stored records are maintained according to the integrity, security, and privacy requirements established by the planning function
• Information can then be distributed to all authorized parties by request, by scheduled agreement, or under defined circumstances

Page 49

Information Management Execution

• To ensure availability:
– The medium, location, and protection of information must be specified and must be compatible with all storage and retrieval requirements
• Information management ensures that arrangements are in place to retain necessary documentation after a project ends

Page 50

The Measurement Process (6.3.7)

• The purpose of the measurement process is to collect, analyze, and report data for an organization's products and processes
– To ensure effective management of processes and to objectively demonstrate product quality
– Also ensures all measurement activities are defined
• Ensuring consistency of data is important because managers use it to make decisions about all types of project activity

Page 51

(figure slide; image not reproduced in the transcript)

Page 52

Measurement Planning

• Measurement planning involves the establishment of a standard schedule for each assessment and a defined process for collecting and reporting results
• Project measurement uses a defined set of criteria to evaluate the performance of project functions
• The outcome of the planning process must be a set of measures for judging elements of a project's performance
– Such as timeliness, security, and fiscal responsibility
• Decision makers use this information to review and approve resources for each task

Page 53

Measurement Performance

• The first step in implementing a project measurement process is to develop a formal means of recording relevant data about events in the organization’s environment

• The project needs to install procedures for data generation, collection, analysis, and reporting within the relevant project processes

• Project measurement involves the collection, storage, and verification of data

Page 54

Measurement Evaluation

• Measurement evaluation assesses the project and its measurement process
– Achieved through benchmark comparisons
• Benchmarks capture and record the performance of a target process over time
• The first step in creating a metrics program based on benchmarks:
– To confirm that all elements of the project measurement function have been evaluated and documented at a certain point in time

Page 55

Measurement Evaluation

• Documentation should include an overall statement about the standard assessment mechanism for each element under project management control
– Should also include a generic testing and review plan to ensure that procedures retain their effectiveness
• Once the organization understands the status of all activities:
– It can track the performance of the measurement process against prior assessments
• Ensures the long-term effectiveness of measurements

Page 56

Summary

• Project management ensures alignment of ICT work with an organization's goals
• Project management integrates a range of management perspectives as well as coordinating and controlling all related functions to do the work of an ICT project
• Project management plans achieve a logically related set of management objectives
• Assessment data supports good decisions, but it is important to know how to provide the proper data to the right people

Page 57

Summary

• Risk management is essentially built around formal processes to provide information about risk to decision makers
• Every risk process must be designed to fit its specific environment
• Configuration management is built around maintaining baselines composed of relevant elements of the project or product