Date posted: 12-Aug-2015
Embedding Security in IT Projects
Dr. Kaali Dass, PMP, PhD.
Program Manager
Cisco Systems, Inc.
June 2015
© 2014-2015 Dr. Kaali Dass
Enterprise IT Security & Maturity…!
To Be Hacked!!!
Ref: http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014
24 Large Organizations Hacked in 2014
Enterprise Wide IT Projects
Large number of Stakeholders
Complex Dependencies
Multiple Tier Architecture
Diverse Technologies
In-house development and Vendor Products
Open Source Products
Lack of Security Awareness
Image Ref: http://www.carnegiemuseums.org/
PMI Process
Initiation; Planning; Execution; Monitoring and Controlling; Closing
About PMI Knowledge Areas
Reference: PMBOK Guide 5th Edition
Integration Management
Cost Management
Time Management
Scope Management
Risk Management
Human Resource Management
Stakeholder Management
Communications Management
Quality Management
Procurement Management
Project Structure
Organization’s Initiatives (Portfolio)
Programs (each with Projects 1…N)
Strategy and Planning
Programs and Initiatives
Projects & Dev Teams
IT Security: Organization
IT Security: Projects
Initiation; Planning; Execution; Monitoring and Controlling; Closing
Enterprise Level
Review
Business and IT
Review
Infra / Network / Data / Third-party
Code and Access Vulnerabilities
Lessons Learned
Waterfall
Requirements
Design
Development
Testing
Implementation
Support
Delivery Time: Many Months to Years
Agile Manifesto - Values
Individuals and Interactions over process and tools
Working Software over Comprehensive Documentation
Customer Collaboration over Contract Negotiation
Responding to Change over Following a Plan
Reference: http://agilemanifesto.org/
Agile
Product Owner + Scrum Master + Scrum Team
Plan and Commit
Sprint(s)
Demo and Deliver
Inspect and Adapt
Incremental
Capability
Continuous Integration
Delivered in Weeks
Accept Changes
Fail Fast, Learn, and Improve
IT Security Layer: IT and Business
HTTP / XHR
Business
Roles
Responsibilities
Access Policies
Data Retention
PCI Compliance
SOX and other Privacy Laws
Audits
& More…
IT
ACL
AuthC / AuthZ
Encryption
Mobility & IoT
Social Media
Data Classification
Data Access
Data at Rest & Transit
Virus / Malware
Business Continuity
& More…
IT Ecosystems, Agility, and Security
IaaS / PaaS: Semi-automated, Orchestrated, Public / Private Cloud
Public Cloud: Automated, Elastic, Scalable, Orchestrated
Apps / Services
PaaS
DB
VMs
Services
SaaS
Data Centers / Servers: Manual, Discrete Process
Discrete to Continuous; Simple to Complex; Manual to Automated
Enabling Security in Waterfall Projects
Requirements
Design
Development
Testing
Implementation
Support
Project Plan with Security Focus
Evaluate Third-party Products
Identify and document Security Risks
Business and IT, Internal and External
Security Architecture and design review
Code Review – Automated / Deep Dive
Monitor Risks closely throughout the SDLC and Project life cycle
Enabling Security in Agile Projects
Security Review during Product backlog, and Sprint planning
Definition of Done for Security (Compliance and Security)
Create Security Awareness and training
Automated Code Scan for Security Vulnerabilities
Standardized and Secured Platform
Retrospective after every Sprint specifically for Security
Key Takeaways: Org Level
Plan: IT Leadership, IT Security Strategies
Prepare: Governance and Policies
Predict: Analyze and Predict
Prevent: Real-time Monitoring, Alerts
Security at Project Planning
Business & IT collaboration
Focus on People, Process, and Technology
Security awareness and training
Key Takeaways: Project Level
IT Security - Future
Plan
Predict
Prepare
Prevent