Sunday 26 April 2015

ISO/IEC 27001:2013 – A.6.1.5 Information security in Project Management

Information Security in Project Management: Information security shall be addressed in project management regardless of the type of the project.


This is a NEW control in the 2013 version of ISO 27001. However, I have my own perspective on this control.

In my view, ISO 27001:2005 A.6.1.4 (Authorization process for information processing facility) has been broadened into ISO 27001:2013 A.6.1.5 (Information security in project management).

ISO/IEC 27001:2005 – A.6.1.4 Authorization process for information processing facility
  • Limited focus on end point devices, e.g. desktop, laptop, personal or hand-held devices, software checks, etc.
  • More focused on authorization and less on end-to-end security

ISO/IEC 27001:2013 – A.6.1.5 Information security in project management
  • Broadened focus from end point to end-to-end project implementation
  • Complete focus on security
  • Identify and address RISKS as a part of the project
  • Information security risk management for the project

While interacting with many people, I have observed a common challenge with respect to this control: “How to implement this control?” This has become a challenge for many security organizations and professionals because the SCOPE has widened from “End Point” to “Project Management”.

Let’s start breaking down the jargon:
  • Understand what a “PROJECT” is for your organization. If you ask me, simple examples could be:
    • Implementation of DLP, anti-virus, firewall, BYOD or any technology solution
    • Buying a new office location
    • Developing or procuring a new business application
    • Adding a new client or new process (depending upon size and complexity)
  • Understand the business and security purpose of the PROJECT: you cannot start the project unless you know the value (benefits) the project is going to contribute to the organization
  • Understand the end-to-end project flow from the respective owner. This could be a data flow diagram, application architecture, network diagram, input-process-output, etc.
  • Define a security baseline for the particular project -> complete the project -> verify the security baseline (project risk management)


I know this theory is very boring. Let’s take the example of “Implementation of DLP”.


Purpose:
  • Prevent leakage of the organization’s IPR and customers’ information.
Project Understanding:
  • The organization has developed/customized an internal application for processing customers’ information. Protection of the application source code and customer information is of utmost importance.
  • The customer sends an input file through FTP; a project user downloads the file from FTP and uploads it to the application for processing. There are 50 users working on this project, and all have access to FTP and the application. Once processing is completed, the project user sends an output file back to the customer through FTP.
Proposed Project Design

Security Baseline for DLP Project
  • Data stored on the code repository shall not go out of the organization (through any medium: e-mail, FTP, internet, file upload, etc.)
  • Data stored on the “File Server” -> folder named “Prising” shall not go out of the organization
  • Any data stored on the “DB and App Server” shall not go out of the organization
  • Users shall be able to send data with the file extension .xml only
  • Any attempt at information leakage shall be logged on the DLP server
  • Any attempt at source code leakage shall be alerted to management immediately through e-mail or SMS
I have listed a few baseline checks; this could be in much more detail. The baseline can be prepared with the help of the product vendor and security professionals. These checks depend upon the organization’s requirements.
Verification of baseline
  • A security professional is to verify compliance with each and every security baseline item; in case of any non-compliance, the same shall be documented according to the risk management methodology.
For example, in this scenario, customer data (input and output files) can be leaked through FTP, as FTP is accessible from anywhere.
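The verification step above can be made repeatable. The following is an added example, not code from the original post: it encodes the six DLP baseline items as checks and runs them over a constructed set of DLP server events, producing the non-compliance entries that would go into the risk register. The event fields, the source labels (code_repo, file_server:Prising, db_app_server) and the sample events are assumptions for illustration.

```python
# Added example: verify the DLP security baseline against constructed DLP events.
# Baseline ids B1-B6 follow the order of the list in the post.
from dataclasses import dataclass

# Sources that the baseline (B1-B3) says must never leave the organization
PROTECTED_SOURCES = {"code_repo", "file_server:Prising", "db_app_server"}


@dataclass(frozen=True)
class DlpEvent:
    """One outbound transfer attempt as recorded by the DLP server (constructed)."""
    user: str
    source: str      # where the data came from, e.g. "code_repo" or "workstation"
    channel: str     # "email", "ftp", "web_upload", ...
    filename: str
    external: bool   # True if the destination is outside the organization
    blocked: bool    # True if the DLP control stopped the transfer
    alerted: bool    # True if management was alerted by e-mail/SMS


def check_event(ev):
    """Return the baseline items this event shows to be non-compliant."""
    findings = []
    if not ev.external:
        return findings  # the baseline only constrains data going outside
    if ev.source in PROTECTED_SOURCES and not ev.blocked:
        findings.append("B1-B3: protected data left the organization via " + ev.channel)
    if not ev.filename.lower().endswith(".xml") and not ev.blocked:
        findings.append("B4: non-.xml file sent externally: " + ev.filename)
    if ev.source == "code_repo" and not ev.alerted:
        findings.append("B6: source code leakage attempt not alerted to management")
    return findings


def verify_baseline(events):
    """Build a risk-register entry for every non-compliant event (B5 assumes all attempts are logged)."""
    return [{"user": ev.user, "channel": ev.channel, "finding": f}
            for ev in events for f in check_event(ev)]


# Constructed sample of DLP server log entries
SAMPLE_EVENTS = [
    DlpEvent("dev01", "code_repo", "email", "app.zip", True, True, True),            # compliant
    DlpEvent("ops02", "file_server:Prising", "ftp", "rates.xlsx", True, False, False),  # B1-B3 and B4
    DlpEvent("usr07", "workstation", "ftp", "output.xml", True, False, False),       # passes baseline (FTP exposure is still a risk)
    DlpEvent("dev03", "code_repo", "web_upload", "main.c", True, True, False),       # B6 only
    DlpEvent("usr09", "db_app_server", "email", "dump.sql", False, False, False),    # internal, no finding
]

if __name__ == "__main__":
    for entry in verify_baseline(SAMPLE_EVENTS):
        print(entry)
```

The third event shows the limit of a baseline check: the customer output file leaves over FTP within the rules, which is exactly the residual risk the post records in the risk register.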


1 comment:

  1. Amazing write-up! The information provided here is excellent and gives an idea about ISO 27001 certification, and it also shows how it helps to implement the organization's best information security system as per the ISO 27001:2013 standard.