Project Security Top Ten
This list is a cheat sheet for any project manager who wants to run their projects securely. Applying these tips also helps keep projects on time, on budget and to specification, because security issues found late are the ones that cause rework.
1. Include at least one person on every project with a strong security skill set. This is critical to identifying security risks early in the project. If no such person is available, document this as a project risk and forward it to your project sponsor.
2. Involve security personnel early in the project development lifecycle. The best time to address security is before a risk is built into the solution. It is quicker and cheaper to address security before a widget is built than to retrofit it after it is in production.
3. Document formal roles and responsibilities for everyone involved in the project. Since security touches every aspect of the project, this lets the security personnel know whom to talk to when they need more information or have questions. It also lets the rest of the team understand the role of the security personnel on the project.
4. Fully document all the business, functional, and technical requirements for every project. You cannot secure something unless you know what it is. Documented requirements let security personnel understand what you are building so they can help you secure it.
5. Build security requirements into your overall requirements framework so that they are tracked, tested and signed off like any other requirement. This helps ensure the solution is built securely from the start rather than patched afterwards.
6. Involve security personnel in solution design meetings. They can often propose alternative design options that avoid the security issues a particular configuration would introduce.
7. Take the time to understand the security policies, standards, procedures, and guidelines in force at your organization. A strong understanding of these rules will enable you to spot quickly anything in your project that goes against policy. Raising such issues early, rather than having them discovered after the fact, will keep you in the good graces of the security office.
8. Identify and document security risks early and push the accountability for them up to your project sponsor. It is not your job to be accountable for the security risks of your solution; it is your job to identify those risks and communicate them to the sponsor so that they can be accepted, mitigated or escalated at the right level.
9. Use security checklists to speed up the security review process on your projects. Such checklists can often be provided by the security office at your organization. If you do not have one, send us an e-mail and we can provide some for you.
10. Do not be afraid to use the resources of the security office at your organization. Security personnel are used to being treated like the police, so they will welcome a project manager who takes a proactive approach to working with them. Additionally, in organizations with multiple business units but a single security office, the security team has probably already seen a project like yours in another business unit and can often provide valuable insights.