
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Chapter 4

Project Processes


Objectives

  • Understand the purpose and benefit of processes in the project processes area

  • Structure and run an effective project planning process

  • Conduct effective, ongoing risk management

  • Control critical project activities such as configuration management and knowledge management


Overview of Project Processes

  • The project processes involve all the control activities that ensure ICT work meets business, technology, and assurance goals

    • Control: a specific action or actions taken to ensure a desired outcome

  • Project management: oversees the organization’s ICT acquisition, development, and sustainment processes

    • Enforces the ICT policies and procedures

    • Ensures effective coordination and control of the organization’s everyday work practices


Defining and Coordinating the Project

  • Project management involves defining and deploying a fully integrated set of activities to achieve a given purpose

  • Project definition and subsequent coordination ensure the efficient use of resources

  • A project management plan defines the requisite activities and tasks for each project

    • The plan should always consist of concrete specifications of the work to be done

    • The plan is typically reviewed and refined over time


Defining and Coordinating the Project

  • The project manager is the person who writes the plan

  • The plan specifies the major elements of the project during the planning period

    • As well as the organizational resources allocated to support each element

  • Strategic planning process: a set of rational activities that an organization undertakes to accomplish its long-range goals

  • Project activities are planned, documented, evaluated, and adjusted when necessary


Building the Project Team

  • Project teams are typically composed of an integrated mix of business and information technology (IT) workers

  • Questions to ask when building a team:

    • What is the precise mission of the team?

    • What organizational competencies are required to achieve that mission?

    • Are those competencies available for the particular project?

  • Capability: the level of assessed competence of a process


Organizing the Project

  • Failure to satisfy the business purpose is a frequent cause of overall project failure

  • The planned involvement of business stakeholders ensures that all points of view are represented in the final product

  • Differences must be resolved for projects to move forward

  • It is a challenge to incorporate everyone’s vision and capabilities into project planning

    • Following the project process of the 12207 standard ensures best practice


The Project Processes of ISO 12207-2008

  • The 12207 standard presents the processes in a logical order

    • Ranging from general best practices for planning, assessment, and implementation to specific project management and control practices

  • The project planning process establishes the generic management function for the given project

  • The project assessment and control area deals with all related implementation concerns

  • Figure 4-1 on the following slide shows the relationship of these process areas


The Project Planning Process (6.3.1)

  • The overall goal of project planning is to develop an effective and realistic set of plans for the conduct of the project

    • Decides the scope and purpose of the project as well as the timeline and activities involved

  • The project planning process is responsible for describing the scope of work to be done and evaluating whether the work can be carried out with available resources and known constraints

    • Seeks to ensure proper alignment between project goals and reality


Project Initiation

  • First step in the project planning process is to establish the scope of the project

    • Includes defining objectives, motivations, and boundaries

  • Boundary: a perimeter that incorporates all items to be secured

  • Managers can then establish the feasibility of the project by confirming that all required personnel, materials, and technology are available

    • And that the project can be completed on time


Project Initiation

  • Project initiation involves ensuring that the actions of all participants are correctly aligned and coordinated with the achievement of project goals

  • The initiation activity must ensure that the project’s day-to-day activities and tasks are specified with appropriate detail

  • Project initiation must assure that adequate lines of communication have been established among all participants to guarantee effective cooperation


Project Planning

  • Plans usually include:

    • Schedules, milestones, time and resource estimates, and the assignment of roles, responsibilities, and work tasks

  • Might also include:

    • A detailed risk estimate for each activity and task

    • Lifecycle measures to assess the quality and security of each product and process

  • Security: confidence that a given approach will produce dependable and intended outcomes


Project Authorization and Launch

  • After receiving the appropriate authorization from other managers

    • The project manager takes steps to launch the project

  • Projects are established by the creation of a customized management process that establishes:

    • Visibility

    • Management control over project activities


The Project Assessment and Control Process (6.3.2)

  • The project assessment and control process ensures that events are on schedule, on budget, and fulfill the technical objectives laid out in the project plan

  • Quantitative data can be used to evaluate the options and implications of a decision

  • Managers cannot exercise control over projects unless they have an objective means of evaluating how well a project is going

    • Ability to obtain good measurement data is essential


The Project Assessment and Control Process (6.3.2)

  • By collecting standard project performance data, managers can ensure projects run appropriately and within budget

    • Project performance measures should be defined and instituted to support quantitative decision making

  • Performance data can also help identify emerging problems so that managers can judge potential risks and rewards of making further investments in an ongoing project

    • Based on reliable corporate benchmarks


The Project Assessment and Control Process (6.3.2)

  • Many different quantitative measures exist, including basic production metrics such as:

    • Project productivity measured in lines of code (LOC) or function points (FP)

  • The ISO 9126 standard also outlines metrics that consider the functionality, reliability, usability, efficiency, maintainability, and portability of the product under development


The Project Assessment and Control Activities

  • The aim of project assessment and control is to ensure that project objectives are successfully achieved and properly recorded

  • This process ensures:

    • Progress is monitored and reported

    • Interfaces between project elements are properly monitored

    • That managers can correct deviations from the project plan and prevent them from recurring


Project Monitoring

  • Project monitoring is the first formal activity

  • Ensures the:

    • Project is executed correctly

    • Outcomes of monitoring are reported to all internal and external project stakeholders

  • Project monitoring must account for the status of interfaces between internal project elements and outside interfaces with other relevant projects


Project Control

  • Managers must monitor a project in order to control it

    • Monitoring and control are closely associated

  • To enforce proper project control

    • The project manager must be able to investigate, analyze, and resolve any deviations from the project’s planned course of action

  • The impact from any deviation must be evaluated, authorized, and monitored

  • Routine reporting ensures general management oversight


Project Assessment

  • Formal assessment activities during ICT product development are an essential part of good management practice

  • Goal is to ensure that the work continues to run correctly from beginning to end of a project

  • Systematic assessments assure the ICT product requirements and the project’s ongoing activities satisfy the plan’s objectives

  • Assessment results can be used to establish steps that prevent future problems


Project Closure

  • Projects must be formally terminated

    • To avoid wasted resources

  • Reasons a formal termination procedure is necessary:

    • An organization must document that all ICT development activities have been completed as contracted

    • Project data has to be archived to preserve a history of the project

  • Lessons learned from previous projects can help in planning similar efforts in the future


The Decision Management Process (6.3.3)

  • Decision management is a fundamental process of project management

    • Seeks to ensure the best outcome for any concern that arises in the project environment

    • Evaluates all possible directions among a given set of alternatives and chooses the one that provides the likeliest benefit

  • Decision management is initiated by standard operating policies and procedures that are followed when a decision is needed


Decision Management Activities

  • A decision management policy allows managers to make quick and rational decisions about issues that arise in the day-to-day execution of a project

  • Goal is to record, categorize, and promptly report problems and to develop alternative courses of action to resolve those problems

  • With standard policies in place:

    • The project team can ensure decisions made during the project lifecycle are valuable to the organization’s goals


Decision Planning

  • A planning process is the first activity in decision management

    • Involves enumerating and prioritizing all categories of likely decisions

  • In addition to identifying each type of decision:

    • Authorization and responsibilities for making it are assigned to the appropriate decision maker

  • Policies and procedures are selected to guide decisions in each category

    • A formal process is defined to address situations when no policy guidance is available


Decision Analysis

  • Overall aim of decision management is to come up with a decision that leads to the best result

    • Decisions are usually guided by policy

  • If there is no policy:

    • A decision-making strategy or decision protocol must be in place to ensure the right decision is made

  • A decision-making strategy includes functions for gathering information and making trade-offs

    • Allows for the project team to make the best decision from a range of alternatives


Decision Tracking

  • Each decision should be recorded and its outcomes should be tracked, evaluated, and reported

    • Ensures that the decision resolved the problem or led to the desired benefit

    • If not, knowledge gained can provide guidance

  • To track a decision:

    • Records of problems and decisions must be kept

    • Actions associated with the decision must be monitored through reviews, inspections, or audits


The Risk Management Process (6.3.4)

  • Risk management: a set of formal organizational processes that are designed to respond appropriately to any identified adverse event

    • Applies to all types of lifecycle activity

  • Goal is to identify, analyze, treat, and monitor all active and latent risks in the project

  • Threat: an adversarial action that could produce harm or an undesirable outcome

  • Threat assessment ensures that all project risks are identified and categorized


The Risk Management Process (6.3.4)

  • Risk analysis: the assessment of the overall likelihood and impact of a threat

  • Organizations must institute a targeted risk analysis function

    • Which facilitates qualitative and quantitative analyses of any newly identified or emerging risk event

  • Once a risk analysis function has been established

    • The organization must specify formal responses to correctly address all meaningful risks as they occur


Risk Management Activities

  • To determine the scope of the process, organizations must answer two questions:

    • What is the likelihood that each identified risk will occur?

    • What is its anticipated impact?

  • Answers are normally expressed as an estimate of loss, harm, failure, or danger for each risk

  • After scope is determined, risk management policies are defined and implemented

    • Organizations should set priorities for applying the resources needed to mitigate each risk


Risk Management Planning

  • Risk management planning goal:

    • To identify critical risks and then create and maintain an effective set of formal steps to manage each risk

  • Risk management planning helps an organization assign specific roles and responsibilities for the risk management function

  • The plan should describe the process for evaluating and improving overall risk management

    • Including how to use lessons learned

  • Acceptable risk: a situation in which the likelihood or impact of an adverse occurrence can be justified


Risk Profile Management

  • Risk profile management establishes a link between the risk management process and the project’s environment

    • By recording specific information for the state of each risk and its probability, consequences, and risk thresholds

  • Provides explicit policy guidance

    • Priorities established by the risk profile determine the application of resources for treatment

  • Risk thresholds dictate the conditions under which an organization may accept a level of risk


Risk Analysis

  • Risk analysis: information-gathering function that focuses on understanding the nature of risks

    • Documents mitigation strategies for every risk that surpasses its threshold

    • Defines measures for evaluating potential mitigation

  • Risk analysis ensures the most efficient use of security resources

  • Likelihood of occurrence: an assessment of the probability that an event will occur

  • Anticipated impacts are normally expressed as an estimate of loss, harm, failure, or danger


Risk Treatment

  • Risk treatment develops solutions for identified risks

  • The scope of coverage and the required level of assurance are primary influences that define this context

  • Roles and responsibilities have to be defined to carry out the actions necessary to mitigate risks

    • Establishes accountability

  • Each risk has to be categorized by priority to allow for decisions regarding resource allocation


Risk Monitoring

  • Risk monitoring tells decision makers whether risk management objectives are being achieved

    • And whether risk control performance is in line with expectations

  • Qualitative analysis is useful in determining priorities

    • One of the main purposes of risk monitoring

    • Expressed through a set of nominal values, such as high, medium, and low

  • A blend of quantitative and qualitative measures is often used to monitor risk
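The likelihood-and-impact method of the Risk Profile Management, Risk Analysis and Risk Monitoring slides above, as an added worked example that is not part of the original presentation or the book: a small risk register that scores exposure as likelihood times impact, maps it to the high/medium/low bands the slides mention, flags risks over their threshold with no documented treatment, and logs monitoring updates. The 1..5 scales, band boundaries, thresholds and register entries are constructed assumptions, not values from the book.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Qualitative bands over the exposure score (likelihood x impact, each 1..5):
# (label, minimum exposure), checked highest first. Assumed boundaries.
BANDS = (("high", 15), ("medium", 8), ("low", 1))


def _check_scale(name: str, label: str, value: int) -> None:
    """Reject estimates outside the assumed 1..5 scale before they enter the register."""
    if not 1 <= value <= 5:
        raise ValueError(f"{name}: {label} must be in 1..5, got {value}")


@dataclass
class Risk:
    name: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe); estimate of loss or harm
    threshold: int                   # exposure above which treatment is mandatory
    treatment: Optional[str] = None  # documented mitigation strategy, if any
    history: List[dict] = field(default_factory=list)  # monitoring record

    def __post_init__(self) -> None:
        _check_scale(self.name, "likelihood", self.likelihood)
        _check_scale(self.name, "impact", self.impact)

    @property
    def exposure(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        for label, floor in BANDS:
            if self.exposure >= floor:
                return label
        return "low"

    def exceeds_threshold(self) -> bool:
        return self.exposure > self.threshold


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest exposure first; ties broken by name so reports are stable."""
    return sorted(risks, key=lambda r: (-r.exposure, r.name))


def missing_treatments(risks: List[Risk]) -> List[str]:
    """Risks over their threshold that have no mitigation strategy documented."""
    return [r.name for r in prioritize(risks)
            if r.exceeds_threshold() and not r.treatment]


def update(risk: Risk, likelihood: int, impact: int, note: str = "") -> bool:
    """Monitoring: re-estimate a risk, log the event, report whether it crossed its threshold."""
    _check_scale(risk.name, "likelihood", likelihood)
    _check_scale(risk.name, "impact", impact)
    before = risk.exceeds_threshold()
    risk.likelihood, risk.impact = likelihood, impact
    crossed = risk.exceeds_threshold() != before
    risk.history.append({"likelihood": likelihood, "impact": impact,
                         "exposure": risk.exposure, "band": risk.band,
                         "crossed_threshold": crossed, "note": note})
    return crossed


def sample_register() -> List[Risk]:
    """Constructed register; names and numbers are illustrative only."""
    return [
        Risk("unpatched-vpn-gateway", 4, 5, 12, treatment="patch window scheduled"),
        Risk("vendor-delivery-slip", 3, 2, 8),
        Risk("signing-key-rotation-lapse", 3, 3, 8),
    ]


def report(risks: List[Risk]) -> List[str]:
    """One line per risk in priority order, for the periodic review."""
    return [f"{r.name}: exposure={r.exposure} band={r.band} "
            f"over_threshold={r.exceeds_threshold()} treatment={r.treatment or 'NONE'}"
            for r in prioritize(risks)]


if __name__ == "__main__":
    reg = sample_register()
    print("\n".join(report(reg)))
    print("needs treatment:", missing_treatments(reg))
```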


Risk Management Evaluation

  • Information should be collected throughout the project lifecycle to help improve risk management

  • Data includes identified risks, their sources, their causes, their treatment, and the success of selected treatments

  • An important element of risk management is a series of periodic reviews

  • Two types of review are commonly used:

    • Time-based: occur at regular intervals

    • Event-based: capture information about a particular aspect of the risk management process


The Configuration Management Process

  • Configuration management: a formal process to ensure the continuing status of ICT products

    • To ensure the status of every meaningful item in an ICT product is documented and known at all times

  • Goal: to establish and maintain the integrity of all project components by placing them under formal decision making and oversight control

  • Configuration management serves as the basis to measure quality by confirming the integrity of changes and ensuring they are verified as correct


Configuration Management Planning

  • A configuration management strategy must be planned for each project

    • Describes how configuration baselines are established, maintained, and archived for a project

    • Specifies which staff have the right to authorize, access, and reintegrate changes to baseline items

    • Must also specify the level of integrity, security, and safety for each baseline as well as storage medium

  • Once established, the project manager must specify which items are subject to configuration control (known as identification)


Configuration Management Execution

  • The recording, retrieval, and maintenance of current and preceding configurations should be kept under management control to:

    • Assure correctness, timeliness, integrity, and security

  • A project baseline represents the status of the project at a fixed point in time or circumstance

  • Once the project baseline is established, any changes are described in the configuration record and maintained throughout the system lifecycle

    • Audits may be performed as needed
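The baseline, configuration record and audit steps of the Configuration Management Planning and Execution slides above, as an added example that is not the book's or the presentation's own code: it identifies controlled items, records a SHA-256 baseline, archives it, and audits the current state against it, treating any difference without a matching change record as an unauthorized change. The directory layout, file names and change-record id are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large artifacts are handled."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> Dict[str, str]:
    """Identification: every file under root becomes a controlled item keyed by relative path."""
    return {p.relative_to(root).as_posix(): digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: Dict[str, str], store: Path) -> None:
    """Archive the baseline as a configuration record (sorted keys keep diffs readable)."""
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> Dict[str, str]:
    return json.loads(store.read_text())


def audit(root: Path, baseline: Dict[str, str], approved: Dict[str, str]) -> List[dict]:
    """Compare the current state with the baseline; every difference is a finding.

    approved maps item path -> change record id for changes the CM authority signed off;
    a finding with no record is an unauthorized change to a baseline item.
    """
    current = take_baseline(root)
    findings = []
    for item in sorted(set(baseline) | set(current)):
        if item not in current:
            change = "removed"
        elif item not in baseline:
            change = "added"
        elif current[item] != baseline[item]:
            change = "modified"
        else:
            continue  # unchanged: integrity confirmed
        findings.append({"item": item, "change": change,
                         "authorized": item in approved,
                         "record": approved.get(item)})
    return findings


def run_demo() -> List[dict]:
    """Constructed scenario: establish a baseline, then apply one approved and one unapproved change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "project"
        (root / "src").mkdir(parents=True)
        (root / "config").mkdir()
        (root / "src" / "app.py").write_text("print('v1')\n")
        (root / "config" / "app.yaml").write_text("debug: false\n")
        store = Path(tmp) / "baseline-v1.json"
        save_baseline(take_baseline(root), store)  # baseline established and archived
        # Approved change: covered by hypothetical change record CR-17.
        (root / "config" / "app.yaml").write_text("debug: true\n")
        # Unapproved change: a new item appears with no change record at all.
        (root / "src" / "extra.py").write_text("pass\n")
        return audit(root, load_baseline(store), {"config/app.yaml": "CR-17"})


if __name__ == "__main__":
    for f in run_demo():
        status = "OK" if f["authorized"] else "UNAUTHORIZED"
        print(f"{status:12} {f['change']:8} {f['item']} record={f['record']}")
```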


The Information Management Process (6.3.6)

  • The information management process is a formal function that records and maintains information needed to manage a project over its lifecycle

    • Generates, collects, transforms, retains, retrieves, disseminates, and disposes of all necessary project information

  • Goal is to provide relevant, timely, complete, and valid information to decision makers

  • Ensures the form and content of all project information is proper and correct


Information Management Planning

  • The organization must identify and classify all relevant information and designate which media to use to capture and store information

  • The plan must specify the exact procedure used to capture the data kept for each information item

    • Must stipulate how each item under information management control is developed, inspected, and modified

  • Information management defines the rights, obligations, and commitments of designated parties for retaining and transmitting information


Information Management Planning

  • Information management planning also defines individual access rights for each information item under its control

  • Other primary drivers of information management planning are:

    • Legal

    • Security

    • Privacy


Information Management Execution

  • Once the plan is complete and all responsibilities are assigned:

    • The project team begins to capture and retain the information identified in the plan

  • Stored records are maintained according to integrity, security, and privacy requirements established by the planning function

  • Information can more easily be distributed to all authorized parties by request, by scheduled agreement, or by defined circumstances


Information Management Execution

  • To ensure availability:

    • The medium, location, and protection of information must be ensured and must be compatible with all storage and retrieval requirements

  • Information management ensures that arrangements are in place to retain necessary documentation after a project ends


The Measurement Process (6.3.7)

  • The purpose of the measurement process is to collect, analyze, and report data for an organization’s products and processes

    • To ensure effective management of processes and to objectively demonstrate product quality

    • Also ensures all measurement activities are defined

  • Ensuring consistency of data is important because managers use it to make decisions about all types of project activity


Measurement Planning

  • Measurement planning involves the establishment of a standard schedule for each assessment and a defined process for collecting and reporting results

  • Project measurement uses a defined set of criteria to evaluate the performance of project functions

  • Outcome of the planning process must be a set of measures for judging elements of a project’s performance

    • Such as timeliness, security, and fiscal responsibility

  • Decision makers use information to review and approve resources for each task


Measurement Performance

  • The first step in implementing a project measurement process is to develop a formal means of recording relevant data about events in the organization’s environment

  • The project needs to install procedures for data generation, collection, analysis, and reporting within the relevant project processes

  • Project measurement involves the collection, storage, and verification of data


Measurement Evaluation

  • Measurement evaluation assesses the project and its measurement process

    • Achieved through benchmark comparisons

  • Benchmarks capture and record the performance of a target process over time

  • First step in creating a metrics program based on benchmarks:

    • To confirm all elements of the project measurement function have been evaluated and documented at a certain point in time


Measurement Evaluation

  • Documentation should include an overall statement about the standard assessment mechanism for each element under project management control

    • Should also include a generic testing and review plan to ensure that procedures retain their effectiveness

  • Once the organization understands the status of all activities:

    • It can track the performance of the measurement process against prior assessments

  • Ensures long-term effectiveness of measurements


Summary

  • Project management ensures alignment of ICT work with an organization’s goals

  • Project management integrates a range of management perspectives as well as coordinates and controls all related functions to do the work of an ICT project

  • Project management plans achieve a logically related set of management objectives

  • Assessment data supports good decisions, but it is important to know how to provide the proper data to the right people


Summary

  • Risk management is essentially built around formal processes to provide information about risk to decision makers

  • Every risk process must be designed to fit its specific environment

  • Configuration management is built around maintaining baselines composed of relevant elements of the project or product
