MANAGEMENT of INFORMATION SECURITY Second Edition

Learning Objectives Upon completion of this chapter, you should be able to: Understand basic project management Apply project management principles to an information security program Evaluate available project management tools Learning Objectives: Upon completion of this chapter you should be able to: Understand basic project management Apply project management principles to an information security program Evaluate available project management tools Management of Information Security, 2nd ed. - Chapter 12

Introduction Information security is a process, not a project; however, each element of an information security program must be managed as a project, even if it is an ongoing one since information security is a continuous series, or chain, of projects Some aspects of information security are not project based; rather, they are managed processes (operations) Employers are seeking individuals that couple their information security focus and skills with strong project management skills Introduction Information security is a process, not a project. However, each element of an information security program must be managed as a project, even if it is an ongoing one, so that all elements of the information security program are completed with quality deliverables, on a timely basis, and within budget. While there is no guarantee that project management and organizational skills will be part of every information security analyst position description, there is much evidence that employers are seeking individuals that couple their information security focus and skills with strong project management skills. Information security is a continuous series, or chain, of projects. As the chain progresses, the security systems development life cycle (SecSDLC) guides the management of each individual project. Some aspects of information security are not project based; rather, they are managed processes (operations) Projects are discrete sequences of activities with starting points and defined completion points. In other words, a “project is a temporary endeavor undertaken to create a unique product or service.” Management of Information Security, 2nd ed. - Chapter 12

Figure 12-1 Position Posting Management of Information Security, 2nd ed. - Chapter 12

Figure 12-2 The Information Security Program Chain Management of Information Security, 2nd ed. - Chapter 12

Project Management The Guide to the Project Management Body of Knowledge defines project management as: The application of knowledge, skills, tools, and techniques to project activities to meet project requirements Project management is accomplished through the use of processes such as: initiating, planning, executing, controlling, and closing Project management involves the temporary assemblage resources to complete a project Some projects are iterative, and occur regularly Project Management The Guide to the Project Management Body of Knowledge defines project management as: the application of knowledge, skills, tools, and techniques to project activities to meet project requirements. Project management is accomplished through the use of processes such as: initiating, planning, executing, controlling, and closing. Unlike ongoing operations, project management involves the temporary assemblage of a group that completes the project, and whose members are then released, and perhaps assigned to other projects. Some projects are iterative, and occur regularly. Benefits for organizations that make project management skills a priority include: Implementation of a methodology—such as the SecSDLC—ensures that no steps are missed. Creation of a detailed blueprint of project activities can serve as a common reference tool, and make all project team members more productive by shortening the learning curve when getting projects underway. Identification of specific responsibilities for all involved personnel lessens ambiguity and reduces confusion when individuals are assigned to new or different projects. Clear definition of project constraints, including time frame, budget, and minimum-quality requirements increases the likelihood that the project stays within them. Established measures of performance and creation of project milestones simplify project monitoring. Early identification of deviations in quality, time, or budget enables early correction In general a project is deemed a success when: It is completed on time or early as compared to the baseline project plan. It comes in at or below the expenditures planned for in the baseline budget. It meets all specifications as outlined in the approved project definition, and the deliverables are accepted by the end user and/or assigning entity. Management of Information Security, 2nd ed. - Chapter 12

Project Management (continued) Benefits for organizations that make project management skills a priority include: Implementation of a methodology Improved planning Less ambiguity about roles Simplified project monitoring Early identification of deviations in quality, time, or budget In general, a project is deemed a success when: It is completed on time or early as compared to the baseline project plan It comes in at or below the expenditures planned for in the baseline budget It meets all specifications as outlined in the approved project definition, and the deliverables are accepted by the end user and/or assigning entity Project Management The Guide to the Project Management Body of Knowledge defines project management as: the application of knowledge, skills, tools, and techniques to project activities to meet project requirements. Project management is accomplished through the use of processes such as: initiating, planning, executing, controlling, and closing. Unlike ongoing operations, project management involves the temporary assemblage of a group that completes the project, and whose members are then released, and perhaps assigned to other projects. Some projects are iterative, and occur regularly. Benefits for organizations that make project management skills a priority include: Implementation of a methodology—such as the SecSDLC—ensures that no steps are missed. Creation of a detailed blueprint of project activities can serve as a common reference tool, and make all project team members more productive by shortening the learning curve when getting projects underway. Identification of specific responsibilities for all involved personnel lessens ambiguity and reduces confusion when individuals are assigned to new or different projects. Clear definition of project constraints, including time frame, budget, and minimum-quality requirements increases the likelihood that the project stays within them. Established measures of performance and creation of project milestones simplify project monitoring. Early identification of deviations in quality, time, or budget enables early correction In general a project is deemed a success when: It is completed on time or early as compared to the baseline project plan. It comes in at or below the expenditures planned for in the baseline budget. It meets all specifications as outlined in the approved project definition, and the deliverables are accepted by the end user and/or assigning entity. Management of Information Security, 2nd ed. - Chapter 12

Applying Project Management to Security In order to apply project management to information security, you must first identify an established project management methodology While other project management approaches exist, the PMBoK is considered the industry best practice Applying Project Management to Security In order to apply project management to information security, you must first identify an established project management methodology. While other project management approaches exist, the PMBoK is considered the industry best practice. Management of Information Security, 2nd ed. - Chapter 12

Table 12-1 PMBoK Knowledge Areas Management of Information Security, 2nd ed. - Chapter 12

Table 12-1 PMBoK Knowledge Areas (continued) Management of Information Security, 2nd ed. - Chapter 12

Project Integration Management Project integration management includes the processes required to ensure that effective coordination occurs within and between the project’s many components, including personnel The major elements of the project management effort that require integration include: Development of the initial project plan Monitoring of progress as the project plan is executed Control of the revisions to the project plan Control of the changes made to resource allocations as measured performance causes adjustments to the project plan Project Integration Management Project integration management includes the processes required to ensure that effective coordination occurs within and between the project’s many components, including personnel. The major elements of the project management effort that require integration include: The development of the initial project plan Monitoring of progress as the project plan is executed Control of the revisions to the project plan Control of the changes made to resource allocations as measured performance causes adjustments to the project plan Management of Information Security, 2nd ed. - Chapter 12

Project Plan Development Project plan development is the process of integrating all of the project elements into a cohesive plan with the goal of completing the project within the allotted work time, using no more than the allotted project resources These three elements—work time, resources, and project deliverables—are core components used in the creation of the project plan Changing any one element usually affects the accuracy and reliability of the estimates of the other two, and likely means that the project plan must be revised Project Plan Development Project plan development is the process of integrating all of the project elements into a cohesive plan with the goal of completing the project within the allotted work time using no more than the allotted project resources. These three elements—work time, resources, and project deliverables—are core components used in the creation of the project plan. Changing any one element usually affects the accuracy and reliability of the estimates of other two, and likely means that the project plan must be revised. Management of Information Security, 2nd ed. - Chapter 12

Figure 12-3 Project Plan Inputs Management of Information Security, 2nd ed. - Chapter 12

Project Plan Development (continued) When integrating the disparate elements of a complex information security project, complications are likely to arise Among these complications are: Conflicts among communities of interest Far-reaching impact New technology Project Plan Development When integrating the disparate elements of a complex information security project, complications are likely to arise. Among these complications are: Conflicts among communities of interest - When business units or IT staff do not perceive the need or purpose of an information security project, they may not fully support the project. Far-reaching impact - Many information security projects span the enterprise and may affect parts of the organization that may be opposed to the project. New technology - a project may deploy technology-based controls that are new to the industry as well as new to the organization. Management of Information Security, 2nd ed. - Chapter 12

Project Scope Management Project scope management ensures that the project plan includes only those activities necessary to complete it Scope is the quantity or quality of project deliverables expanding from the original plan Includes: Initiation Scope planning Scope definition Scope verification Scope change control Project Scope Management Project scope management includes the processes required to ensure that the project plan includes those activities—and only those activities—necessary to complete it. Scope creep occurs when the quantity or quality of project deliverables is expanded from the original project plan. The major processes of this stage include: Initiation Scope planning Scope definition Scope verification Scope change control Management of Information Security, 2nd ed. - Chapter 12

Project Time Management Project time management ensures that the project is finished by the identified completion date while meeting objectives The failure to meet project deadlines is among the most frequently cited failures in project management Many missed deadlines are rooted in poor planning Includes the following processes: Activity definition Activity sequencing Activity duration estimating Schedule development Schedule control Project Time Management Project time management includes the processes required to ensure that the project is finished by the identified completion date while meeting its objectives. The failure to meet project deadlines is one of the most frequently cited failures in project management. Many missed deadlines are rooted in poor planning. This area includes the following processes: Activity definition Activity sequencing Activity duration estimating Schedule development Schedule control Management of Information Security, 2nd ed. - Chapter 12

Project Cost Management Project cost management ensures that a project is completed within the resource constraints Some projects are planned using only a financial budget from which all resources must be procured Includes the following processes: Resource planning Cost estimating Cost budgeting Cost control Project Cost Management Project cost management includes the processes required to ensure that a project is completed within the resource constraints placed upon it. Some projects are planned using only a financial budget from which all resources must be procured, other are planned with no formal budget. This management area includes the following processes: Resource planning Cost estimating Cost budgeting Cost control Management of Information Security, 2nd ed. - Chapter 12

Project Quality Management Project quality management ensures that the project adequately meets project specifications If project deliverables meet requirements specified in the project plan, the project has met its quality objective A good plan defines project deliverables in unambiguous terms against which actual results are easily compared Includes: Quality planning Quality assurance Quality control Project Quality Management Project quality management includes the processes required to ensure that the project adequately meets the project specifications. If the project deliverables meet the requirements specified in the project plan, the project has met its quality objective; if they do not, it has not met its quality objectives. A good plan defines project deliverables in unambiguous terms against which actual results are easily compared. This focus of management includes: Quality planning Quality assurance Quality control Management of Information Security, 2nd ed. - Chapter 12

Project Human Resource Management Project human resource management ensures personnel assigned to project are effectively employed Staffing a project requires careful estimates of effort required In information security projects, human resource management has unique complexities, including: Extended clearances Deploying technology new to the organization Includes: Organizational planning Staff acquisition Team development Project Human Resource Management Project human resource management includes the processes necessary to ensure the personnel assigned to a project are effectively employed. Staffing a project requires careful estimates of the number of worker hours required. In information security projects, human resource management has unique complexities, including: Extended clearances may be required. Often, information security projects deploy technology controls that are new to the organization, and so there is not a pool of resources skilled in that area from which to draw. The major processes that take place in this management area include: Organizational planning Staff acquisition Team development Management of Information Security, 2nd ed. - Chapter 12

Project Communications Management Project communications conveys details of activities associated with the project to all involved Includes the creation, distribution, classification, storage, and ultimately destruction of documents, messages, and other associated project information Includes: Communications planning Information distribution Performance reporting Administrative closure Project Communications Management Project communications management includes the processes necessary to convey the details of activities associated with the project to all involved parties. This includes the creation, distribution, classification, storage, and ultimately destruction of documents, messages, and other associated project information. The major processes associated with this area of project management include: Communications planning Information distribution Performance reporting Administrative closure Management of Information Security, 2nd ed. - Chapter 12

Project Risk Management Project risk management assesses, mitigates, manages, and reduces the impact of adverse occurrences on the project Information security projects do face risks that may be different from other types of projects Includes: Risk identification Risk quantification Risk response development Risk response control Project Risk Management Project risk management includes the processes necessary to assess, mitigate, manage, and reduce the impact of adverse occurrences on the project. Information security projects do face risks that may be different from other types of projects. The major processes involved in this area are: Risk identification Risk quantification Risk response development Risk response control Management of Information Security, 2nd ed. - Chapter 12

Project Procurement Management Project procurement acquires needed resources to complete the project Depending on common practices of organization, project managers may simply requisition resources from organization, or they may have to purchase Includes: Procurement planning Solicitation planning Solicitation Source selection Contract administration Contract closeout Project Procurement Management Project procurement management includes the processes necessary to acquire needed resources to complete the project. Depending on the common practices of the organization, project managers may simply requisition resources from the organization, or they may have to purchase them. The major processes involved in this area of project management are: Procurement planning Solicitation planning Solicitation Source selection Contract administration Contract closeout Management of Information Security, 2nd ed. - Chapter 12

Additional Project Planning Considerations Financial considerations Regardless of the information security needs within the organization, the effort that can be expended depends on the funds available Priority considerations In general, the most important information security controls in the project plan should be scheduled first Time and scheduling considerations Time can affect a project plan at dozens of points in its development Additional Project Planning Considerations Financial Considerations – Regardless of the information security needs within the organization, the effort that can be expended depends on the funds available. Priority Considerations – In general, the most important information security controls in the project plan should be scheduled first. Time and Scheduling Considerations – Time can affect a project plan at dozens of points in its development. Staffing Considerations – The lack of qualified, trained, and available personnel also constrains the project plan. Scope Considerations – In addition to the difficulty of handling so many complex tasks at one time, there are interrelated conflicts between the installation of information security controls and the daily operations of the organization. Procurement Considerations – There are a number of constraints on the selection process of equipment and services in most organizations, specifically in the selection of certain service vendors or products from manufacturers and suppliers. Organizational Feasibility Considerations – Another consideration is the ability of the organization to adapt to change. Training and Indoctrination Considerations – The size of the organization and the normal conduct of business may preclude a single large training program covering new security procedures or technologies. Technology Governance and Change Control Considerations – Technology governance is a complex process that organizations use to manage the affects and costs of technology implementation, innovation, and obsolescence. By managing the process of change the organization can: Improve communication about change across the organization. Enhance coordination among groups within the organization as change is scheduled and completed. Reduce unintended consequences by having a process to resolve potential conflicts and disruptions that uncoordinated change can introduce. Improve quality of service as potential failures are eliminated and groups work together. Assure management that all groups are complying with the organization’s policies regarding technology governance, procurement, accounting, and information security. Management of Information Security, 2nd ed. - Chapter 12

Additional Project Planning Considerations (continued) Staffing considerations The lack of qualified, trained, and available personnel also constrains the project plan Scope considerations In addition to the difficulty of handling so many complex tasks at one time, there are interrelated conflicts between the installation of information security controls and the daily operations of the organization Organizational feasibility considerations Another consideration is the ability of the organization to adapt to change Management of Information Security, 2nd ed. - Chapter 12

Additional Project Planning Considerations (continued) Procurement considerations There are a number of constraints on the selection process of equipment and services in most organizations, specifically in the selection of certain service vendors or products from manufacturers and suppliers Training and indoctrination considerations The size of the organization and the normal conduct of business may preclude a single large training program covering new security procedures or technologies Additional Project Planning Considerations Financial Considerations – Regardless of the information security needs within the organization, the effort that can be expended depends on the funds available. Priority Considerations – In general, the most important information security controls in the project plan should be scheduled first. Time and Scheduling Considerations – Time can affect a project plan at dozens of points in its development. Staffing Considerations – The lack of qualified, trained, and available personnel also constrains the project plan. Scope Considerations – In addition to the difficulty of handling so many complex tasks at one time, there are interrelated conflicts between the installation of information security controls and the daily operations of the organization. Procurement Considerations – There are a number of constraints on the selection process of equipment and services in most organizations, specifically in the selection of certain service vendors or products from manufacturers and suppliers. Organizational Feasibility Considerations – Another consideration is the ability of the organization to adapt to change. Training and Indoctrination Considerations – The size of the organization and the normal conduct of business may preclude a single large training program covering new security procedures or technologies. Technology Governance and Change Control Considerations – Technology governance is a complex process that organizations use to manage the affects and costs of technology implementation, innovation, and obsolescence. By managing the process of change the organization can: Improve communication about change across the organization. Enhance coordination among groups within the organization as change is scheduled and completed. Reduce unintended consequences by having a process to resolve potential conflicts and disruptions that uncoordinated change can introduce. Improve quality of service as potential failures are eliminated and groups work together. Assure management that all groups are complying with the organization’s policies regarding technology governance, procurement, accounting, and information security. Management of Information Security, 2nd ed. - Chapter 12

Additional Project Planning Considerations (continued) Technology governance and change control considerations Technology governance is a complex process that organizations use to manage the effects and costs of technology implementation, innovation, and obsolescence By managing the process of change, the organization can: Improve communication about change across the organization Enhance coordination among groups within the organization as change is scheduled and completed Additional Project Planning Considerations Financial Considerations – Regardless of the information security needs within the organization, the effort that can be expended depends on the funds available. Priority Considerations – In general, the most important information security controls in the project plan should be scheduled first. Time and Scheduling Considerations – Time can affect a project plan at dozens of points in its development. Staffing Considerations – The lack of qualified, trained, and available personnel also constrains the project plan. Scope Considerations – In addition to the difficulty of handling so many complex tasks at one time, there are interrelated conflicts between the installation of information security controls and the daily operations of the organization. Procurement Considerations – There are a number of constraints on the selection process of equipment and services in most organizations, specifically in the selection of certain service vendors or products from manufacturers and suppliers. Organizational Feasibility Considerations – Another consideration is the ability of the organization to adapt to change. Training and Indoctrination Considerations – The size of the organization and the normal conduct of business may preclude a single large training program covering new security procedures or technologies. Technology Governance and Change Control Considerations – Technology governance is a complex process that organizations use to manage the affects and costs of technology implementation, innovation, and obsolescence. By managing the process of change the organization can: Improve communication about change across the organization. Enhance coordination among groups within the organization as change is scheduled and completed. Reduce unintended consequences by having a process to resolve potential conflicts and disruptions that uncoordinated change can introduce. Improve quality of service as potential failures are eliminated and groups work together. Assure management that all groups are complying with the organization’s policies regarding technology governance, procurement, accounting, and information security. Management of Information Security, 2nd ed. - Chapter 12

Additional Project Planning Considerations (continued) By managing the process of change, the organization can (continued): Reduce unintended consequences by having a process to resolve potential conflicts and disruptions that uncoordinated change can introduce Improve quality of service as potential failures are eliminated and groups work together Assure management that all groups are complying with the organization’s policies regarding technology governance, procurement, accounting, and information security Management of Information Security, 2nd ed. - Chapter 12

Controlling the Project Once a project plan has been defined and all of the preparatory actions are complete, the project gets underway Supervising implementation The optimal approach is usually to designate a suitable person from the information security community of interest, because the focus is on the information security needs of the organization Controlling the Project Once a project plan has been defined and all of the preparatory actions are complete, the project gets underway. Supervising Implementation - The optimal approach is usually to designate a suitable person from the information security community of interest, because the focus is on the information security needs of the organization. Management of Information Security, 2nd ed. - Chapter 12

Executing the Plan Once a project is underway, it is managed using a process known as a negative feedback loop or cybernetic loop, which ensures that progress is measured periodically Corrective action is required in two basic situations: the estimate is flawed or performance has lagged When an estimate is flawed, as when an incorrect estimate of effort-hours is made, the plan should be corrected and downstream tasks should be updated to reflect the change When performance has lagged, correction is accomplished by adding resources, lengthening the schedule, or reducing the quality or quantity of the deliverable Executing the Plan Once a project is underway, it is managed using a process known as a negative feedback loop or cybernetic loop, which ensures that progress is measured periodically. Corrective action is required in two basic situations: the estimate is flawed, or performance has lagged. When an estimate is flawed, as when an incorrect estimate of effort-hours is made, the plan should be corrected and downstream tasks updated to reflect the change. When performance has lagged, correction is accomplished by adding resources, lengthening the schedule, or by reducing the quality or quantity of the deliverable. Management of Information Security, 2nd ed. - Chapter 12

Figure 12-4 Negative Feedback Loop Management of Information Security, 2nd ed. - Chapter 12

Executing the Plan Often a project manager can adjust one of the three following planning parameters for the task being corrected: Effort and money allocated Elapsed time or scheduling impact Quality or quantity of the deliverable Executing the Plan Often a project manager can adjust one of the three following planning parameters for the task being corrected: Effort and money allocated Elapsed time or scheduling impact Quality or quantity of the deliverable Management of Information Security, 2nd ed. - Chapter 12

Wrap-Up Project wrap-up is usually a procedural task assigned to a mid-level IT or information security manager These managers collect documentation, finalize status reports, and deliver a final report and a presentation at a wrap-up meeting The goal of the wrap-up is to resolve any pending issues, critique the overall effort, and draw conclusions about how to improve the process in future projects Wrap-Up Project wrap-up is usually a procedural task assigned to a mid-level IT or information security manager. These managers collect documentation, finalize status reports, and deliver a final report and a presentation at a wrap-up meeting. The goal of the wrap-up is to resolve any pending issues, critique the overall effort, and draw conclusions about how to improve the process in future projects. Management of Information Security, 2nd ed. - Chapter 12

Conversion Strategies Direct changeover: also known as going “cold turkey,” a direct changeover involves stopping the old method and beginning the new Phased implementation is the most common approach and involves rolling out a piece of the system across the entire organization Pilot implementation involves implementing all security improvements in a single office, department, or division, and resolving issues within that group before expanding to the rest of the organization Parallel operation involves running the new methods alongside the old methods Conversion Strategies Direct changeover; also known as going “cold turkey,” a direct changeover involves stopping the old method and beginning the new. Phased implementation is the most common approach and involves rolling out a piece of the system across the entire organization. Pilot implementation involves implementing all security improvements in a single office, department, or division, and resolving issues within that group before expanding to the rest of the organization. Parallel operation involves running the new methods alongside the old methods. Management of Information Security, 2nd ed. - Chapter 12

To Outsource or Not Just as some organizations outsource part of or all of their IT operations, so too can organizations outsource part of or all of their information security programs, especially developmental projects The expense and time it takes to develop effective information security project management skills may be beyond the reach—as well as the needs—of some organizations, and it is in their best interest to hire competent professional services Because of the complex nature of outsourcing, organizations should hire the best available specialists, and then obtain capable legal counsel to negotiate and verify the legal and technical intricacies of the contract To Outsource or Not Just as some organizations outsource part of or all of their IT operations, so too can organizations outsource part of or all of their information security programs, especially developmental projects. The expense and time it takes to develop effective information security project management skills may be beyond the reach—as well as the needs—of some organizations, and it is in their best interest to hire competent professional services. Because of the complex nature of outsourcing, organizations should hire the best available specialists, and then obtain capable legal counsel to negotiate and verify the legal and technical intricacies of the contract. Management of Information Security, 2nd ed. - Chapter 12

Dealing with Change The prospect of change can cause employees to be unconsciously or consciously resistant By understanding and applying change management, you can lower the resistance to change, and even build resilience for change One of the oldest models of change management is the Lewin change model, which consists of: Unfreezing - the thawing of hard and fast habits and established procedures Moving - the transition between the old and new ways Refreezing - the integration of the new methods into the organizational culture Dealing with Change The prospect of change can cause employees to be unconsciously or consciously resistant. By understanding and applying change management, you can lower the resistance to change, and even build resilience for change. One of the oldest models of change management is the Lewin change model, which consists of: Unfreezing - the thawing of hard and fast habits and established procedures. Moving - the transition between the old and new ways. Refreezing - the integration of the new methods into the organizational culture. Management of Information Security, 2nd ed. - Chapter 12

Unfreezing Phases Disconfirmation Induction of survival guilt or survival anxiety Creation of psychological safety or overcoming learning anxiety Unfreezing Phases Disconfirmation Induction of survival guilt or survival anxiety Creation of psychological safety or overcoming learning anxiety Management of Information Security, 2nd ed. - Chapter 12

Moving Phases Cognitive redefinition Imitation and positive or defensive identification with a role model Scanning (also called insight, or trial-and-error learning) Moving Phases Cognitive redefinition Imitation and positive or defensive identification with a role model Scanning (also called insight, or trial-and-error learning) Management of Information Security, 2nd ed. - Chapter 12

Refreezing Personal refreezing occurs when each individual employee comes to an understanding that the new way of doing things is the best way Relational refreezing occurs when a group comes to a similar decision Refreezing Personal refreezing occurs when each individual employee comes to an understanding that the new way of doing things is the best way. Relational refreezing occurs when a group comes to a similar decision. Management of Information Security, 2nd ed. - Chapter 12

Considerations for Organizational Change Steps can be taken to make an organization more amenable to change Reducing resistance to change from the start Communication is the first and most crucial step The updates should also educate employees on exactly how the proposed changes will affect them, both individually and across the organization Involvement means getting key representatives from user groups to serve as members of the process Considerations for Organizational Change Steps can be taken to make an organization more amenable to change. Reducing Resistance to Change from the Start- Communication is the first and most crucial step. The updates should also educate employees on exactly how the proposed changes will affect them, both individually and across the organization. Involvement means getting key representatives from user groups to serve as members of the process. Management of Information Security, 2nd ed. - Chapter 12

Developing a Culture that Supports Change An ideal organization fosters resilience to change This resilience means the organization accepts that change is a necessary part of the culture, and that embracing change is more productive than fighting it To develop such a culture, the organization must successfully accomplish many projects that require change A resilient culture can be either cultivated or undermined by management’s approach Developing a Culture that Supports Change An ideal organization fosters resilience to change. This resilience means the organization accepts that change is a necessary part of the culture, and that embracing change is more productive than fighting it. To develop such a culture, the organization must successfully accomplish many projects that require change. A resilient culture can be either cultivated or undermined by management’s approach. Management of Information Security, 2nd ed. - Chapter 12

Project Management Tools There are many tools that support the management of the diverse resources in complex projects Most project managers combine software tools that implement one or more of the dominant modeling approaches The most successful project managers gain sufficient skill and experience to earn a certificate in project management The Project Management Institute (PMI) is project management’s leading global professional association, and sponsors two certificate programs: The Project Management Professional (PMP) Certified Associate in Project Management (CAPM) Project Management Tools There are many tools that support the management of the diverse resources in complex projects. Most project managers combine software tools that implement one or more of the dominant modeling approaches. The most successful project managers gain sufficient skill and experience to earn a certificate in project management. The Project Management Institute (PMI) is project management’s leading global professional association, and sponsors two certificate programs: The Project Management Professional (PMP) Certified Associate in Project Management (CAPM) Most project managers engaged in the execution of project plans that are nontrivial in scope use tools to facilitate scheduling and execution of the project. Using complex project management tools often results in a complication called “projectitis,” which occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work. The development of an overly elegant, microscopically detailed plan before gaining consensus for the work and related coordinated activities that it requires may be a precursor to projectitis. Management of Information Security, 2nd ed. - Chapter 12

Project Management Tools (continued) Most project managers engaged in the execution of project plans that are nontrivial in scope use tools to facilitate scheduling and execution of the project Using complex project management tools often results in a complication called “projectitis,” which occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work The development of an overly elegant, microscopically detailed plan before gaining consensus for the work and related coordinated activities that it requires may be a precursor to projectitis Project Management Tools There are many tools that support the management of the diverse resources in complex projects. Most project managers combine software tools that implement one or more of the dominant modeling approaches. The most successful project managers gain sufficient skill and experience to earn a certificate in project management. The Project Management Institute (PMI) is project management’s leading global professional association, and sponsors two certificate programs: The Project Management Professional (PMP) Certified Associate in Project Management (CAPM) Most project managers engaged in the execution of project plans that are nontrivial in scope use tools to facilitate scheduling and execution of the project. Using complex project management tools often results in a complication called “projectitis,” which occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work. The development of an overly elegant, microscopically detailed plan before gaining consensus for the work and related coordinated activities that it requires may be a precursor to projectitis. Management of Information Security, 2nd ed. - Chapter 12

Work Breakdown Structure A project plan can be created using a very simple planning tool, such as the work breakdown structure (WBS) In the WBS approach, the project plan is first broken down into a few major tasks Each of these major tasks is placed on the WBS task list Work Breakdown Structure A project plan can be created using a very simple planning tool, such as the work breakdown structure (WBS). In the WBS approach, the project plan is first broken down into a few major tasks. Each of these major tasks is placed on the WBS task list. Management of Information Security, 2nd ed. - Chapter 12

Work Breakdown Structure (continued) The minimum attributes that should be determined for each task are: The work to be accomplished (activities and deliverables) Estimated amount of effort required for completion in hours or workdays The common or specialty skills needed to perform the task Task interdependencies Work Breakdown Structure The minimum attributes that should be determined for each task are: The work to be accomplished (activities and deliverables) Estimated amount of effort required for completion in hours or workdays The common or specialty skills needed to perform the task Task interdependencies As the project plan develops, additional attributes can be added, including: Estimated capital expenses for the task Estimated noncapital expenses for the task Task assignment according to specific skills Start and end dates, once tasks have been sequenced and dates projected Work To Be Accomplished - The first step in the WBS is to identify the work to be accomplished in the task or task area. This encompasses both activities and deliverables. Amount of Effort - Planners need to estimate the effort required to complete each task, subtask, or action step. Skill Sets/Human Resources - The project planner should describe the skill set or individual (often called a human resource) needed to accomplish the task. Instead of assigning individuals, the plan should focus on roles or known skill sets. Task Dependencies - Planners should note wherever possible when a task or action step is dependent upon other tasks or actions steps. Estimated Capital Expenses - Planners need to estimate the expected capital expenses for the completion of each task, subtask, or action item. Estimated Noncapital Expenses - Planners need to estimate the expected noncapital expenses for the completion of each task, subtask, or action item. Start and End Dates - In the early stages of planning, the project planner should focus on determining completion dates only for major milestones within the project. A milestone is a specific task completion point in the project plan that has a noticeable effect on the progress of the project plan as a whole. Management of Information Security, 2nd ed. - Chapter 12

Work Breakdown Structure (continued) As the project plan develops, additional attributes can be added, including: Estimated capital expenses for the task Estimated noncapital expenses for the task Task assignment according to specific skills Start and end dates Work to be accomplished Amount of effort Skill sets/human resources Task dependencies Work Breakdown Structure As the project plan develops, additional attributes can be added, including: Estimated capital expenses for the task Estimated noncapital expenses for the task Task assignment according to specific skills Start and end dates, once tasks have been sequenced and dates projected Work To Be Accomplished - The first step in the WBS is to identify the work to be accomplished in the task or task area. This encompasses both activities and deliverables. Amount of Effort - Planners need to estimate the effort required to complete each task, subtask, or action step. Skill Sets/Human Resources - The project planner should describe the skill set or individual (often called a human resource) needed to accomplish the task. Instead of assigning individuals, the plan should focus on roles or known skill sets. Task Dependencies - Planners should note wherever possible when a task or action step is dependent upon other tasks or actions steps. Estimated Capital Expenses - Planners need to estimate the expected capital expenses for the completion of each task, subtask, or action item. Estimated Noncapital Expenses - Planners need to estimate the expected noncapital expenses for the completion of each task, subtask, or action item. Start and End Dates - In the early stages of planning, the project planner should focus on determining completion dates only for major milestones within the project. A milestone is a specific task completion point in the project plan that has a noticeable effect on the progress of the project plan as a whole. Management of Information Security, 2nd ed. - Chapter 12

Work Phase Once the project manager has completed the WBS by breaking tasks into subtasks, estimating effort, and forecasting the necessary resources, the work phase—during which the project deliverables are prepared—may begin Next Step Once the project manager has completed the WBS by breaking tasks into subtasks, estimating effort, and forecasting the necessary resources, the work phase—during which the project deliverables are prepared—may begin. Management of Information Security, 2nd ed. - Chapter 12

Table 12-2 Early Draft WBS Management of Information Security, 2nd ed. - Chapter 12

Table 12-2 Early Draft WBS (continued) Management of Information Security, 2nd ed. - Chapter 12

Table 12-3 Later Draft WBS Management of Information Security, 2nd ed. - Chapter 12

Task-Sequencing Approaches Once a project reaches even a relatively modest size, say a few dozen tasks, there can be almost innumerable possibilities for task assignment and scheduling A number of approaches are available to assist the project manager in this sequencing effort Task-Sequencing Approaches Once a project reaches even a relatively modest size, say a few dozen tasks, there can be almost innumerable possibilities for task assignment and scheduling. A number of approaches are available to assist the project manager in this sequencing effort. Management of Information Security, 2nd ed. - Chapter 12

Network Scheduling One method for sequencing tasks and subtasks in a project plan is known as network scheduling Network refers to the web of possible pathways to project completion from the beginning task to the ending task Network Scheduling One method for sequencing tasks and subtasks in a project plan is known as network scheduling. “Network” refers to the web of possible pathways to project completion from the beginning task to the ending task. Management of Information Security, 2nd ed. - Chapter 12

Figure 12-5 Simple Network Dependency Management of Information Security, 2nd ed. - Chapter 12

Figure 12-6 Complex Network Dependency Management of Information Security, 2nd ed. - Chapter 12

Program Evaluation and Review Technique (PERT) PERT, the most popular networking dependency diagramming techniques, was originally developed in the late 1950s to meet the needs of rapidly expanding government-driven engineering projects About the same time, a similar project, called the Critical Path Method, was being developed in industry It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity: How long will this activity take? What activity occurs immediately before this activity can take place? What activity occurs immediately after this activity? PERT The most popular of networking dependency diagramming techniques is the Program Evaluation and Review Technique (PERT), originally developed in the late 1950s to meet the needs of the rapidly expanding government-driven engineering projects. About the same time, a similar project, called the Critical Path Method, was being developed in industry. It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity: How long will this activity take? What activity occurs immediately before this activity can take place? What activity occurs immediately after this activity? By determining the path through the various activities, you can determine the critical path - the sequence of events or activities that requires the longest duration to complete – and thus the series of events or activities that cannot be delayed without delaying the entire project. As each possible path through the project is analyzed, the difference in time between the critical path and any other path - slack time - an indication of how much time is available for starting a noncritical task without delaying the project as a whole. Should a delay be introduced, whether due to poor estimation of time, unexpected events, or the need to reassign resources to other paths such as the critical path, the tasks with slack time are the logical candidates for delay. There are several advantages to the PERT method: Makes planning large projects easier by facilitating the identification of pre- and post- activities Allows planning to determine the probability of meeting requirements Anticipates the impact of changes on the system Presents information in a straightforward format that both technical and non-technical managers can understand and refer to in planning discussions Requires no formal training. Disadvantages of the PERT method include: Diagrams can become awkward and cumbersome, especially in very large projects. Diagrams can become expensive to develop and maintain, due to the complexities of some project development processes. Can be difficult to place an accurate “time to complete” on some tasks, especially in the initial construction of a project; inaccurate estimates invalidate any close critical path calculations. Management of Information Security, 2nd ed. - Chapter 12

Program Evaluation and Review Technique (PERT) (continued) By determining the path through the various activities, you can determine the critical path As each possible path through the project is analyzed, the difference in time between the critical path and any other path is the slack time An indication of how much time is available for starting a noncritical task without delaying the project as a whole Should a delay be introduced, due to poor estimation of time, unexpected events, or the need to reassign resources to other paths such as the critical path, the tasks with slack time are the logical candidates for delay PERT The most popular of networking dependency diagramming techniques is the Program Evaluation and Review Technique (PERT), originally developed in the late 1950s to meet the needs of the rapidly expanding government-driven engineering projects. About the same time, a similar project, called the Critical Path Method, was being developed in industry. It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity: How long will this activity take? What activity occurs immediately before this activity can take place? What activity occurs immediately after this activity? By determining the path through the various activities, you can determine the critical path - the sequence of events or activities that requires the longest duration to complete – and thus the series of events or activities that cannot be delayed without delaying the entire project. As each possible path through the project is analyzed, the difference in time between the critical path and any other path - slack time - an indication of how much time is available for starting a noncritical task without delaying the project as a whole. Should a delay be introduced, whether due to poor estimation of time, unexpected events, or the need to reassign resources to other paths such as the critical path, the tasks with slack time are the logical candidates for delay. There are several advantages to the PERT method: Makes planning large projects easier by facilitating the identification of pre- and post- activities Allows planning to determine the probability of meeting requirements Anticipates the impact of changes on the system Presents information in a straightforward format that both technical and non-technical managers can understand and refer to in planning discussions Requires no formal training. Disadvantages of the PERT method include: Diagrams can become awkward and cumbersome, especially in very large projects. Diagrams can become expensive to develop and maintain, due to the complexities of some project development processes. Can be difficult to place an accurate “time to complete” on some tasks, especially in the initial construction of a project; inaccurate estimates invalidate any close critical path calculations. Management of Information Security, 2nd ed. - Chapter 12

PERT Advantages There are several advantages to the PERT method: Makes planning large projects easier by facilitating the identification of pre- and post-activities Allows planning to determine the probability of meeting requirements Anticipates the impact of changes on the system Presents information in a straightforward format that both technical and nontechnical managers can understand and refer to in planning discussions Requires no formal training PERT The most popular of networking dependency diagramming techniques is the Program Evaluation and Review Technique (PERT), originally developed in the late 1950s to meet the needs of the rapidly expanding government-driven engineering projects. About the same time, a similar project, called the Critical Path Method, was being developed in industry. It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity: How long will this activity take? What activity occurs immediately before this activity can take place? What activity occurs immediately after this activity? By determining the path through the various activities, you can determine the critical path - the sequence of events or activities that requires the longest duration to complete – and thus the series of events or activities that cannot be delayed without delaying the entire project. As each possible path through the project is analyzed, the difference in time between the critical path and any other path - slack time - an indication of how much time is available for starting a noncritical task without delaying the project as a whole. Should a delay be introduced, whether due to poor estimation of time, unexpected events, or the need to reassign resources to other paths such as the critical path, the tasks with slack time are the logical candidates for delay. There are several advantages to the PERT method: Makes planning large projects easier by facilitating the identification of pre- and post- activities Allows planning to determine the probability of meeting requirements Anticipates the impact of changes on the system Presents information in a straightforward format that both technical and non-technical managers can understand and refer to in planning discussions Requires no formal training. Disadvantages of the PERT method include: Diagrams can become awkward and cumbersome, especially in very large projects. Diagrams can become expensive to develop and maintain, due to the complexities of some project development processes. Can be difficult to place an accurate “time to complete” on some tasks, especially in the initial construction of a project; inaccurate estimates invalidate any close critical path calculations. Management of Information Security, 2nd ed. - Chapter 12

PERT Disadvantages Disadvantages of the PERT method include: Diagrams can become awkward and cumbersome, especially in very large projects Diagrams can become expensive to develop and maintain, due to the complexities of some project development processes Can be difficult to place an accurate “time to complete” on some tasks, especially in the initial construction of a project; inaccurate estimates invalidate any close critical path calculations PERT The most popular of networking dependency diagramming techniques is the Program Evaluation and Review Technique (PERT), originally developed in the late 1950s to meet the needs of the rapidly expanding government-driven engineering projects. About the same time, a similar project, called the Critical Path Method, was being developed in industry. It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity: How long will this activity take? What activity occurs immediately before this activity can take place? What activity occurs immediately after this activity? By determining the path through the various activities, you can determine the critical path - the sequence of events or activities that requires the longest duration to complete – and thus the series of events or activities that cannot be delayed without delaying the entire project. As each possible path through the project is analyzed, the difference in time between the critical path and any other path - slack time - an indication of how much time is available for starting a noncritical task without delaying the project as a whole. Should a delay be introduced, whether due to poor estimation of time, unexpected events, or the need to reassign resources to other paths such as the critical path, the tasks with slack time are the logical candidates for delay. There are several advantages to the PERT method: Makes planning large projects easier by facilitating the identification of pre- and post- activities Allows planning to determine the probability of meeting requirements Anticipates the impact of changes on the system Presents information in a straightforward format that both technical and non-technical managers can understand and refer to in planning discussions Requires no formal training. Disadvantages of the PERT method include: Diagrams can become awkward and cumbersome, especially in very large projects. Diagrams can become expensive to develop and maintain, due to the complexities of some project development processes. Can be difficult to place an accurate “time to complete” on some tasks, especially in the initial construction of a project; inaccurate estimates invalidate any close critical path calculations. Management of Information Security, 2nd ed. - Chapter 12

Figure 12-7 PERT Example Management of Information Security, 2nd ed. - Chapter 12

Gantt Chart Another popular project management tool is the bar or Gantt chart, named for Henry Gantt, who developed this method in the early 1900s Like network diagrams, Gantt charts are easy to read and understand, and thus easy to present to management These simple bar charts are even easier to design and implement than the PERT diagrams, and yield much of the same information The Gantt chart lists activities on the vertical axis of a bar chart, and provides a simple time line on the horizontal axis Gantt Chart Another popular project management tools is the bar or Gantt chart, named for Henry Gantt, who developed this method in the early 1900s. Like network diagrams, Gantt charts are easy to read and understand, and thus easy to present to management. These simple bar charts are even easier to design and implement than the PERT diagrams, and yield much of the same information. The Gantt chart lists activities on the vertical axis of a bar chart, and provides a simple time line on the horizontal axis. Management of Information Security, 2nd ed. - Chapter 12

Figure 12-8 Project Gantt Chart Management of Information Security, 2nd ed. - Chapter 12

Automated Project Tools Microsoft Project is a widely used project management tool If you’re considering using an automated project management tool, keep the following in mind: A software program cannot take the place of a skilled and experienced project manager who understands how to define tasks, allocate scarce resources, and manage the resources that are assigned A software tool can get in the way of the work Choose a tool that you can use effectively Automated Project Tools Microsoft Project is a commonly used project management tool. If you’re considering using an automated project management tool, keep the following in mind: A software program cannot take the place of a skilled and experienced project manager who understands how to define tasks, allocate scarce resources, and manage the resources that are assigned. A software tool can get in the way of the work. Choose a tool that you can use effectively. Management of Information Security, 2nd ed. - Chapter 12

Summary Introduction Project Management Applying Project Management to Security Project Management Tools Management of Information Security, 2nd ed. - Chapter 12