Answer yes if you include information security in your planning and delivery of projects (for example, by conducting a security risk assessment of each project and implementing project controls).
What is it?
Any new project can introduce new risks or change the risk landscape within an organisation. It is therefore important for those responsible for information security to be involved, so that they can guide the project towards good security practice, be aware of the project and of how the organisation's risks may change as a result, and plan for any additional or changed controls.
Failing to involve security can allow dangerous levels of risk to be introduced by projects. Dealing with risks retroactively, after the project is delivered, is almost always far more expensive and less effective.
Why should I have it?
Implementing security as early as possible in a project helps ensure a secure outcome, which in turn improves the security and quality of your products and services.
This not only improves the security of your platforms, services, and products, but also gives customers assurance that your products have been engineered with security in mind, and that information shared with you or stored or processed on your platforms is safe.
The business should support information security involvement in projects; the best way to achieve this is a formal requirement to do so from senior management. It is one of the key tenets of sustainable information security.
It is recommended that this level of support be achieved by prescribing it explicitly in an executive charter (or a similar document that formally sets out the overall security function in your organisation), signed off at the most senior levels of your organisation.
Once approved at senior management level, the security organisation must work with the PMO (project management office) or your equivalent to create project frameworks and processes that include security input and approval gates as needed.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.