PM Toolbox 2.0: Managing Information Risk for Agile & DevOps

Amalia Barthel, Raluca Blidaru, Carlos Chalico, September 29th 2018

Transcript

Page 1

Amalia Barthel, Raluca Blidaru, Carlos Chalico, September 29th 2018

PM Toolbox 2.0: Managing Information Risk for Agile & DevOps

Page 2

WELCOME!

Page 3

Agenda

Section | Presenter | Time
Breakfast | | 8:00 – 8:30 am
Welcome and Introductions | PMI | 8:30 am
Overview of Information Security Key Concepts | Carlos Chalico | 8:45 – 9:05
Information Security Alignment with IT Governance | Carlos Chalico | 9:05 – 9:35
Break | | 10 min
Introduction to DevOps: fit within other approaches (Waterfall and Agile environments) | Raluca Blidaru | 9:45 – 10:00
DevOps and Traditional Project Management | Amalia Barthel | 10:00 – 10:25
Overview of Integrated Cybersecurity Risk Management | Carlos Chalico | 10:25 – 10:50
Break | | 10 min
Cybersecurity and Project Risk Management | Amalia Barthel | 11:00 – 11:15
Putting It All Together: Security, DevOps and Risk Management | Raluca Blidaru | 11:15 – 11:30
Break | | 10 min
Key Take-Aways | Amalia Barthel | 11:40 – 12:05
Q&A | All | 12:05 – 12:20
Closing | PMI | 12:20 – 12:30

Page 4

Amalia Barthel, 20+ years

Certifications: CISM, CRISC, PMP, LSigma, CIPT, CIPM

Page 5

Raluca Blidaru, 10+ years

Certifications: CISA, CRISC, CISM, GSEC, CISSP, CIPT, PMP

Page 6

Carlos Chalico, 20+ years

Certifications: CISA, CISSP, CISM, ISO 27001 LA, CGEIT, CRISC, PbDA

@carloschalico

Page 7

OVERVIEW OF INFORMATION SECURITY KEY CONCEPTS

Page 8

Data vs. Information

Levels shown: Data, Information, Knowledge, Intelligence

Data: the lowest level of abstraction, from which information and then knowledge are derived.

Information: a sequence of symbols (data) that can be interpreted as a message.

Knowledge: acquaintance with facts, truths or principles.

Page 9

Why?

Page 10

Automated data processing is growing

Page 11

Things are getting connected

Source: CISCO, 2011

Page 12

What?

Page 13

What to protect?

Scopes shown: Information Governance, Information Protection, Information Security, Cybersecurity (Electronic)

Properties shown: Confidentiality, Integrity, Availability, Authentication, Nonrepudiation, Privacy

Page 14

Security Gap

Page 15

IT is important!

Page 16

How?

Page 17

Related Frameworks

TARA, COSO, Val IT, Risk IT, NIST, ISO 38500, COBIT

Page 18

INFORMATION SECURITY ALIGNMENT WITH INFORMATION GOVERNANCE

Page 19

Information Governance

Page 20

ISACA, where COBIT comes from

• Founded in 1969, as the EDP Auditors Association
• Evolved to the Information Systems Audit and Control Association
• More than 140,000 members in over 180 countries
• Over 200 chapters worldwide
• Toronto Chapter has over 2,800 members, largest in Canada
• Developed COBIT and Cybersecurity Nexus
• Four industry-leading certifications:

Page 21

COBIT History (evolution of scope)

A business framework from ISACA, at www.isaca.org/cobit

COBIT 1 (1996): Audit
COBIT 2 (1998): Control
COBIT 3 (2000): Management
COBIT 4.0/4.1 (2005/7): IT Governance
Val IT 2.0 (2008), Risk IT (2009)
2012: COBIT 5

© 2012 ISACA® All rights reserved.

Page 22

COBIT 5

Page 23

COBIT 5

Page 24

COBIT 5

Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Page 25

COBIT 5

Page 26

COBIT 5

Page 27

What's the challenge now?

Page 28

INTRODUCTION TO DEVOPS

Page 29

What is DevOps?

“Devs are from Venus. Ops are from Mars” - Steve Haines

Page 30

From Waterfall to Agile, to DevOps

Page 31

“Growing” from Agile to DevOps

https://en.wikipedia.org/wiki/DevOps

https://bikeshsrivastava.blogspot.com/2017/01/part-43what-is-agile-methodology.html

Page 32

Why DevOps?

Page 33

Goals of DevOps

Page 34

How does DevOps work?

DEV + OPS (+ UX)

Page 35

Where does Risk fit in DevOps?

● Security built-in
● Risk management frameworks
● Compliance audit processes

Page 36

Break – 10 minutes

Page 37

DEVOPS AND TRADITIONAL PROJECT MANAGEMENT

Page 38

OK: WHY DevOps?

• IT Enterprises need to compete – who has time for regular development?
• Agility vs. Stability: customers are demanding better products, more features, RIGHT NOW!!!
• Information is the new GOLD which enables products on the market
• Applications are a highway for information exchanges and business gains
• Strategic IT Leaders win but their budgets are shrinking: shared infrastructure!
• IT Leaders are pressured to better align IT with Business Goals & support revenue generation
• Information Governance: know what data you have, where, who has access to it, who needs to have access to it, how do we monetize it?

CONFIDENTIAL

Page 39

Project Managers

• Manage projects which produce a product or a result IN SUPPORT of a Business objective
• Understand application development, QA, testing, release into production
• Practice Risk Management
• Motivate Teams
• Facilitate learning and exchange of information between team members
• Are great communicators

Page 40

Does DevOps mean?

• No planning? ADAPTIVE LEARNING
• No change control? ADAPTIVE PLANNING
• No documentation? Code documentation requirements
• No meetings? SHORT AND FOCUSED MEETINGS
• No process? VERY WELL DEFINED PROCESS
• Bullet proof? INTEGRATE & FAIL OFTEN
• Just need to know how to code? DEVELOPER SECURITY TRAINING
• No project manager? Developers run amok???

Page 41

Project Manager Strengths… and Opportunities

• Need to create a CULTURE of DevOps (what does “culture” mean?)
• Focus on software development delivery success
• Integrate Quality into delivery
• Ability to react rapidly and adjust to a fast pace
• Understanding Regulatory requirements (for security & privacy)
• Be conversant with “Availability” as a parameter/attribute in rapid development: performance is directly linked with availability
• Management Reports… How are the DevOps Teams prepared to support SecDevOps* (security testing tools to act as Acceptance Testing)
• Security Tools Integration

Page 42

A Culture of DevOps

• Developers need to be trained on security for DevOps
• Culture of learning (kinda’ like Lessons Learned, but Postmortems)
• NO SILOS: share the learning (blameless Postmortems)
• Proactive Product Managers: look at the history, at what you know (vulnerabilities) and push training (update the training)
• Adapting to change – the 3-Part Framework (Larry Maccherone) DevSecOps Manifesto:
  » Build Security in (*by design, not afterthought)
  » Empowered Engineer Teams (*not security specialists)
  » Implement features securely (*not security features)
  » Build on a Culture of Change (*rather than Policy Enforcement)

Page 43

The DevOps Continuum

Page 44

Just one example……

Page 45

But… Traditional vs. Agile

Traditional Project Management | Agile Project Management
Predictability, stability | Acceptance of unpredictability, adjustment to reality
Heavy bureaucracy, rigid procedures | Minimal bureaucracy, follows principles
Process driven | Activity driven
Upfront, extensive design & planning | Design & plan as needed
Sequential | Iterative and incremental
Hierarchical, top to bottom approach | Flat, lean structure
Large teams, multi-tasking | Small, empowered teams
Perfection focused | Just enough focused
Change process to follow | Quick to respond to change

Page 46

Agile… or DevOps?

• Agile works in “sprints”, each of which is considered 1 unit of code
• DevOps cannot assess the security of the application with 1 unit of code at a time: it works with chunks of code
• Chunks can be evaluated in production to understand if the functionality and security of the code was achieved
• When Agile sprints include “shippable code”, this can be evaluated for security
• It is not enough to have “shippable code”: you also need a “ready” environment to try out the code = DevOps

Page 47

DevOps Roles and Responsibilities

• Project Manager or Product Manager
• Application Developers
• Risk Management (Infrastructure Security, Code/Application Security)
• Reporting?
• Budget Tracking?
• Schedule Tracking?
• Quality Tracking?
• ????? Facilitate learning and exchange of information between team members

Page 48

DevOps Roles and Responsibilities

Layers shown, top to bottom: Business Objectives; Business capability; PLATFORM (Application environment, Infrastructure); Quality + Availability + Performance; Information Security / IT Risk Management

Page 49

Roles… cont’d

Page 50

Page 51

Waterfall vs. Agile vs. DevOps

Page 52

Page 53

OVERVIEW OF INTEGRATED CYBERSECURITY RISK MANAGEMENT

Page 54

Why is risk management important?

Diagram: Risk Management sits between the Organization, its Stakeholders and Customers, and money ($)

Page 55

What is risk?

“The possibility of an event occurring that will have an impact on the achievement of objectives, and it is typically measured in terms of likelihood and impact”

Diagram elements: Possibility, Threat, Vulnerability, Asset, Likelihood, Impact

Source: CGEIT Review Manual 2015, ISACA

Page 56

What to do with a risk?

Diagram: Risk and Control, the ideal scenario

Source: EY Mexico

Page 57

What to do with a risk?

Diagram: Risk and Control, over-controlling

Source: EY Mexico

Page 58

What to do with a risk?

Diagram: Risk, Control, and the residual (remanent) risk left after the control

Treatment options for the residual risk: Mitigate, Eliminate, Transfer, Assume

Source: EY Mexico
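A worked example of the risk vocabulary on these three slides (likelihood and impact, a control that reduces them, the residual risk that is left, and the four treatment options), added here as an illustration; it is not from the presentation or its authors. Likelihood is modelled as an annual probability and impact as a loss on the asset, so exposure is an annualised expected loss; the "over-controlling" test (a control that costs more than the exposure it removes), the risk appetite threshold, the control catalogue, the risks and the escalation rule for transfer/eliminate are all constructed assumptions for the example, not a standard.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Control:
    name: str
    threats: FrozenSet[str]    # threats the control is relevant to (constructed taxonomy)
    likelihood_factor: float   # residual likelihood = likelihood * factor, 0..1
    impact_factor: float       # residual impact = impact * factor, 0..1
    annual_cost: float         # assumed yearly cost of operating the control


@dataclass
class Risk:
    risk_id: str
    threat: str
    vulnerability: str
    asset: str
    likelihood: float          # annual probability that the threat exploits the vulnerability
    impact: float              # loss on the asset if it does, in currency units
    controls: List[Control] = field(default_factory=list)

    def inherent_exposure(self) -> float:
        """Risk before any control: likelihood x impact, i.e. annualised expected loss."""
        return self.likelihood * self.impact

    def residual_exposure(self) -> float:
        """Residual (remanent) risk: the exposure left after the applied controls."""
        likelihood, impact = self.likelihood, self.impact
        for c in self.controls:
            likelihood *= c.likelihood_factor
            impact *= c.impact_factor
        return likelihood * impact

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)

    def is_over_controlled(self) -> bool:
        """The slides' over-controlling picture: controls cost more than the exposure they remove."""
        return self.control_cost() > self.inherent_exposure() - self.residual_exposure()


def recommend_treatment(risk: Risk, appetite: float, catalogue: List[Control]) -> str:
    """Map the residual risk onto the four options: mitigate, eliminate, transfer, assume."""
    if risk.residual_exposure() <= appetite:
        return "Assume"   # accepted risk: documented and kept in the register for review
    # Mitigate: the cheapest relevant control that brings the risk within appetite
    # without over-controlling.
    candidates = []
    for c in catalogue:
        if risk.threat not in c.threats or c in risk.controls:
            continue
        trial = replace(risk, controls=risk.controls + [c])
        if trial.residual_exposure() <= appetite and not trial.is_over_controlled():
            candidates.append((c.annual_cost, c.name))
    if candidates:
        return f"Mitigate: {min(candidates)[1]}"
    # No control brings it within appetite at a sensible cost: either transfer it
    # (insurance, contract) or eliminate the activity that creates it. Both are
    # management decisions, so the register flags the risk for escalation.
    return "Transfer or Eliminate (escalate)"


def build_register(risks: List[Risk], appetite: float, catalogue: List[Control]) -> Dict[str, dict]:
    return {
        r.risk_id: {
            "inherent": r.inherent_exposure(),
            "residual": r.residual_exposure(),
            "over_controlled": r.is_over_controlled(),
            "treatment": recommend_treatment(r, appetite, catalogue),
        }
        for r in risks
    }


# Constructed catalogue, appetite and risks for the example.
CATALOGUE = [
    Control("MFA on deployment pipeline", frozenset({"credential theft"}), 0.1, 1.0, 8_000),
    Control("Tested offline backups", frozenset({"ransomware"}), 1.0, 0.4, 15_000),
    Control("Multi-region failover", frozenset({"regional cloud outage"}), 1.0, 0.3, 150_000),
]
APPETITE = 20_000   # maximum residual annual exposure the organisation will assume per risk

RISKS = [
    Risk("R1", "credential theft", "no MFA on pipeline accounts", "deployment pipeline", 0.4, 250_000),
    Risk("R2", "ransomware", "unpatched build agents", "build farm", 0.2, 50_000,
         controls=[Control("Monthly patching", frozenset({"ransomware"}), 0.25, 1.0, 6_000)]),
    Risk("R3", "defacement", "outdated CMS plugin", "marketing microsite", 0.1, 5_000,
         controls=[Control("Managed WAF", frozenset({"defacement"}), 0.2, 1.0, 12_000)]),
    Risk("R4", "regional cloud outage", "single-region deployment", "customer portal", 0.3, 400_000),
]


def example_register() -> Dict[str, dict]:
    return build_register(RISKS, APPETITE, CATALOGUE)


if __name__ == "__main__":
    for risk_id, row in example_register().items():
        print(risk_id, row)
```

R1 is above appetite and a relevant, affordable control exists, so it is mitigated; R2 is already within appetite after its patching control and is assumed; R3 is also assumed but flagged as over-controlled, because the WAF costs far more than the few hundred units of exposure it removes; R4 cannot be brought within appetite by any catalogue control, so it is escalated for a transfer or eliminate decision.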

Page 59

How?

Page 60

NIST Cybersecurity Framework

Source: NIST Cybersecurity Framework
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
http://www.nist.gov/itl/csd/the-stakeholders-have-spoken-nist-to-refine-cybersecurity-framework.cfm

Page 61

Using COBIT 5 to implement NIST CSF

NIST steps to use the CSF to implement a new cybersecurity program or maintain an existing one:

• Prioritize and scope
• Orient
• Create a current profile
• Conduct a risk assessment
• Create a target profile
• Determine, analyze and prioritize gaps
• Implement action plan

Page 62

Using COBIT 5 to implement NIST CSF

Page 63

Using COBIT 5 to implement NIST CSF

Page 64

Going beyond the CSF

Page 65

Going beyond the CSF

• Prioritize and scope
• Orient
• Create a current profile
• Conduct a risk assessment
• Create a target profile
• Determine, analyze and prioritize gaps
• Implement action plan

Page 66

Going beyond the CSF

Page 67

Summarizing

• There are valuable frameworks to help implement an effective cybersecurity risk management program.
• There are effective frameworks to integrate the cybersecurity risk management program into a broader ERM program.
• You can decide which frameworks to use.
• The most important exercise includes:
  – Understanding risk appetite and tolerance.
  – The organization’s current and future state.
  – Gaps.
  – How to close them.
• DevOps can be part of that current or future state.

Page 68

Break – 10 minutes

Page 69

CYBERSECURITY RISK AND PROJECT RISK

Page 70

History of Risk

According to Peter L. Bernstein, the dividing line between what we should call ancient times and modern times is mastering risk!*

• The earliest concept of managing risk arose because of gaming
• Gaming gave rise to probability theory
• The first actuaries worked in England as early as the 1700s
• The modern terms for managing risk arose after World War II (Risk Management: History, Definition, and Critique, by Georges Dionne)
• From the 1950s to the 1970s, the risk discipline began to expand to alternatives

* Against the Gods: The Remarkable Story of Risk

Page 71

Risks vs. Issues

Risks | Issues
Uncertain | Certain
Futuristic | Current
May impact objectives | Has/will impact objectives
Unknown impact value | Known impact value

Page 72

Organisational Risk Management

Levels shown: Strategic, Programmes, Projects, Operational

Horizons shown: Long term, Medium term, Short term

Page 73

Risk Management Overview

Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives, such as scope, schedule, cost and quality.

The objective of risk management is to increase the likelihood of positive events and decrease the likelihood of negative events that will impact the project.

Page 74

Risk Management Overview

Page 75

Projects, Programs & Portfolios in the IT Organization (COBIT 5)

Projects

Page 76

Page 77

Residual Risk in DevOps

Page 78

Project Management Risk

• Inherent in every Project Management process and activity
• Residual risk needs to be reviewed and stays in the Risk Register

Page 79

DevOps Risk Management

Page 80

Empowered DevOps Teams…

• Developers will know how to balance business risk vs. security/privacy risks → they are closer to the business
• They need to feel they are trusted: the Team knows they will do the right thing!
• The Security Team needs to provide tools and knowledge resources to help the Empowered Developer Team
• The Security Team is no longer the Gate Keeper but a trusted Advisor
• The Development Team needs to trust the Security Team to provide the right tools at the right cost/effort ratio
• The Security Team guides the Development Team on preventative security practices and assists, assists, assists with security incidents!

Page 81

DevSecOps Self Assessment

• More mature practices: green belt training, security architecture review (threat modelling?), security POC for components of the app, etc.
• DevSecOps tools: policies will stop the development unless scans are clean; use OWASP and set targets
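An added worked example of the gate policy the last bullet describes (stop the pipeline unless scans are clean, classify findings by OWASP category, set targets), written the way a practitioner might implement it; it is not the presentation's or its authors' code. It also connects to the documented accepted risks mentioned later in the deck: a finding covered by an acceptance is set aside only while that acceptance is unexpired, so an acceptance that lapses brings the finding back as a blocker. The scanner report format, the policy thresholds, the acceptance record and the sample findings are constructed for the example; the category strings are the current OWASP Top 10 (2021) names.

```python
import json
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Severity ordering used by the policy; anything not listed is rejected by the parser
# so a scanner emitting an unexpected level fails the gate instead of slipping through.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str      # low | medium | high | critical
    owasp: str         # OWASP Top 10 (2021) category the scanner mapped the rule to
    location: str      # file:line


@dataclass(frozen=True)
class AcceptedRisk:
    """A documented, time-boxed risk acceptance from the risk register (constructed format)."""
    rule_id: str
    location: str
    approved_by: str
    expires: date


@dataclass
class Policy:
    block_at: str = "high"                                       # this severity or worse always blocks
    medium_target: Dict[str, int] = field(default_factory=dict)  # per-category ceiling for mediums
    default_medium_target: int = 0                               # ceiling for categories not listed


@dataclass
class GateResult:
    passed: bool
    blocking: List[Finding]       # findings at or above the blocking severity
    over_target: Dict[str, int]   # category -> number of mediums above its target
    suppressed: List[Finding]     # findings covered by an unexpired acceptance


def parse_findings(report_json: str) -> List[Finding]:
    """Parse a scanner report in the (constructed) JSON shape used below."""
    findings = []
    for item in json.loads(report_json)["findings"]:
        severity = item["severity"].lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {item['severity']!r} on {item['rule_id']}")
        findings.append(Finding(item["rule_id"], severity, item["owasp"], item["location"]))
    return findings


def evaluate_gate(findings: List[Finding], accepted: List[AcceptedRisk],
                  policy: Policy, today: date) -> GateResult:
    """Set aside findings with an unexpired acceptance, block on high/critical,
    and count medium findings against the per-OWASP-category target."""
    active = {(a.rule_id, a.location) for a in accepted if a.expires >= today}
    suppressed = [f for f in findings if (f.rule_id, f.location) in active]
    live = [f for f in findings if (f.rule_id, f.location) not in active]
    blocking = [f for f in live
                if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[policy.block_at]]
    mediums = Counter(f.owasp for f in live if f.severity == "medium")
    over_target = {}
    for category, count in mediums.items():
        ceiling = policy.medium_target.get(category, policy.default_medium_target)
        if count > ceiling:
            over_target[category] = count - ceiling
    return GateResult(passed=not blocking and not over_target,
                      blocking=blocking, over_target=over_target, suppressed=suppressed)


# Constructed sample scan output, acceptance record and policy.
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule_id": "sqli-string-concat", "severity": "High",
     "owasp": "A03:2021-Injection", "location": "api/orders.py:42"},
    {"rule_id": "xss-reflected", "severity": "Medium",
     "owasp": "A03:2021-Injection", "location": "web/search.py:17"},
    {"rule_id": "weak-password-policy", "severity": "Medium",
     "owasp": "A07:2021-Identification and Authentication Failures", "location": "auth/policy.py:9"},
    {"rule_id": "missing-rate-limit", "severity": "Medium",
     "owasp": "A07:2021-Identification and Authentication Failures", "location": "auth/login.py:30"},
    {"rule_id": "verbose-error-page", "severity": "Low",
     "owasp": "A05:2021-Security Misconfiguration", "location": "web/app.py:3"},
    {"rule_id": "outdated-dependency", "severity": "High",
     "owasp": "A06:2021-Vulnerable and Outdated Components", "location": "requirements.txt:12"},
]})
ACCEPTED = [AcceptedRisk("outdated-dependency", "requirements.txt:12",
                         "Risk Officer (L1)", date(2019, 1, 31))]
POLICY = Policy(block_at="high",
                medium_target={"A03:2021-Injection": 0,
                               "A07:2021-Identification and Authentication Failures": 1},
                default_medium_target=2)


def demo(fixed_rules=(), today: str = "2018-09-29") -> GateResult:
    """Run the gate on the sample report, optionally treating some rules as already fixed."""
    findings = [f for f in parse_findings(SAMPLE_REPORT) if f.rule_id not in set(fixed_rules)]
    return evaluate_gate(findings, ACCEPTED, POLICY, date.fromisoformat(today))


if __name__ == "__main__":
    result = demo()
    print("passed:", result.passed)
    print("blocking:", [f.rule_id for f in result.blocking])
    print("over target:", result.over_target)
    print("suppressed by accepted risk:", [f.rule_id for f in result.suppressed])
```

On the sample report the gate fails: the SQL injection finding is high severity, and both the Injection and the Authentication categories have one medium more than their target. Fixing those three rules passes the gate with the accepted dependency finding still suppressed; running the same gate after the acceptance's expiry date brings that finding back as a blocker, which is the behaviour you want from a time-boxed acceptance.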

Page 82

PUTTING IT ALL TOGETHER – SECURITY, DEVOPS AND RISK MANAGEMENT

Page 83

Today’s story is…

Page 84

Let’s remember how everything started…

• “The Problem”: delivery time was too long.
• Testing a platform software enabling faster deployments
  • Infrastructure
  • Code
• Dev & Ops in a “platform”
  • Configuring resources programmatically
  • Pipelines for the development lifecycle
  • Automated testing (security, functional)
  • Reporting bugs automatically
  • Promotion of the code to the next environment

Page 85

PoC – Continuous Deployments

Champion Team:
• Project Managers
• Developers
• System Administrators
• Integrators
• 3rd party Consultants

Diagram labels: R&D, MVP

Scope:
• Test the platform
• Develop one Minimal Viable Product
• Reengineer processes

Page 86

The result: a Minimum Viable Product

Page 88

What Could Have Gone Wrong?

• Security is not turned on “by default”
  • Encryption, High Availability
  • Hardening, Patching, Vulnerability Management
  • Segregation of duties
  • …
• Skills are not transferred automatically
  • Architects, Developers, QA, DBAs, System Admins, …
  • Project Managers, Project Coordinators, …
• Automating the solution delivery ≠ the automation of compliance

One solution: an updated Risk Management framework

Page 89

What happened next?

Page 90

Organizational Changes

Page 91

Building the future state

Page 92

Updating the Risk Management methodology

• Risk assessments are part of the Agile processes
• Roles and responsibilities were assigned: Developers/Engineers (risk owners), Risk Officers (risk controls implementation, L1), Risk Bench Team (risk governance, L2)
• Developed Security Stories
• Created a risk-adjusted Backlog
• Documented accepted risks

Page 93

And not only…

• Cross-functional domain training:
  – The Info Risk team is trained on Agile frameworks
  – Developers, Engineers and Architects take security training
  – Product Managers learn about Information Risk Management
• Train the Trainer:
  – Project Managers become Certified Scrum Masters

Page 94

Why? To go SecDevOps.

To change this… into this:

Page 95

Questions?

Page 96

References

• ISACA, COBIT 5 & COBIT 5 for Risk, www.isaca.org
• https://medium.com/@cote/roles-and-responsibilities-for-devops-and-agile-teams-fdacbffb4cb4 (tbd)
• http://www.isaca.org/Education/Conferences/Documents/COBIT/2.3.pdf
• COBIT 5 for Information Security
• BrightTALK webcast: How to Achieve a DevSecOps Culture Using a Lean-Agile Approach (https://www.brighttalk.com/webcast/15811/330332?utm_campaign=viewing-history&utm_source=brighttalk-portal&utm_medium=web)
• https://resources.whitesourcesoftware.com/white-papers-datasheets/the-main-pillars-of-the-devops-2

Page 97

Thank you!

& SPECIAL THANKS TO UNIVERSITY OF TORONTO FOR THE VENUE

Email (contact us, questions about this presentation):
Amalia Barthel: [email protected]; [email protected]
Raluca Blidaru: [email protected]
Carlos Chalico: [email protected]; [email protected]

WEBSITE: http://www.soc.pmi.on.ca/

➢ PDUs: 2.0 Technical, 1.0 Leadership, 1.0 Strategic
➢ Interested in IT Risk Management & Cybersecurity? Visit the School of Continuing Studies – course SCS_3373