Management and Information Security Essay


Project Management Body of Knowledge

The Project Management Body of Knowledge (PMBoK) is a collection of knowledge areas and processes that together make up the generally accepted practice of project management. In this context, a project is “a temporary endeavour with a defined beginning and an end constrained by funding and time deliverables, usually undertaken to meet unique goals and objectives typically to bring about beneficial change or added value” (Whitman & Mattord, 2010, p.12).

Project management, in turn, is “the discipline of planning, leading, controlling, sequencing, organising, managing, securing, and monitoring of various resources to ensure that specific goals are achieved within the constraints of cost and time” (Whitman & Mattord, 2010, p.21). To meet these demands, managers need a working knowledge of the nine knowledge areas that make up the body of knowledge.

These areas are project integration, risk, quality, cost, scope, human resource, communications, procurement and time management. Project integration management covers the “processes that are crucial in an endeavour to coordinate various components of a project” (Whitman & Mattord, 2010, p.29).

The components that must be integrated include the initial project plan, monitoring of plan execution, plan control and revision, and control of the changes made to resource allocations as the project proceeds. Provision for changes to the initial plan is essential because “measured performance causes adjustments to the project” (Whitman & Mattord, 2010, p.27).

Project scope management, by contrast, ensures that the project plan contains only the work required to complete the project. Scope covers both the quality and the quantity of the project's deliverables. Its main processes are initiation, scope planning, scope definition, scope verification and, most importantly, scope change control (Whitman & Mattord, 2010, p.45).

Project time management ensures that the project is completed within the planned time constraints while all of its objectives are still met.

Missing deadlines is one of the most common forms of project failure, and such failures usually trace back to poor planning. Whitman and Mattord (2010, p. 67) list “activity definition, activity sequencing, activity duration estimating, schedule development, and schedule control” as the main tasks of project time management.

Project cost management ensures that the project meets its specifications within its resource constraints. Many projects are planned around a financial budget, which means that all resources for the project must be procured within it. Cost management comprises “resource planning, cost estimating, costs budgeting and costs control” (Whitman & Mattord, 2010, p.72).

Quality management is another essential consideration in executing a project. It covers the measures taken to ensure that the project's outputs conform to their specifications. The goal of project quality management is to meet the requirements set out in the overall project plan, so a good quality management plan defines every deliverable in unambiguous terms. Quality management comprises “quality planning, quality assurance, and quality control” (Whitman & Mattord, 2010, p.74).

Project human resource management is the knowledge area concerned with staffing the project; it comprises “organisational planning, staff acquisition and team development” (Whitman & Mattord, 2010, p.64). Its purpose is to ensure that each project task is assigned to the people best suited to carry it out to specification.

Project communications management conveys the details and activities of a project to the people who need them. It covers the “creation, distribution, classification, storage, and distribution of documents, messages and other associated information of a project” (Whitman & Mattord, 2010, p.43).

Risks are inevitable during project execution, so they must be identified, assessed, managed and mitigated, and where possible the impact of exposure to situations that could hinder the project must be reduced. This is the concern of project risk management, which according to Whitman and Mattord (2010, p.28) encompasses “risk identification, risk quantification, risk response development and risk response control”. The last knowledge area is project procurement management.

This covers the acquisition of the resources required to execute the project, including “procurement planning, solicitation planning, solicitation, source selection, contract administration and contract closeout” (Whitman & Mattord, 2010, p.33).

When these nine knowledge areas are applied to information security management, it must be noted that information security management is not, strictly, a conventional project. By the definition above, a project has a defined beginning and end, whereas managing an organisation's information security is a continuing activity. What can be treated as projects are the individual pieces of that programme, since each can be broken down into constituent elements that together make a whole.

SecDLC, Its Major Steps and Objectives in the Context of Information Security

The security systems development life cycle (SecDLC) is “a methodology engineered to design besides facilitating the implementation of information systems within an organisation particularly in the information technology sector” (Whitman & Mattord, 2010, p.12). The SecDLC process identifies specific threats and the risks that those threats represent.

Primary objective

The primary objective of the SecDLC is to ensure that the information security systems an organisation develops are both effective and efficient in mitigating the risks it faces, so that the organisation is protected against threats that originate internally as well as externally.

It also covers the design and implementation of the specific controls that counter those threats and support the management of the associated risks. The SecDLC proceeds through the phases of investigation, analysis, logical design, physical design, implementation, and maintenance.

Phases and their objectives

The first phase of the SecDLC is investigation, which is initiated by a directive from top management. The directive specifies the process to be followed, the goals and expected outcomes of the project, the target budget and any other project constraints.

The main goal of this phase is the “affirmation or creation of security policies on which the security program of an organisation is or will be founded” (Whitman & Mattord, 2010, p.21). Team managers, contractors and the relevant employees come together to analyse the security problem that requires a solution.

They also define the scope clearly and concisely, specify objectives and goals, and identify any constraints that the enterprise's security policy does not already address.

Later in this phase a feasibility analysis is conducted to decide whether the organisation “has the vital resources that it can commit to enhance subsequent design and security analysis phases” (Whitman & Mattord, 2010, p.32).

In the second phase, analysis, “the development team brought into existence by the policies developed in the investigation phase conducts preliminary analysis of security policies and or programs” (Whitman & Mattord, 2010, p.27) adopted during investigation. Legal issues that may affect the design of the security interventions are also discussed and clarified in this phase.

For security systems, the main goal of the analysis phase is to identify the “risks facing the organisation, specifically the threats to organisation’s security and to the information stored and processed by the organisation” (Whitman & Mattord, 2010, p.45).

This reduces the organisation's vulnerability to attack. In the context of information systems, a threat is any of the “persons, objects or other entities that pose constant dangers to information systems assets” (Whitman & Mattord, 2010, p.54). Common threats include mail bombing, malicious code, password cracking, hoaxes, social engineering and spam.

The analysis phase also seeks to “identify and assess the value of your information assets through classifications and categorisation of all of the elements of an organisation’s systems: people, procedures, data and information, software, hardware and networking elements” (Whitman & Mattord, 2010, p.67).

This is the starting point of risk management: once assets have been valued, the vulnerabilities in the organisation's information systems can be identified and the resulting risks ranked. The third phase of the SecDLC is design, which comprises “two main sub-phases: physical design and logical design” (Whitman & Mattord, 2010, p.65).
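As an added worked example (not code from the essay or from Whitman and Mattord's book), the following Python worksheet carries the analysis phase through in code: it values assets by weighted factor analysis, rates each vulnerability with a formula of the kind the book describes (likelihood times asset value, less the share mitigated by current controls, plus an uncertainty allowance), and ranks the results so that controls can be prioritised. The criteria, weights, assets, threats and estimates are all constructed for illustration.

```python
"""Risk-rating worksheet for the SecDLC analysis phase.

Added example; not code from the essay or from Whitman and Mattord's book.
It applies a risk-rating formula of the kind the book describes:

    base = likelihood * asset_value
    risk = base - base * mitigated + base * uncertainty

Every asset, score, weight and estimate below is constructed.
"""
from dataclasses import dataclass

# Weighted factor analysis: criteria used to value an asset and their
# weights (constructed; the weights must sum to 1.0).
CRITERIA_WEIGHTS = {
    "revenue_impact": 0.4,
    "profitability_impact": 0.3,
    "public_image_impact": 0.3,
}


@dataclass
class Asset:
    name: str
    category: str   # people, procedures, data, software, hardware, networking
    scores: dict    # criterion -> 0..100 rating of this asset on that criterion

    def value(self) -> float:
        """Weighted asset value on a 0..100 scale."""
        missing = set(CRITERIA_WEIGHTS) - set(self.scores)
        if missing:
            raise ValueError(f"{self.name}: unscored criteria {sorted(missing)}")
        return round(sum(w * self.scores[c] for c, w in CRITERIA_WEIGHTS.items()), 2)


@dataclass
class Vulnerability:
    asset: Asset
    threat: str
    description: str
    likelihood: float          # 0..1 chance of exploitation in the planning period
    mitigated: float = 0.0     # fraction of the risk removed by current controls
    uncertainty: float = 0.0   # fraction added to cover gaps in our knowledge

    def __post_init__(self):
        for name in ("likelihood", "mitigated", "uncertainty"):
            v = getattr(self, name)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {v}")

    def risk(self) -> float:
        base = self.likelihood * self.asset.value()
        return round(base - base * self.mitigated + base * self.uncertainty, 2)


def rank_risks(vulns):
    """(risk, asset, threat) tuples, highest risk first: the order in which
    controls should be planned."""
    return sorted(((v.risk(), v.asset.name, v.threat) for v in vulns), reverse=True)


def with_control(vuln, extra_mitigation):
    """Residual risk if a proposed control removes a further share of the risk."""
    return Vulnerability(vuln.asset, vuln.threat, vuln.description, vuln.likelihood,
                         min(1.0, vuln.mitigated + extra_mitigation), vuln.uncertainty)


# Constructed inventory: three assets, one vulnerability each.
ASSETS = {
    "customer_db": Asset("customer_db", "data",
                         {"revenue_impact": 90, "profitability_impact": 80, "public_image_impact": 100}),
    "web_server": Asset("web_server", "hardware",
                        {"revenue_impact": 70, "profitability_impact": 60, "public_image_impact": 50}),
    "payroll_app": Asset("payroll_app", "software",
                         {"revenue_impact": 50, "profitability_impact": 70, "public_image_impact": 40}),
}

VULNERABILITIES = [
    Vulnerability(ASSETS["customer_db"], "password cracking", "weak DBA password policy",
                  0.5, mitigated=0.5, uncertainty=0.2),
    Vulnerability(ASSETS["web_server"], "malicious code", "unpatched web framework",
                  0.8, uncertainty=0.1),
    Vulnerability(ASSETS["payroll_app"], "social engineering", "help desk resets passwords by phone",
                  0.3, mitigated=0.2, uncertainty=0.3),
]

if __name__ == "__main__":
    for risk, asset, threat in rank_risks(VULNERABILITIES):
        print(f"{risk:6.2f}  {asset:<12} {threat}")
```

Running it ranks the unpatched web server first even though the customer database is the more valuable asset, because the database's existing lockout control halves its exposure; `with_control` lets the planner see how much a proposed control would reduce each rating before committing budget.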

In the logical design sub-phase, the design team examines the key policies that will shape later decisions and develops the information security blueprint. In the physical design sub-phase, the technologies needed to support that blueprint are evaluated and designed. This “generates alternative solutions that agree upon a final design” (Whitman & Mattord, 2010, p.61). The organisation's information security policies are central to the design phase, and an education and training programme is also a critical element of it.

In the fourth phase, implementation, the designed and evaluated security solutions are acquired or built, tested, put into operation and documented. The implemented programme must conform precisely to the policies established in the investigation phase.

The last phase of the SecDLC is maintenance. Once the information security programme has been implemented, the main tasks are to ensure that the system is operated and managed correctly and kept up to date using the procedures established in the preceding phases.

The five areas of the ISO network management model, fault, configuration, accounting, performance and security management, are essential competencies for the staff charged with maintaining information systems.

Although the phases of the SecDLC are distinct, each ends with a critical review to determine how far the phase's goals have been met. Where gaps are found, the phase is revised before work proceeds to the next. This keeps the security system the organisation develops compliant and consistent with its information security policies.

Contingency Planning Guide for Information Technology Systems

In an organisation that depends on IT, the information system is critical to achieving the organisation's business processes, mission and goals. It must therefore be able to run without extended interruption.

This means the system must be highly available. Availability here is the probability that the system is operational and usable whenever it is needed. This is the idea behind the Contingency Planning Guide for Federal Information Systems (NIST Special Publication 800-34, Revision 1), as discussed by Whitman and Mattord (2010, p.42).

The guide states that “contingency planning supports this requirement by establishing thorough plans, procedures, and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption” (Whitman & Mattord, 2010, p.45).

In information security management, contingency planning is closely related to the analysis phase of the SecDLC. A contingency plan seeks to preserve the availability of the information system, while the analysis phase assesses the risks the organisation faces once a security system is in place so that the organisation is less susceptible to threats.

Those threats are the ones that can take a system out of operation, and contingency planning is what restores the system once a threat has done so.

Like the analysis phase, contingency planning aims at “providing preventive measures, recovery strategies, and technical considerations appropriate to the system’s information confidentiality, integrity, availability requirements, and the system impact level” (Whitman & Mattord, 2010, p.78).

While this is crucial for the safety of an organisation's systems, the redundancy the guide relies on is arguably not consistent with the demands of a technologically sophisticated world. The contingency plan includes several approaches for restoring service after an interruption, among them the deployment of alternative systems or equipment. Disrupted service may also be restored by “performing some or all of the affected business process using alternate processing (manual) means (typically acceptable for only shorter disruptions)” (Whitman & Mattord, 2010, p.89).

Manual processing is a reasonable way of mitigating the risk of exposure while the normal system is out of operation, but a modern information system handles a very large volume of information, so manual security checks would require a correspondingly large number of staff. Despite these weaknesses, the paper acknowledges that the guide states its own limits of applicability.

These limits follow from the scope of the guide itself: “given the broad range of information system designs and configurations, as well as the rapid development and obsolescence of products and capabilities, the scope of the discussion is not intended to be comprehensive” (Whitman & Mattord, 2010, p.51).

In addition, information systems security management techniques depend heavily on current technological capabilities. A carefully developed contingency plan must also not overlook the minor problems that can disrupt information systems; accordingly, the guide also provides mechanisms for planning the response to short-term disruptions of an organisation's systems.

An Example of an Enterprise Information Security Policy

In the course of their business, organisations act as custodians and controllers of sensitive information belonging to their clients that must never be made public. This discussion uses the State of Iowa's enterprise information security policy as its example.

The policy “helps to create an environment within the state of Iowa agencies that maintains system security and availability, data integrity and individual privacy by preventing unauthorised access to information and information systems by preventing misuse, damage or loss of data” (Whitman & Mattord, 2010, p.53).

The Iowa policy describes enterprise processes, standards and procedures so as to give clear and concise ways of implementing it. Implementation is carried out by the individual agencies, each of which develops the policies, procedures, standards and processes needed to meet the policy's requirements.

As Whitman and Mattord (2010, p.12) note, “If it is determined that more stringent measures are needed, the agency is responsible for developing the policies, standards, processes, and procedures to meet that higher level of security”.

The Iowa policy has a number of aspects; this section considers four of them. The first is risk management, which is crucial because the main purpose of any information security system is to prevent risks from materialising and, when they do, to mitigate their effects.

The policy acknowledges that “it is impossible to eliminate all risks though security measures are used to mitigate risks to acceptable levels, and all security decisions should be made with risk management in mind” (Whitman & Mattord, 2010, p.59).

Iowa can implement this part of the policy by requiring every agency to conduct periodic risk and vulnerability assessments of all its information systems and to apply effective, efficient security measures wherever exposure is found. Assessment is critical because it drives the identification, planning, prioritisation and implementation of security measures and keeps the risk assessment procedures themselves up to date. Confidentiality, integrity and availability are further critical aspects of the Iowa policy.

To this end, Iowa holds that “each agency shall not jeopardise the confidentiality, integrity or availability of the state enterprise or the information stored, processed and transmitted by any state information systems” (Whitman & Mattord, 2010, p.94).

This can be implemented by ensuring that agencies follow precisely the security policies that Iowa has judged capable of upholding confidentiality, integrity and availability across all agencies.

The Iowa policy also establishes security programmes: “each agency implements a security awareness, training and education program for all staff including both technical and non-technical staff” (Whitman & Mattord, 2010, p.69). Iowa can use this aspect to offer an ongoing, systematic, system-wide training programme, so that every employee becomes acquainted with the fundamentals of information systems security soon after being hired.

Another aspect of the policy concerns evaluation and monitoring. Iowa provides for “monitoring of information system usage for malicious activity and misuse of government resources that will be conducted by agencies or their established policies, the department of administrative services, the Iowa communications, or other party at the request of the agency” (Whitman & Mattord, 2010, p.77).

Iowa may use this provision to verify compliance with the established standards, processes and procedures for information systems security, and to take corrective steps where an agency is found to be non-compliant.
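To make the monitoring provision concrete, here is an added example (not part of the essay or of the Iowa policy) that checks constructed sshd-style authentication log lines for the password-cracking threat named in the analysis phase: a source that fails to log in repeatedly within a short window is flagged, the number of distinct user names it tried is recorded, and a subsequent successful login from that source is reported so it can be treated as an incident rather than a routine ticket. The host name, the addresses (RFC 5737 documentation ranges), the thresholds and the log lines themselves are constructed.

```python
"""Monitoring authentication logs for password-cracking attempts.

Added example; not code from the essay or from the Iowa policy. The log
lines, host name, addresses (RFC 5737 documentation ranges) and thresholds
are all constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines, in time order: a burst of failures
# from 203.0.113.5 ending in a successful password login, one stray failure
# from a user who normally uses a key, and two slow typos from 192.0.2.9.
SAMPLE_LOG = """\
Mar  4 10:00:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  4 10:00:03 bastion sshd[2212]: Failed password for invalid user oracle from 203.0.113.5 port 51235 ssh2
Mar  4 10:00:05 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  4 10:00:08 bastion sshd[2214]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Mar  4 10:00:12 bastion sshd[2215]: Failed password for invalid user admin from 203.0.113.5 port 51238 ssh2
Mar  4 10:00:15 bastion sshd[2216]: Failed password for backup from 203.0.113.5 port 51239 ssh2
Mar  4 10:00:20 bastion sshd[2217]: Accepted password for backup from 203.0.113.5 port 51240 ssh2
Mar  4 10:02:30 bastion sshd[2300]: Accepted publickey for jdoe from 198.51.100.7 port 40022 ssh2
Mar  4 10:05:00 bastion sshd[2350]: Failed password for jdoe from 198.51.100.7 port 40100 ssh2
Mar  4 10:10:00 bastion sshd[2400]: Failed password for asmith from 192.0.2.9 port 33001 ssh2
Mar  4 10:12:00 bastion sshd[2401]: Failed password for asmith from 192.0.2.9 port 33002 ssh2
Mar  4 10:12:10 bastion sshd[2402]: Accepted password for asmith from 192.0.2.9 port 33003 ssh2
Mar  4 10:12:11 bastion sshd[2402]: pam_unix(sshd:session): session opened for user asmith by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[0-9.]+) port \d+"
)


def parse_line(line, year=2012):
    """Return (timestamp, result, user, source) for an sshd auth line, or None
    for lines this detector ignores (e.g. pam session messages). Syslog lines
    carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, max_failures=5, window_seconds=60):
    """Flag every source that produces max_failures or more failed logins
    inside a sliding window, count the distinct user names it tried (many
    names suggest a dictionary or spraying attack), and record any later
    successful login from the same source. Expects lines in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # source -> timestamps of recent failures
    users_tried = defaultdict(set)   # source -> user names attempted
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "Failed":
            users_tried[src].add(user)
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:        # drop failures outside the window
                q.popleft()
            if src in findings:
                findings[src]["failures"] += 1
                findings[src]["distinct_users"] = len(users_tried[src])
            elif len(q) >= max_failures:
                findings[src] = {
                    "first_flagged": ts,
                    "failures": len(q),
                    "distinct_users": len(users_tried[src]),
                    "success_after_burst": None,
                }
        elif src in findings and findings[src]["success_after_burst"] is None:
            findings[src]["success_after_burst"] = user
    return findings


if __name__ == "__main__":
    for src, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(src, finding)
```

Against the sample, only 203.0.113.5 is flagged: six failures across five user names in fourteen seconds, followed by a successful login as `backup`, which is the line a responder should act on first. The single failure from 198.51.100.7 and the two typos two minutes apart from 192.0.2.9 stay below the threshold, which is the point of the sliding window: a monitoring programme that pages on every failed login trains staff to ignore it.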

Recent Information Security Breaches

Organisations remain susceptible to information security threats in a rapidly evolving technological world. In California, according to Whitman and Mattord (2010, p.12), “the personal details of over 700,000 people involved in California’s home supportive services are reported to have gone missing in the mail”.

A payroll application sent the workers' data, in microfiche form, through the US Postal Service, but the shipment arrived at its destination incomplete and damaged.

The affected data included “salary details, social security numbers, names, and details for California department of social services dating back to October to December 2011” (Whitman & Mattord, 2010, p.19).

In another case, cited by Whitman and Mattord (2010, p.28), research by the UK's Channel 4 News revealed that “customers using contactless credit cards issued by the Barclays bank could have their data stolen without their knowledge by criminals using standard card readers built into many phones”.

A contactless credit card works through a chip embedded in the card. According to Channel 4 News, a payment can be made by holding the chip over a reader without entering a PIN.

In the words of Whitman and Mattord (2010, p.38), in tests “Channel 4 News was able to extract information from contactless credit card, which included the long card number, the expiry date and the name of the card holder”.

Information security breaches target both small and large organisations, as the growing concern about personal information security on social networks shows.

Twitter has said that it spends millions of dollars countering fraudulent attempts to break into its systems, and Facebook users in particular remain exposed to breaches of the confidentiality of their information.

Whitman and Mattord (2010, p.39) discuss one such case in which “a man from the UK is spending one year in prison for hacking another person’s Facebook account”. Other information security breaches are mainly concerned with online financial fraud.

How far an organisation or industry is targeted may also depend on how well it is perceived to have deployed risk management policies and programmes against hacking.

Consistent with this, “A recent survey of 108 global companies conducted by the Carnegie Mellon University CyLab and sponsored by RSA and Forbes found that those in the financial sector have the best cyber and information risk management practices, while companies in the energy and utility industries have the worst” (Whitman & Mattord, 2010, p.50).

From a different perspective, as Whitman and Mattord (2010, p.12) argue, “Breaches at smaller companies are just as likely to occur but not as likely to make the news”. The reasoning is that companies of different sizes have different resources.

Consequently, small companies may find it expensive to design systems that counter the malicious software affecting them, and may instead turn to alternative means of handling information transmission, including manual ones.

Reference

Whitman, M. E., & Mattord, H. J. (2010). Management of Information Security. Boston, MA: Course Technology.
