Project Management

An organization can either incorporate security guidance into its general project management processes or react to security failures. It is increasingly difficult to respond to new threats by simply adding new security controls. Security control is no longer centralized at the perimeter. Meeting security requirements now depends on the coordinated actions of multiple security devices, applications and supporting infrastructure, end users, and system operations. Reengineering a system to incorporate security is a time-consuming and expensive alternative.

Cyber attacks take advantage of software errors, such as not properly validating user input, inconsistencies in the design assumptions among system components, and unanticipated user and operator actions. Software errors can be introduced by disconnects and miscommunications during the planning, development, testing, and maintenance of the components. Although an application development team may be expert in the required business functionality, that team usually has limited or no applicable security expertise. The likelihood of disconnects and miscommunications increases as more system components have to satisfy security requirements.

The necessary communications and linkages among the life-cycle activities, among multiple development teams, and between the system development and eventual usage should be reflected in project management. Project managers should consider the additional communications requirements, linkage among life-cycle activities, and the potential usage environment as these items relate to security needs.

Clearly, system security affects many of the “knowledge areas” of project management: specifically, scoping, human resources, communications, risk management, procurement, quality, and integration. Providing the necessary level of security assurance requires more than the development of what is usually called the security architecture: perimeter defenses (firewalls), proxies, authentication, and access controls. An objective for the Chief Information Security Officer of one Wall Street investment house is to empty that security architecture (i.e., avoid treating security as an add-on) and instead to “raise the bar” for component software assurance by integrating assurance into the development processes.

Such integration has to be reflected in project management. Activities such as an architectural risk assessment, threat analysis, and static analysis for the source code provide checkpoints for specific development phases. Development controls and change management are essential development tools. However, the software assurance issues during development are dynamic, and project management must maintain linkages between business and technical perspectives, among life-cycle phases, and among development teams. The production of an assurance case can serve as an integrating mechanism by identifying threats and desired responses and then tracing and refining the threats and responses during development.

A change in the level of assurance required can significantly affect the management of a project. Does the development staff have the requisite skills? How can that assurance be demonstrated? Can the existing software practices provide that level of assurance? This site provides a starting point for a discussion of best practices with respect to software assurance.