A project produces a lot of the information hackers want: concepts, architecture, technologies used, processes, organization, security levels and directives are gold for them. Some of this information is very sensitive and can compromise the solution. Imagine the following scenario: the White House opens a project for a new-generation Air Force One, and there is no security in the project. The plans of the plane end up on the Internet black market, and Air Force One becomes vulnerable and an easy, favorite target.
The goal of security is to classify information and protect it at the right security level against leaking and destruction. Information can be a document, a mail, a recording (audio or video), minutes, a project directory, photos, etc. Since projects produce a lot of information, security starts at that point.
It is up to each company to identify the right number of security levels needed and to implement the security policies in the project. Security in the project impacts recruitment, the organization, the processes, the communication channels, the Project Information System, rights management, i.e. the culture of the company. All of this should be described in the Project Security Management Plan (PSMP). The PSMP is not tied to a particular project but to a class of projects. It proves that the company integrates security into its culture, and so the PSMP becomes an input during an audit.
It also becomes interesting for a provider company to attach the PSMP to bid answers as an annex, to show its clients that security is now a reality in the company.
Each level of security should be defined against a risk. The cost of a security policy must be less than the cost of the risk if it occurs. So the level of security can go from “unclassified” to “Top Secret” [1].
Regarding the PMP, security is transversal and affects some of the knowledge areas. So each level of security should be declined into the following PMP knowledge areas. Here are some questions that should be asked when designing the project.
Project Human Resource Management
- Does the position need a clearance? Which one?
- Are there exclusion criteria? For example, is American citizenship needed?
Project Communication Management
- Given the information and who exchanges it, should it be encrypted?
- If so, with which tools? Only the attachment or the whole mail?
- Which category of people can see which information? And why? Can this category of people change the information (write access) or only read it? Can they forward it? To whom?
Project Risk management
- Do I have threats or vulnerabilities on my project? Which ones?
Project Procurement Management
- Which level of project security does the provider have?
- Is that level enough regarding our rules?
- How do we exchange information with them in a secure way? Through which interface? Theirs, ours?
- Who is their Project Security Officer? Do they have one?
Project Stakeholder Management
- Does the identified stakeholder have the right clearance to receive communication and information about the project?
- Which information and communication about the project can a stakeholder receive?
- Is a stakeholder a security threat to the project?
Project Scope Management
Another point should be brought on board on this subject: the Project Information System (PIS). The PIS centralizes and concentrates almost all the information about the project. It is a target for hackers who want information on the deliverables. Here too, some questions should be asked:
- Should I use the company's IS or one specific to the project?
- Should I encrypt files? If so, which ones?
- Who can access the PIS, a specific directory or a file?
- Are my backups encrypted? Where are they stored?
- Do I have a rights management plan? Adequate processes to manage rights?
On the other side, the PIS should be structured so that rights management is easy to apply, and profiles should be defined to apply Role-Based Access Control. Processes should also be defined and implemented to turn these rights on or off.
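The following is an added illustration, not code from the original article, of what the rights model for a PIS described above can look like: roles (profiles) carry a clearance level and per-directory read/write/forward rights, users are granted roles rather than individual rights, and a single operation turns a right on or off for a whole role. The clearance scale, the class and function names (PisAccessControl, build_demo) and the sample users, roles and files are all assumptions made for the example.

```python
"""Minimal role-based access control for a Project Information System (PIS).

Added example, not from the original article. Every decision is default-deny:
a user is allowed an action only if one of the roles they currently hold has a
clearance at or above the resource's classification AND that role grants the
requested right in the resource's directory.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    # Clearance scale assumed for the example, ordered so a higher clearance
    # may access lower classifications, never the reverse.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


RIGHTS = frozenset({"read", "write", "forward"})


@dataclass
class Role:
    name: str
    clearance: Level
    rights: dict = field(default_factory=dict)  # directory -> set of rights


@dataclass(frozen=True)
class Resource:
    directory: str
    name: str
    level: Level


class PisAccessControl:
    def __init__(self):
        self.roles: dict[str, Role] = {}
        self.assignments: dict[str, set[str]] = {}  # user -> role names
        self.decisions: list[tuple] = []  # audit trail of every check

    def define_role(self, name, clearance, rights):
        for granted in rights.values():
            unknown = set(granted) - RIGHTS
            if unknown:
                raise ValueError(f"unknown rights {sorted(unknown)}")
        self.roles[name] = Role(name, clearance,
                                {d: set(r) for d, r in rights.items()})

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(role)
        self.assignments.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        # Off-boarding a user from a role removes every right it carried.
        self.assignments.get(user, set()).discard(role)

    def set_right(self, role, directory, right, enabled):
        # The "turn on or off" process: toggle one right on one role.
        if right not in RIGHTS:
            raise ValueError(right)
        bucket = self.roles[role].rights.setdefault(directory, set())
        if enabled:
            bucket.add(right)
        else:
            bucket.discard(right)

    def is_allowed(self, user, resource, right):
        allowed = False
        for role_name in self.assignments.get(user, set()):
            role = self.roles[role_name]
            if role.clearance < resource.level:
                continue  # clearance too low, whatever the directory says
            granted = role.rights.get(resource.directory, set())
            if right == "forward" and "read" not in granted:
                continue  # nobody may forward what they may not read
            if right in granted:
                allowed = True
                break
        self.decisions.append(
            (user, resource.directory, resource.name, right, allowed))
        return allowed


# Constructed sample data (assumed for the example, not from the article).
PLANS = Resource("plans", "architecture.pdf", Level.SECRET)
CONTRACT = Resource("procurement", "supplier-contract.docx", Level.CONFIDENTIAL)


def build_demo():
    ac = PisAccessControl()
    ac.define_role("architect", Level.SECRET,
                   {"plans": {"read", "write", "forward"},
                    "procurement": {"read"}})
    ac.define_role("vendor_liaison", Level.CONFIDENTIAL,
                   {"procurement": {"read", "write"}})
    ac.assign("alice", "architect")
    ac.assign("bob", "vendor_liaison")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print("alice reads plans:", ac.is_allowed("alice", PLANS, "read"))
    print("bob reads plans:", ac.is_allowed("bob", PLANS, "read"))
    ac.set_right("architect", "plans", "write", False)
    print("alice writes plans:", ac.is_allowed("alice", PLANS, "write"))
```

The audit trail in `decisions` is what feeds the security dashboard and indicators the PSO is asked to produce; a denied check on a directory the user has no business in is exactly the kind of signal worth reviewing.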
Backups of the PIS must be integrated into the security perimeter with theft in mind. They can be the weak link. Their encryption is their only protection against theft, so this option should be decided.
All of this should be managed by a new position: the Project Security Officer (PSO). The PSO is a member of the project. Depending on the size of the project it can be a role held by a team member, but it cannot be the project manager: security and project steering should be able to challenge each other.
The missions of the Project Security Officer are the following:
- Check that the security policies are applied,
- Make each member of the project team aware of the security policies and the cyber threats,
- Produce the security dashboard and security indicators,
- Identify security risks and manage them,
- Identify security incidents and manage them,
- Support the team on security matters,
- Report to the CISO of the company.
Security is no longer a dream or an option in a project. It is now a reality. It must be taken into consideration in every project to be sure not to have bad surprises (especially on the dark web) and see our efforts ruined… in a second.
[1] Security Clearances - United States Department of State