Project Manager User Group · 2021. 6. 1. · Office of Information Services, Information Security & Privacy Office
OFFICE OF INFORMATION SERVICES
Information Security & Privacy Office
Project Manager User Group
Project Management and Security
May 19, 2021
Bryant Lister, CISSP, PMP
Bryant Lister is the Chief Information Risk Officer for ODHS/OHA
• Received PMP about 8 years ago
• Received CISSP early in 2020 (right before the pandemic shutdown)
• Has been an application developer, system analyst, project manager, development manager, and strategic manager
• Director of the Information Security & Privacy Office in the Office of Information Services for ODHS/OHA
What we will discuss today
• Project Management & Security Triangles
• Shift Left
• Project Phases – where does Security fit in?
• Project Documents – writing about Security
• Security Controls
• Security Standards & Frameworks
• Regulatory Bodies & Data Types
• Data Acronyms & Terms
• Risk Management
• Consequences of not shifting left
• Resources
Project Management & Security Triangles
Shift Left
(Figure: Security Problems vs. Project Work)
• Set up projects securely
• Security issues should be identified early
• Less cost to address/fix when found at the beginning
• Security incidents can have extreme costs
Project Phases – where does Security fit in?
There is a role for security in every phase
• Scope – what overall level of security is needed?
• Requirements – detailed security plans and needs
• Implementation – apply security controls, test for vulnerabilities
• Reports – security findings, access controls
• End – remove security rights for the project team
Project Documents – writing about Security
Standard docs
• Scope
• Plans
• Requirements
• WBS
• Schedule
• Contracts/Agreements
• Quality Metrics
• Risk Register
Special docs
• PIA (Privacy Impact Assessment)
• POAM (Plan of Action and Milestones)
• SSP (System Security Plan)
Security Controls
• Doors
• Cameras
• Card readers
• Firewalls
• Passwords
• Encryption
• Policies
• Standards
• Data classification
Security Standards & Frameworks
Security Control frameworks
• National Institute of Standards and Technology (NIST)
• Center for Internet Security (CIS) Critical Security Controls
• Control Objectives for Information and Related Technology (COBIT)
• International Standards Organization (ISO)
Statewide Information and Cyber Security Standards
• Created by Enterprise Information Services
Regulatory Bodies & Data Types
Data Acronyms & Terms
• PII, PCI, PHI, FTI
• Data Levels 1, 2, 3, 4
• Inference
• Obfuscation
Risk Management
Minimizing risk is an important part of security
Consequences of not shifting left
• Project delays and increased costs
• Security deficits cost more when fixes are implemented later
• Leaked project information
• Public perception degraded
• Integrity of project data
• Non-compliance with regulations and mandates
• Fines, penalties, rework
• Risks to information systems
• Breaches – loss of data privacy
• Malware – system disruption
• Service attacks – decreased availability
Resources
• DAS – Cybersecurity Services https://www.oregon.gov/das/OSCIO/Pages/Security.aspx
• ISO 27001 A.6.1.5 Information Security in Project Management
• Cybersecurity & Infrastructure Security Agency (CISA) https://us-cert.cisa.gov/
• Certified Security Project Manager (CSPM) https://www.securityindustry.org/professional-development/cspm-certification/
Questions