I have participated in numerous security conferences in recent years, and at every one I hear how important information security is during the planning and requirements-analysis phase of the Software Development Life Cycle (SDLC). I agree; this is very important.
But there is one related issue that gets much less attention: the need to ensure that a security review is carried out in the early stages of any business project that could have an impact on security, privacy, or compliance.
Many corporate projects fail or face significant setbacks because the security team has no visibility into the project details, or is not given time to provide input or guidance. I believe it is important to conduct a security review of every corporate project within an organization. Here I share a process for including this review that has worked for me in the past.
Project initiation phase
The Project Management Institute (PMI) framework that many project managers use today consists of five phases (process groups). They are:
1. Initiating
2. Planning
3. Executing
4. Monitoring and Controlling
5. Closing
In the project initiation phase, the project charter is created and the scope, business goals, objectives, feasibility assessment, stakeholder identification and any vendor selection are worked out. These activities are typically revisited throughout a project to ensure that it stays within its original scope and vision. This phase is critical to the success of a project.
It is important for companies to consider security for all company projects during the project initiation phase.
I have observed that many project teams only consider security once the project is essentially complete. Often the security team does not learn the details of a project until a change control meeting is held to approve the changes it requires to the production environment.
Involving the security team this late is risky: the organization may find that the project's changes do not survive an audit, or that they open security holes. The result is rework of project tasks or costly changes to the environment to restore compliance and security.
Security review
To reduce the likelihood of security or compliance issues in later phases of the project, or after it ends, companies should consider creating a security review questionnaire that must be completed before a project moves from initiation into the planning or execution phase. A security review questionnaire helps ensure that every factor affecting security, privacy or compliance is considered before the project advances to the next phase.
The security review questionnaire consists of security and compliance questions, written by the security team, that the project manager or members of the project team must answer. There should be different questions for different project categories.
For example, one questionnaire can be created for opening a new office and a separate one for expanding an existing office. Different questions should be asked when a new application is brought into the environment, and further questions when a new cloud environment is introduced.
Having these tailored security review questionnaires for each project category makes the process less time consuming for the project team to follow, and the organization can run it more smoothly.
One size does not fit all when it comes to security questions, and you do not want a long checklist where 90% of the questions do not apply to the project team's work. That leads the team to see the process as irrelevant and try to bypass it.
Here are some examples of questions that might be included in a security review questionnaire for a new application deployment:
• Does this application or tool need an internet connection?
• Does this application store or process confidential information (PHI, PII, proprietary information, etc.)?
• Do third-party providers need access to this application? What level of access do they need?
• Who will have access to this application, as administrators and as users?
• Which compliance or regulatory requirements does this application fall under?
• Is it an open source, commercial off-the-shelf, or custom-developed application?
• Where will this application be deployed (which network segment or cloud environment)?
• Does this application require vulnerability scanning? At what depth, and how often?
• Will customers have direct access to this application? What level of access will they have?
CIS Controls and regulatory requirements in the checklist
The Center for Internet Security (CIS) Controls, known at the time as the CIS Top 20 Critical Security Controls, give a detailed picture of what an organization should do to defend itself against threats. They cover areas such as security awareness training, hardware and software inventory, data recovery, vulnerability management and boundary defense. Each of the twenty controls is broken down into sub-controls that provide even greater granularity. Many organizations use these controls to measure the maturity of their security program.
Using the twenty CIS controls as the basis for the security review questions is very helpful. By writing a set of questions for each CIS control and assigning those sets to the project categories they apply to, the questionnaire becomes more relevant to each specific project.
For example, a project involving a major application version upgrade maps to the CIS controls Continuous Vulnerability Management, Application Software Security, and Penetration Tests and Red Team Exercises. The sub-controls under these form your baseline list of questions, and you can add organization-specific questions from there.
It is also important to include the relevant regulatory compliance requirements in your questions.
The European Union's General Data Protection Regulation (GDPR) applies to any project that processes personal data of people in the EU, which includes a growing number of e-commerce projects that collect user data, and it places stringent requirements on organizations. Project managers and security professionals working on such projects need to be aware of these legal requirements to avoid fines or data exposure. Any project that collects data covered by the regulation should be reviewed by security to confirm compliance.
Another example: if an organization is subject to a PCI DSS Level 1 assessment, the security questions could focus on whether the project touches cardholder data and therefore falls within PCI DSS scope. The point is that the questions in a security review should be tailored to the security and compliance concerns of the individual organization and the specific project.
Security team sign-off
After the project team has completed the questionnaire, the security team should review it. The two teams should then work together to resolve any inconsistencies or open points. The security team now has the information it needs to provide valuable input and to ensure that appropriate security controls are put in place throughout the project. This is also the right time to identify whether new security technology or features are needed, or whether existing security processes and procedures must change.
Each completed questionnaire should be reviewed and signed off by the security team, and the project manager should list this sign-off as a required task in the project plan.
This gives the security team visibility into the changes a project requires at an early stage, and it is a valuable tool for addressing a weakness or compliance gap as early as possible. It also keeps the security team from being seen as an obstacle at the end of a project and instead positions it as a collaborative participant working toward the project's success.
The security team should review the questions at least quarterly to ensure they are still relevant to the project categories they are applied to. This matters because the threat and compliance landscapes change constantly, and the information the questionnaire gathers must keep pace with them.
Project management training
Project managers should be trained in the basic concepts of application security and in the steps required to complete a security review questionnaire. This training should be ongoing and should highlight the potential negative consequences of leaving security vulnerabilities unaddressed in application development.
This helps project managers support the new process and encourages them to contribute to getting the security questionnaire completed correctly.
A security review built into project management workflows should be a consistent step in the early stages of every business project. This proactive, systematic approach requires more time and resources up front, but it gives the organization a clearer understanding of the security challenges it may face in the later planning, execution, or closing phases of a project.
The approach can also help justify investment in specific security solutions. It is important that the process be straightforward and easy to follow, and that everyone understands how it lowers costs and reduces the risks and vulnerabilities that changes to the environment introduce.