As startups seek to shorten the time to market (TTM) for their young products, security is most often an afterthought. In some cases, they ignore security considerations just to get code out of the door as quickly as possible.

In 2020 this is no longer an option. With numbers of cyberattacks rising at an unprecedented rate, organizations can no longer afford the luxury of treating security as a second-class citizen in their processes.

As a result, starting from April 2018, we have seen an increasing number of companies being attacked and ending up in bankruptcy, due to massive GDPR fines.

This article explores how (young) companies can integrate information security in their project management lifecycle.

How To Implement Security In Project Management?

Information security can be integrated into project management activities in several ways:

• Render the information security policy an indispensable part of all stages of projects
• Break down the information security policy into tangible objectives relevant to project management stages.
• Include information security objectives in project objectives.
• Perform risk assessment in early stage of projects.
• Implement security measures and apply controls in order to bring risks to acceptable levels.

For engineering teams, we can observe a clear analogy to this via the SecDevOps/DevSecOps/DevOpsSe methodology, which blurs the line between development, security, and operations teams responsibilities.

This approach seeks to implement security practices at the same scale and speed as development and operations. Consequently, organizations pay attention to security considerations throughout the whole development process: from requirements to coding, up to deployment and even maintenance. Automation can be of great assistance here, as it provides quick feedback that helps engineers fix issues as they arise.

Regardless of the size of the organization, it is particularly important to include information security in project activities targeting information confidentiality, integrity or availability.

Benefits Of Introducing Information Security In The Loop

By integrating information security practices in project management, organizations can ensure that their output comes with the highest level of security possible.

It is a well-known fact that cyber-attacks disrupt business operations and result in financial and reputational losses. Certainly, organizations must not ignore these considerations anymore. As companies' programs continue to mature over time, they realize in multiple ways that this will benefit their business operations.

To make security a higher priority, managers should address the following:

Secure Development Policy (SDP)

Secure development is a requirement to build up a secure service, architecture, software and system. This involves introducing security ino all stages of software development. Within a secure development policy, the following aspects should be put into consideration:

• Security requirements (protection of sensitive data, proper authentication)
• Secure Design
• Secure Development (peer reviews, dependency scanning)
• Secure Repositories (version control, access control)
• Secure Testing
• Secure Deployment (easy rollback, smoke tests)
• Secure Maintenance
• Secure Decommissioning (properly removing legacy applications)

Standard Operation Procedures

Operating procedures should be documented and made available to engineers. These procedures should be in place so that project managers know the security requirements for each and every phase during project phases of the life cycle and broadcast them to engineering teams. These should translate into easy to follow step-by-step instructions and be incorporated into the employee’s handbook.

Separation of production from the other environments

Many a time companies get breached because of poor configuration of development or testing environments, leaving organizations uncovered to the simplest of attacks.

This is due to the fact that most of the time development and testing environments do not have the same “production-grade” controls and configurations, such as:

• Default or insecure passwords, or even worse: no passwords
• Absence of firewalls
• Re-use of passwords/keys within multiple environments
• Open public access to dev/test environments for ease of collaboration, especially for remote engineers

Attackers tend to reach for the low-hanging fruit and go for the easy targets. Once these are compromised, it is only a matter of time until production is also compromised if it is not separated from these environments,

Development, testing and production environments should always be separated to reduce risks and threats of unauthorized access or changes to the operational environment.

Change Management

Change is a essential part of the overall PLC (Product Life Cycle) process.

A proper change management process should be documented and followed when making changes to production, as threats may occur when changes are pushed to production without proper testing.

Appropriate controls should be used:

• Configuration Management
• Signing development artefacts
• Security gates and promotions from one environment to the next one

Risk Assessment

Risk assessment explores how a component could be exploited by threats and vulnerabilities and analyzes the possible responses to such attacks in order to reduce their likelihood.

There are 4 actions that can be done on risk:

• Mitigation (reduce the probability of the event or reduce impact)
• Avoidance (change requirements so that the identified risk is removed)
• Transference (insurance, contracted agreements)
• Acceptance (measure of last resort and only for low impact and highly unlikely threats)

Malware protection

Originally created as pranks, malware (malicious software) today is specifically designed to cause harm to computers, due to the ease of monetization upon infection. There are various types of malware including viruses, worms, trojan horses, spyware, adware, keyloggers, ransomware, or any type of malicious code that infiltrates a computer in an unwanted fashion.

Most malware today is created for profit through unwanted advertising (adware), stealing sensitive or confidential information, phishing and email spamming. Various factors can make computers more vulnerable to malware attacks, including flaws in the operating system, installation of outdated, vulnerable or forbidden applications, or giving too many permissions given to non-savvy users.

Detection, prevention and recovery controls must be implemented to protect against malware. Since most of the time successful malware attacks by leveraging human error, the best protection is to start with company-wide security awareness training to prevent (the following list is non-exhaustive:

• Opening emails from suspicious sources
• Downloading and running attachments from unknown sources
• Using weak passwords
• Not keeping systems (OS and installed applications) up to date
• Keeping antivirus up to date

Link Between ISO 27001 And Information Security In Project Management?

When it comes to information security, the ISO 27001 standard even has a dedicated control for integrating information security practices in project management.

Control A.6.1.5 explicitly states:

Information security shall be addressed in project management, regardless of the type of the project.

ISO 27001 - Control A.6.1.5

In layman’s terms, ISO 27001 requires organizations to address information security concerns in every project they undertake. An often wrong interpretation of this control is to adopt a project management methodology in information security-related projects only.