
How the Information security management and Data Privacy function should support IT projects

  • Stéphane Adamiste
  • 31 Oct 2020

Information security management: The role of the information security function varies significantly from one organization to another. In particular, there are many ways of managing information security and data privacy in IT projects. This article describes how the information security / data privacy function and the IT project management function should interact for the best efficiency.

First of all, as we have detailed in this blog post and in our "Three common challenges in information security and data privacy" video, we believe it makes much sense to address information security and data privacy together in IT projects.

The data owner defines the confidentiality, integrity and availability requirements for the information assets processed within the IT system being implemented.

A security expert may accompany the project. She issues an information security and data privacy (ISDP) concept, i.e. the list of threats and the security controls applicable to the system, taking the CIA requirements as input. She may also advise on how to implement the controls listed in the concept and perform the project activities that require technical expertise, for instance architecture reviews, detailed threat modelling and tests of the project artifacts.

The security expert reports to the project manager, who is in charge of coordinating and following up the implementation of the security and privacy controls, using the worksheets provided as part of the ISDP concept.

Applying this methodology in all projects provides detailed information on which controls have been implemented and which have not. The results can be correlated to evaluate aggregate security risks based on concrete data from the field. This aggregate data serves as an input to the enterprise risk management function.

In parallel, the security function manages the organisation's information security management system (ISMS). This implies delivering action plans as part of a plan-do-check-act continuous improvement process.

It also regularly evaluates the maturity of the ISMS controls through audits. When a control becomes mature enough, it becomes part of the organisation's security baseline and no longer needs to be evaluated in each individual project where it is required.

Therefore, it may be filtered out of subsequent ISDP concepts, reducing the information security and data privacy effort needed in future projects.

Allowing security teams to provide concrete support to IT projects with moderate effort constitutes a paradigm shift in the positioning of the security function: it moves from a pure supervision role towards a more operational one, delivering concrete assistance to project managers and working closely with them. Applying this methodology allows efficient, pragmatic information security and data privacy management.
