Information Security (InfoSec) in Project Management (PM) refers to the protection of confidentiality, integrity and availability of project information.
Scope, time, cost and quality are always considered to be the critical project success factors. However, with my few years of PM experience, I have realized that InfoSec is one of the critical factors for project success. Disappointingly, the major PM standards, i.e. PRojects IN Controlled Environments (PRINCE2), the Project Management Body of Knowledge (PMBOK) Guide and ISO 21500 (Guidance on Project Management), all disregard InfoSec. They only discuss risk management, which is a much broader area. Likewise, the various PM methodologies (Agile, Waterfall, Six Sigma etc.) all exclude any discussion of InfoSec.
It is only the ISO 27001:2013 (InfoSec Management System) standard that discusses InfoSec in PM. Control A.6.1.5 of the standard stipulates that InfoSec needs to be tackled in PM, irrespective of the nature of the project. This control seeks to address the security vulnerabilities in PM with emphasis on identifying, addressing and managing InfoSec risks as part of a project.
One of my research studies, conducted in 2014, had the following objectives:
Out of the 70 respondents, 75.7% had adequate knowledge of InfoSec and 98.6% regarded InfoSec as an important factor in managing IT projects. However, when respondents were asked to rank scope, time, cost, InfoSec and quality in order of importance, scope, cost, quality, time and InfoSec were ranked 1st, 2nd, 3rd, 4th and 5th respectively. It is evident from the findings that, although IT P-Ms regard InfoSec as an important factor in PM, they place the least value on it.
Stellingwerf & Zandhuis (2013) have mentioned that 20% of the world's GDP, or over $12 trillion, will be spent on projects each year between 2010–2020. How do we best protect these huge investments to ensure projects are successfully completed? Since projects in organizations are usually carried out for strategic business goals and competitive advantage, InfoSec must be a top priority of any Project Manager (P-M). When confidential or priceless business information is distorted or gets into the hands of competitors, it can put the business at a great disadvantage. Confidential business information getting into the hands of non-competitors is still more secure than it getting into the hands of competitors.
InfoSec is vital and is needed in all the PM process groups, from initiation to the closing stage. By including InfoSec considerations in every stage of a project, P-Ms will be capable of delivering better and more secure projects for competitive advantage. According to Pruitt (2013), a secure project can be delivered when the opportunity is taken at the initial phase, during the initiating and planning of a project. Keeping the end (i.e. the delivery of a secure project) in mind at the start of a project will avoid expensive budget, scope and schedule effects. In order to accomplish the execution of a secure project, it is important to involve InfoSec professionals from the time the idea for the project is conceived. According to Monique (2015), building security and privacy controls into the design of a project is the cheapest way to build security into projects. It will be more expensive to do this later in the project, and doing so would greatly diminish the return on investment of the project.
Handling security of information in projects
Projects are increasingly becoming dependent on information systems (IS), which usually contain vulnerabilities and security flaws. When vulnerabilities are exploited, it can adversely affect the success of projects. The best way to prevent InfoSec breaches is to have a project team that is conscious of InfoSec and uses IS judiciously. At the closing phase of projects, information is usually migrated, preserved or disposed of from systems. When these activities are performed improperly, they can be a catalyst for unauthorized disclosure of sensitive and priceless business information.
To guarantee InfoSec in PM, the communications plan must be given the foremost consideration. The plan needs to provide guidelines and technical standards for the different communication channels, and not only the methods and frequency of communication. According to Crawley (2013), communication is the bedrock of PM, and communication channels carry the risk of exposing confidential project information. Sending e-mails to the wrong recipients or misplacing mobile computers associated with projects are all threats to InfoSec in PM.
It is recommended that equal attention is given to InfoSec as is accorded to the critical factors of PM. InfoSec should, therefore, be regarded as an indispensable factor in managing projects, to help pursue and protect the strategic business goals of organizations.
Discussion of InfoSec should be included in the PM standards and methodologies to help secure project information. According to Monique (2015), InfoSec activities should be incorporated into the PM methodology to ensure that threats are identified, evaluated, addressed and managed as part of projects.