Project Management

Previous page
Table of content
Next page


As previously discussed, there are two basic types of work performed by the ISSO and staff: (1) level of effort (LOE) and (2) projects. We have discussed LOE and have provided some examples of process and metrics flowcharts relative to LOE.

It has been stated several times, but bears repeating: Projects are established where some tasks related to the CIAPP and/or InfoSec functions must be completed but they are not ongoing tasks. It is imperative that the ISSO be intimately familiar with and experienced in project management—as well as time management.

Remember that whether or not some task should be a project depends on whether it has the following:

  • A stated objective (generally in one clear, concise and complete sentence);

  • A beginning date;

  • An ending date;

  • Specific tasks to be performed to successfully meet that objective;

  • A project leader; and

  • Specific personnel to complete each task and the time period when the task will be completed.

Let's assume that the CIO sent a memo to the ISSO based on a conversation that the CIO had with the Director of IT. It seems that they had a meeting and during the meeting the discussion turned to IT projects related to their projects of upgrading systems, such as hardware, software, and their general maintenance. The CIAPP policy called for such upgrades and maintenance efforts to ensure that the information environment is maintained in compliance with the requirements set forth in the CIAPP. The Director stated that the IT staff didn't know if that was always the case when they made changes to systems. Consequently, the Director suggested that members of the ISSO's organization be part of the IT project teams with responsibility for determining whether the changes kept IWC's information environment secure. The CIO agreed and sent the ISSO a letter to that effect. When the ISSO received the memo, the ISSO discussed the matter with the Senior Systems Security Engineer. It was decided that a project be developed in order to establish a process and function to comply with the request from the CIO and Director of IT.

As an ISSO, you should be able to identify several issues that the ISSO must resolve apart from initiating this project. First, the Director of IT and the ISSO should be working closely together, and by doing so, they could have dealt with this matter without involving their boss, the CIO. In addition, the fact that the CIO sent a memo to the ISSO, instead of calling or meeting personally with the ISSO, indicates that the communication and working relationship between the CIO and ISSO must be improved. The ISSO must take action to immediately begin improving the communication and relationship with the Director and CIO.

That aside, using Figure 9.20 as an example, let's develop a project and fill in the blanks for major portions of the chart:

  • SUBJECT: The project name: Security Test & Evaluation Function Development

  • RESPONSIBILITY: The name of the project leader: John Doe, InfoSec Senior Systems Security Engineer.

  • ACTION ITEM: What is to be accomplished: IT requires ISSO support to ensure that information and systems protection are integrated into IT systems' integration, maintenance, and update processes.

  • REFERENCES: What caused this project to be initiated. For example: "See memo to ISSO from CIO, dated November 2, 2002."

  • OBJECTIVE(S): State the objective of the project: Maintain a secure information environment.

  • RISK/STATUS: State the risk of not meeting the objective(s) of this project: Because of limited staffing and multiple customer projects being supported, this project may experience delays as higher priority LOE and projects take precedence.

  • ACTIVITY/EVENT: State the tasks to be performed, such as "Meet with IT project leads."

  • RESPONSIBILITY: Identify the person responsible for each task. In this case, it is the Senior Systems Security Engineer, John Doe.

  • CALENDAR: The calendar could be a year-long, monthly, quarterly or 6-month calendar with vertical lines identifying individual weeks. Using the 6-month calendar, the Project Lead and assigned project team members would decide what tasks had to be accomplished to meet the objective. The arrows and diamonds identified in the legend would be used to mark the beginning and ending dates of each task. The arrows are filled in when the task is started and when the task is completed; the diamonds are used to show deviations from the original dates.

  • RISK—LVL: In this space, each task is associated with the potential risk that it may be delayed or cost more than allocated in the budget for the task. Using "High," "Medium" or "Low" or "H," "M" or "L," the Project Lead, in concert with the person responsible for the task, assigns a level of risk.

  • RISK—DESCRIPTION: A short description of the risk is stated in this block. If it requires a detailed explanation, that explanation is attached to the project plan. In this block the Project Lead, who is also responsible for ensuring that the project plan is updated weekly, states "See Attachment 1."

  • ISSUE DATE: The date the project began and the chart initiated goes in this block.

  • STATUS DATE: The most current project chart date is placed here. This is important because anyone looking at the project chart will know how current the project chart is.

click to expand
Figure 9.20: A basic project management chart that can be used to track CIAPP and InfoSec functional projects.

Other types of charts can also be developed to show project costs in terms of labor, materials, and the like. A good, automated project plan software program is well worth the costs for managing projects.

In the case of project charts, the ISSO uses them to brief management relative to the ongoing work of the InfoSec organization and states of the CIAPP. The ISSO receives weekly updates on Friday morning in a meeting with all the ISSO's project leaders, where each project lead is given 5 minutes to explain the status of the project—for example, "The project is still on schedule" or "Task #2 will be delayed because the person assigned the task is out sick for a week; however, it is expected that the project completion date will not be delayed because of it."

The ISSO holds an expanded staff meeting the last Friday of each month. All assigned InfoSec personnel attend these meetings, which last 2 to 3 hours. At these meetings, 1 hour is taken for all project leads and InfoSec functional leads to brief the status of their LOE and projects to the entire staff. The ISSO does this so that everyone in the organization knows what is going on—a vital communications tool. Also during this time, other matters are briefed and discussed, such as the latest risk management techniques, conferences, and training available.


Previous page
Table of content
Next page
The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
EAN: 2147483647
Year: 2002
Pages: 204
Authors: Gerald L. Kovacich CFE CPP CISSP
BUY ON AMAZON
Network Security Architectures
The Complete Cisco VPN Configuration Guide
C++ How to Program (5th Edition)
GO! with Microsoft Office 2003 Brief (2nd Edition)
PMP Practice Questions Exam Cram 2
Quantitative Methods in Project Management
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy