To evaluate compliance with A.5.8 "Information Security in Project Management," an information security auditor would need to assess how an organization integrates information security practices into its project management processes. Here's a breakdown of the evidence and areas an auditor might review:
- Policy and Guidelines: Verify the existence of policies and guidelines that outline how information security requirements should be integrated into project management processes.
- Project Initiation: Assess if information security considerations are addressed during project initiation, including the identification of potential security risks and the establishment of security objectives.
- Risk Assessment: Evaluate whether project managers conduct risk assessments that identify information security risks associated with the project and develop mitigation strategies.
- Security Requirements: Review if security requirements are defined and incorporated into project scope, objectives, and deliverables.
- Security Roles and Responsibilities: Assess if project teams have clear roles and responsibilities related to information security, including security champions, reviewers, and approvers.
- Communication: Verify if project teams communicate information security requirements effectively among stakeholders, including project sponsors, team members, and external partners.
- Change Management: Evaluate if changes in project scope, schedule, or requirements are assessed for their potential impact on information security and appropriate adjustments are made.
- Training and Awareness: Assess if project teams receive adequate training and awareness regarding information security practices relevant to their roles.
- Integration with SDLC: Review if information security activities are integrated into the software development lifecycle (SDLC) or project management framework used by the organization.
- Vendor and Third-Party Management: Examine if third-party vendors or contractors working on the project adhere to the organization's information security policies and guidelines.
- Secure Development Practices: Assess if secure coding practices are followed during software development projects to prevent vulnerabilities and ensure the security of developed applications.
- Privacy Considerations: Verify if projects that involve personal data consider privacy requirements and incorporate necessary controls to protect sensitive information.
- Testing and Quality Assurance: Evaluate if security testing, such as vulnerability assessments and penetration testing, is conducted as part of project quality assurance.
- Documentation and Reporting: Examine if project documentation includes information security-related details, such as security assessments, risk assessments, and security controls implemented.
- Monitoring and Review: Assess if projects are regularly reviewed for compliance with information security requirements and if deviations are addressed promptly.
- Incident Response Planning: Verify if project plans include provisions for responding to security incidents that may occur during the project's lifecycle.
- Lessons Learned: Review if information security-related lessons learned from previous projects are incorporated into current projects to improve practices.
- Audit Trails: Examine records or logs that demonstrate how information security considerations were integrated into project management activities.
By assessing these areas, an auditor can determine whether the organization effectively incorporates information security practices into its project management processes, thereby ensuring that security risks are identified, addressed, and managed throughout the project lifecycle.
Project managers have special interests in all three components of the CIA triad. IT projects warrant special consideration for maintaining confidentiality. The business case for any IT project will include strategic business goals, whether the project delivers an exciting new technology or a mundane but essential upgrade to maintain enterprise productivity. IT project documentation also frequently includes intimate details of network and systems architecture that present an attractive target for industrial espionage and hackers. Failed changes to IT systems can also impact availability and integrity. Special attention to backups, back-out plans, and security risks early in the project will pay big dividends when project rollout leaves little time to consider how to undo the changes made during a Go-Live, or to react to an unexpected risk occurrence that may cause systems to go down or cause data loss, corruption, or breach. Project managers should also develop plans to mitigate risks to the project documentation and methodology itself.
PMs are not expected to be security experts, but by including security considerations in every phase and process of a project, especially in initiating and planning, communications and deliverables, PMs have the opportunity to deliver more secure systems in a more secure manner.
Project documentation includes the information security controls listed below:
- Project Planning
- Identify Stakeholders
- Plan Communications
- Develop Project Team
- Plan Risk Management
- Secure Communications
- Authentication and Password Management
- Access Management
- Encryption
- Physical Security
- Secure Deliverables
- Monitor and Control Risks – Change Control
- Verify Deliverables
- Document Lessons Learned