Information Security in Project Management: Information security shall be addressed in project management regardless of the type of the project.
This is a new control in the 2013 version of ISO27001. However, I have my own perspective on this control: in my view, ISO27001:2005 A.6.1.4 (Authorization process for information processing facility) has been broadened into ISO27001:2013 A.6.1.5 (Information security in project management).
| ISO/IEC 27001:2005 | ISO/IEC 27001:2013 |
|---|---|
| A.6.1.4 Authorization process for information processing facility | A.6.1.5 Information security in project management |
While interacting with many people, I have observed a common challenge with respect to this control: "How do we implement it?" This has become a challenge for many security organizations and professionals because the SCOPE has widened from the "End Point" to "Project Management".
Let's start breaking down the jargon:
- Understand what a "PROJECT" is for your organization. If you ask me, simple examples could be:
  - Implementation of DLP, Anti-Virus, Firewall, BYOD or any technology solution
  - Buying a new office location
  - Developing or procuring a new business application
  - Adding a new client or new process (depending upon size and complexity)
- Understand the business and security purpose of the PROJECT: you cannot start the project unless you know the value (benefits) the project is going to contribute to the organization.
- Understand the end-to-end project flow from the respective owner. This could be a data flow diagram, application architecture, network diagram, input-process-output, etc.
- Define the security baseline for the particular project -> complete the project -> verify the security baseline (project risk management).
I know this theory is very boring. Let's take the example of "Implementation of DLP".
Purpose:
- Prevent the organization's IPR and customers' information from leaking.
Project Understanding:
- The organization has developed / customized an internal application for processing customer information. Protection of the application source code and customer information is of utmost importance.
- The customer sends an input file through FTP; a project user downloads the file from FTP and uploads it to the application for processing. There are 50 users working on this project, and they have access to FTP and the application. Once processing is completed, the project user sends an output file back to the customer through FTP.
Proposed Project Design
Security Baseline for DLP Project
- Data stored in the Code Repository shall not go out of the organization (through any medium: e-mail, FTP, internet, file upload, etc.).
- Any data stored on the "DB and App Server" shall not go out of the organization.
- Users shall be able to send data with the file extension .xml only.
- Any attempted information leakage shall be logged on the DLP server.
- Any attempted source code leakage shall be alerted to management immediately through email or SMS.
I have listed a few baseline checks; the list could be in much more detail. It can be prepared with the help of the product vendor and security professionals. These checks depend upon the organization's requirements.
Verification of baseline
- A security professional is to verify compliance with each and every security baseline item; in case of any non-compliance, it shall be documented in the risk management methodology.

For example, in this case, customer data (input and output files) can be leaked through FTP, as FTP is accessible from anywhere.
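As an added example (not from the original post, and not any vendor's DLP product), the following Python script encodes the five DLP baseline items above as rules, runs constructed outbound-transfer events through them, and carries out the verification step: each baseline item is paired with a test transfer and the outcome the control must produce, and any mismatch becomes a non-compliance finding for the risk register. The channel names, origin labels, user names and file names are assumptions.

```python
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer as a DLP agent would observe it (constructed fields)."""
    user: str
    channel: str    # assumed channel names: "email", "ftp", "web_upload"
    source: str     # assumed origin labels: "code_repo", "db_app_server", "workstation"
    filename: str


@dataclass
class Decision:
    allowed: bool = True
    reasons: list = field(default_factory=list)
    alert: bool = False   # True when management must be alerted immediately (email/SMS)


# Baseline items 1 and 2: these origins must never leave the organization, on any channel.
PROTECTED_SOURCES = {"code_repo", "db_app_server"}
# Baseline item 3: users may send only .xml files.
ALLOWED_EXTENSIONS = {".xml"}


def evaluate(t: Transfer) -> Decision:
    """Apply the baseline rules to one transfer and return the decision."""
    d = Decision()
    if t.source in PROTECTED_SOURCES:
        d.allowed = False
        d.reasons.append(f"data originating from {t.source} must not leave the organization")
        # Baseline item 5: a source-code leakage attempt triggers an immediate alert.
        d.alert = t.source == "code_repo"
    ext = os.path.splitext(t.filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        d.allowed = False
        d.reasons.append(f"file extension {ext or '(none)'} is not permitted; only .xml may be sent")
    return d


def process(events, audit_log):
    """Run transfers through the policy; every blocked attempt is written to the
    audit log (baseline item 4). Returns a list of (transfer, decision) pairs."""
    out = []
    for t in events:
        d = evaluate(t)
        if not d.allowed:
            audit_log.append(
                f"BLOCKED user={t.user} channel={t.channel} source={t.source} "
                f"file={t.filename} alert={d.alert} reasons={'; '.join(d.reasons)}")
        out.append((t, d))
    return out


# Verification: each baseline item paired with a constructed transfer and the
# outcome the control must produce. A mismatch is a non-compliance to record.
BASELINE_TESTS = [
    ("code repository data shall not go out",
     Transfer("dev1", "email", "code_repo", "app.py"), dict(allowed=False)),
    ("DB/App server data shall not go out",
     Transfer("ops1", "web_upload", "db_app_server", "dump.xml"), dict(allowed=False)),
    ("only .xml may be sent",
     Transfer("user7", "ftp", "workstation", "notes.docx"), dict(allowed=False)),
    ("only .xml may be sent (positive case)",
     Transfer("user7", "ftp", "workstation", "output.xml"), dict(allowed=True)),
    ("source code leakage alerts management",
     Transfer("dev1", "ftp", "code_repo", "main.c"), dict(allowed=False, alert=True)),
]


def verify_baseline():
    """Return (results, audit_log, findings): per-item compliance status, the log
    entries the control produced, and the non-compliances for the risk register."""
    audit_log = []
    results, findings = {}, []
    for name, transfer, expected in BASELINE_TESTS:
        decision = process([transfer], audit_log)[0][1]
        ok = all(getattr(decision, k) == v for k, v in expected.items())
        results[name] = "compliant" if ok else "non-compliant"
        if not ok:
            findings.append(f"{name}: expected {expected}, "
                            f"got allowed={decision.allowed} alert={decision.alert}")
    # Baseline item 4: every blocked test transfer must appear in the audit log.
    blocked = sum(1 for _, _, e in BASELINE_TESTS if not e["allowed"])
    results["attempts are logged"] = "compliant" if len(audit_log) == blocked else "non-compliant"
    return results, audit_log, findings


if __name__ == "__main__":
    results, log, findings = verify_baseline()
    for name, status in results.items():
        print(f"{status:14} {name}")
    print(*log, sep="\n")
    print("risk register findings:", findings or "none")
```

The finding the post gives as its example (customer files leaking through an FTP server reachable from anywhere) is a design gap that no rule engine detects by itself; it is the kind of non-compliance that is added to the risk register by hand after the same verification review, alongside whatever the automated checks surface.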