Embedding Security in IT Projects


Transcript of Embedding Security in IT Projects

Page 1: Embedding Security in IT Projects

Embedding Security in IT Projects

Dr. Kaali Dass, PMP, PhD.

Program Manager

Cisco Systems, Inc.

June 2015

© 2014-2015 Dr. Kaali Dass

Page 2: Embedding Security in IT Projects

Enterprise IT Security & Maturity…!

To Be Hacked!!!

Ref: http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014

24 Large Organizations Hacked in 2014

Page 3: Embedding Security in IT Projects
Page 4: Embedding Security in IT Projects

Enterprise Wide IT Projects

Large number of Stakeholders

Complex Dependencies

Multiple Tier Architecture

Diverse Technologies

In-house development and Vendor Products

Open Source Products

Lack of Security Awareness

Image Ref: http://www.carnegiemuseums.org/

Page 5: Embedding Security in IT Projects

PMI Process

Initiation

Planning

Execution

Monitoring and Controlling

Closing

Page 6: Embedding Security in IT Projects

About PMI Knowledge Areas

Reference: PMBOK Guide 5th Edition

Integration Management

Cost Management

Time Management

Scope Management

Risk Management

Human Resource Management

Stakeholder Management

Communications Management

Quality Management

Procurement Management

Page 7: Embedding Security in IT Projects

Project Structure

Organization's Initiatives (Portfolio)

Programs 1…N, each containing Projects 1…N

Page 8: Embedding Security in IT Projects
Page 9: Embedding Security in IT Projects

IT Security: Organization

Strategy and Planning

Programs and Initiatives

Projects & Dev Teams

Page 10: Embedding Security in IT Projects

IT Security: Projects

Process groups: Initiation, Planning, Execution, Monitoring and Controlling, Closing

Security activities across the project life cycle:

Enterprise Level Review

Business and IT Review

Infra / Network / Data / Third-party

Code and Access Vulnerabilities

Lessons Learned

Page 11: Embedding Security in IT Projects

Waterfall

Requirements

Design

Development

Testing

Implementation

Support

Delivery Time: Many Months to Years

Page 12: Embedding Security in IT Projects

Agile Manifesto - Values

Individuals and Interactions over Processes and Tools

Working Software over Comprehensive Documentation

Customer Collaboration over Contract Negotiation

Responding to Change over Following a Plan

Reference: http://agilemanifesto.org/

Page 13: Embedding Security in IT Projects

Agile

Product Owner + Scrum Master + Scrum Team

Plan and Commit → Sprint(s) → Demo and Deliver → Inspect and Adapt

Incremental Capability

Continuous Integration

Delivered in Weeks

Accept Changes

Fail Fast, Learn, and Improve

Page 14: Embedding Security in IT Projects

IT Security Layer: IT and Business

HTTP / XHR

Business:

Roles

Responsibilities

Access Policies

Data Retention

PCI Compliance

SOX, Privacy Laws, and other Regulations

Audits

& More…

IT:

ACL

AuthC / AuthZ

Encryption

Mobility & IoT

Social Media

Data Classification

Data Access

Data at Rest & in Transit

Virus / Malware

Business Continuity

& More…

Page 15: Embedding Security in IT Projects

IT Ecosystems, Agility, and Security

Data Centers / Servers: Manual, Discrete Process

IaaS / PaaS: Semi Automated, Orchestrated, Public / Private Cloud

Public Cloud: Automated, Elastic, Scalable, Orchestrated

Layers: Apps / Services, PaaS, DB, VMs, Services, SaaS

Trend: Discrete to Continuous, Simple to Complex, Manual to Automated

Page 16: Embedding Security in IT Projects

Enabling Security in Waterfall Projects

Requirements

Design

Development

Testing

Implementation

Support

Project Plan with Security Focus

Evaluate Third-party Products

Identify and document Security Risks (Business and IT, Internal and External)

Security Architecture and design review

Code Review – Automated / Deep Dive

Monitor Risks closely throughout the SDLC and Project life cycle

Page 17: Embedding Security in IT Projects

Enabling Security in Agile Projects

Security Review during Product Backlog grooming and Sprint Planning

Definition of Done for Security (Compliance and Security)

Create Security Awareness and training

Automated Code Scan for Security Vulnerabilities

Standardized and Secured Platform

Retrospective after every Sprint specifically for Security
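The "Automated Code Scan for Security Vulnerabilities" item above, and the "Code Review – Automated" item on the waterfall slide, both assume a scan that can fail a story before it is accepted. The block below is an added example, not code from the talk or from Cisco: a small pattern-based static scan wired to a security Definition of Done gate. The rule set, severities, file contents, and the `max_medium` budget are all constructed for illustration; a real pipeline would run a proper SAST tool, but the gate logic is the same.

```python
"""Pattern-based security scan used as a 'Definition of Done' gate (added example).

Constructed rules and sample files; not from the original slides. Illustrates the
shape of an automated scan that a CI job runs on every sprint's code.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    snippet: str


# Hypothetical rule set: (rule id, severity, regex). Kept deliberately small.
RULES = [
    ("hardcoded-secret", "high",
     re.compile(r"(?i)(password|passwd|secret|api_key|token)\s*=\s*['\"][^'\"]{4,}['\"]")),
    ("shell-injection", "high",
     re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True")),
    ("dangerous-eval", "high", re.compile(r"\beval\(|\bexec\(")),
    ("unsafe-deserialize", "high",
     re.compile(r"\bpickle\.loads?\(|\byaml\.load\((?![^)]*Loader)")),
    ("weak-hash", "medium", re.compile(r"\bhashlib\.(md5|sha1)\(")),
    ("tls-verify-off", "medium", re.compile(r"verify\s*=\s*False")),
]


def scan_source(path: str, text: str) -> list[Finding]:
    """Run every rule over every non-comment line of one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # skip full-line comments; a real scanner tokenizes instead
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, severity, stripped))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    findings = []
    for path, text in files.items():
        findings.extend(scan_source(path, text))
    return findings


def security_done(findings: list[Finding], max_medium: int = 0) -> bool:
    """Definition of Done: no high findings, and medium findings within budget."""
    highs = [f for f in findings if f.severity == "high"]
    mediums = [f for f in findings if f.severity == "medium"]
    return not highs and len(mediums) <= max_medium


# Constructed sample sources standing in for a sprint's changed files.
SAMPLE_FILES = {
    "app/config.py": (
        "import hashlib\n"
        'DB_PASSWORD = "hunter2-prod"\n'
        "def checksum(data):\n"
        "    return hashlib.md5(data).hexdigest()\n"
    ),
    "app/report.py": (
        "import subprocess\n"
        "import json\n"
        "def export(user_path):\n"
        '    subprocess.run("zip -r out.zip " + user_path, shell=True)\n'
        "def load_state(blob):\n"
        "    return json.loads(blob)\n"
    ),
    # Hardened version of report.py/config.py: argument list, no shell, SHA-256.
    "app/fixed.py": (
        "import hashlib\n"
        "import subprocess\n"
        "def export(user_path):\n"
        '    subprocess.run(["zip", "-r", "out.zip", user_path], check=True)\n'
        "def checksum(data):\n"
        "    return hashlib.sha256(data).hexdigest()\n"
    ),
}


if __name__ == "__main__":
    results = scan_repo(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line} [{f.severity}] {f.rule}: {f.snippet}")
    print("Security DoD:", "PASS" if security_done(results) else "FAIL")
```

The gate is what makes the scan a Definition of Done item rather than a report: the sprint's story cannot close while `security_done` returns False, and lowering `max_medium` to zero over time is how a team tightens the bar sprint by sprint.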

Page 18: Embedding Security in IT Projects

Key Takeaways: Org Level

Plan: IT Leadership, IT Security Strategies

Prepare: Governance and Policies

Predict: Analyze and Predict

Prevent: Real-time Monitoring, Alerts

Key Takeaways: Project Level

Security at Project Planning

Business & IT collaboration

Focus on People, Process, and Technology

Security awareness and training

Page 19: Embedding Security in IT Projects

IT Security - Future

Plan, Predict, Prepare, Prevent