InfoSec Reviews in Project Management Workflows

I have attended numerous security conferences over the past several years, and at each one, I repeatedly hear about the importance of incorporating information security within the project management planning and requirements analysis phases of the software development life cycle (SDLC). I agree – this is very important.

But there’s one topic that does not get as much attention: the need to ensure that a security review is incorporated during the early phases of all enterprise projects that could have a potential security, privacy or compliance impact.

Many enterprise projects fail or face significant setbacks because the security team lacks visibility into the project’s details, or they’re not given time to provide input or direction. I believe it’s important to complete a security review for all enterprise projects within an organization. I’ll share a process for incorporating this review that has worked for me in the past.

Project Initiation Phase

The Project Management Institute (PMI) framework that many project managers use today consists of five phases (process groups). They are:

1. Initiation
2. Planning
3. Execution
4. Monitoring and Controlling
5. Closing

The project initiation phase is where vendor selection, scope details, business objectives and goals, the project feasibility evaluation, stakeholder identification and the project charter are produced. These activities are typically revisited throughout a project as an ongoing effort to ensure the project remains within its initial scope and vision. This phase is critical to the success of a project.

It is essential for organizations to incorporate security during the project initiation phase for all enterprise projects.

I have observed many project teams take security into consideration only after the project has ended; often, too, the security team isn’t aware of the details of the project until a change control meeting takes place to approve the required changes to a production environment.

Waiting this long to involve the security team is risky, because organizations can find that the project’s changes will not survive an audit, or that they introduce security vulnerabilities. Teams may then have to rework project tasks, or make costly changes to their environment to restore compliance and security.

Security Review

To reduce the likelihood of security or compliance problems at later phases of project management, or after a project ends, organizations should consider creating a security review questionnaire that must be completed before any project moves forward to the planning or execution phases of project management. A security review questionnaire can help ensure that all factors that impact the security, privacy or compliance of the environment are considered before moving on to the next phase of the project.

The security review questionnaire consists of security and compliance questions, created by the security team, that the project manager or project team members are required to answer. There should be different questions for different project categories.

For example, a separate questionnaire can be created for opening a new office versus expanding an existing office. A different set of questions should be asked for incorporating new applications in the environment, and another set of questions for incorporating a new cloud environment.

Having these tailor-made security review questionnaires for different project categories will make it less time-consuming for the project team to follow, and will help the organization adopt this process in a more seamless fashion.

One size does not fit all when it comes to security questions, and you don’t want a long checklist where 90% of the project team’s answers are “not applicable.” A checklist like that leads the project team to ignore the process and consider it irrelevant.

Here are some examples of questions that could be included in a security review questionnaire for a new application deployment:

• Will this application/tool require an Internet connection?
• Is there sensitive information within this application (PHI, PII, company proprietary, etc.)?
• Will third-party vendors require access to this application? What level of access will they require?
• Who will be allowed access to this application (admin and users)?
• What compliance/regulatory requirements does this application fall under?
• Is this an open source, off-the-shelf or custom-coded application?
• Where do you plan to deploy this application within the network/cloud?
• Is security scanning required for this application? What level of scanning is required? How often is this required?
• Will clients have direct access to this application? What level of access will they have?

CIS Top 20 and Regulatory Requirements in the Checklist

The Center for Internet Security (CIS) Top 20 Framework of Controls gives a detailed account of what an organization should do to defend itself against threats. It covers controls such as security awareness, inventory, data recovery, vulnerability management and boundary defense. Each of the twenty controls is then broken down into sub-controls, which provide even more granularity. Many organizations use these controls to measure the maturity level of their security program.

Using the twenty CIS controls as a baseline for creating security review questions is very helpful. Creating a set of questions for each CIS control and mapping those sets to each project category makes the questions more relevant to each specific project.

For example, a project that involves a significant, major application version upgrade may map to the CIS controls for continuous vulnerability management, application software security, and penetration tests and red team exercises. Adherence to those controls would make up your baseline list of questions, and you can build out additional questions from that point.

It is also essential to include key regulatory compliance items in your questions.

The European Union’s GDPR regulations now apply to an increasing number of e-commerce projects that collect users’ data, imposing strict requirements on organizations. All project managers and security professionals working on e-commerce projects need to be aware of these regulatory requirements to avoid punitive fines or data exposure, and any project that collects data falling under these regulations should be reviewed by security to ensure compliance.

As another example, if an organization is subject to a Level 1 Payment Card Industry (PCI) audit, the security questions could map directly to those audit requirements. The point is that questions developed for a security review should be customized to the security and compliance concerns of the individual organization and the specific project.

Security Team Decision

After the questionnaire is completed by the project team, it should be reviewed by the security team. Then, the teams should collaborate to address any inconsistencies. The security team now has the information needed to provide valuable input and ensure that proper security controls are applied during the project. This is also the ideal time to consider procuring new security technologies or features, or modifying existing security processes and procedures.

Every completed questionnaire should be reviewed and signed off on by the security team; the project manager should list this as a required task in the project plan.

This ensures that the security team has visibility into any changes needed in the early stages of a project, and can provide valuable input so that a vulnerability or security loophole is addressed as early as possible. It prevents the security team from being viewed as a roadblock holding up the end of a project, and instead positions it as a collaborative participant who wants to ensure the success of project activities.

The security department should review the questions at least quarterly to ensure that they are still relevant to the category of projects to which they are applied. This is essential, because the threat and compliance landscapes are continually changing, and the information the questionnaire requires must keep pace with those changes.

Project Management Training

Project managers should be trained on the basic concepts of application security, and on the steps required to complete a security review questionnaire. This training should be ongoing, and should emphasize the potential negative outcomes of having security vulnerabilities unaddressed in application development.

This will help project managers support the new process and encourage them to provide valuable input to ensure the security questionnaire is completed accurately.

Implementing a security review in project management workflows should be a consistent process at the early stages of all enterprise projects. While this proactive, systematic approach requires more time and resources, it empowers organizations with a clearer understanding of any security challenges they may face during the later stages of developing, executing or closing projects.

This approach can also aid in justifying investments in specific security solutions. It is essential that this process is straightforward and easy to follow, and that everyone understands how implementing it helps drive costs down and reduce the risk and vulnerabilities introduced by changes in the environment.


Mark Dargin

Mark Dargin is an experienced security and network architect/leader. He has over 20 years of experience designing, managing, and securing complex WAN and LAN infrastructures for large and medium-sized organizations. Mark’s experience includes leading and managing large-scale compliance and risk management initiatives and programs. He is a member of the Michigan Cybersecurity Civilian Corps, a rapid response team of experienced IT security volunteers who assist the state and industries during major cybersecurity incidents. Mark holds a bachelor’s degree in Business Management and Communications from the University of Michigan-Dearborn, a master’s degree in Business Information Technology from Walsh College in Troy, Michigan, and an Advanced Computer Security Certificate from Stanford University. Mark holds various active certifications, including the CISSP (Certified Information Systems Security Professional), PMP (Project Management Professional), GIAC GMON (Continuous Monitoring & Security Operations), GIAC GNFA (Network Forensics Analyst) and many other vendor-related certifications.
