IT Security Manager Responsibilities

What are the day-to-day responsibilities of an IT Security Manager?

An IT Security Manager is a technology professional who oversees the security of an organization’s information systems and networks. They are responsible for planning, implementing, and monitoring security policies and procedures to protect the organization from cyber threats and ensure compliance with relevant regulations and standards.

An IT Security Manager requires a combination of technical skills, such as knowledge of network security, encryption, firewalls, antivirus software, etc., and soft skills, such as communication, leadership, problem-solving, teamwork, etc. An IT Security Manager typically has a bachelor’s degree in computer science, information technology, cybersecurity or equivalent business experience. They may also have relevant certifications (CISSP, CISM, Security+, CASP+, CEH, etc.) to demonstrate specific skills and knowledge. An IT Security Manager may work for various types of organizations, such as government agencies, corporations, nonprofits, educational institutions, etc., depending on their industry and size.


Building a Successful Cybersecurity Strategy


A cybersecurity strategy must be driven by a top-down management emphasis on building cybersecurity into everything a company does and builds. Cybersecurity cannot be an afterthought or something that is added later; it must be designed and implemented from the first day. If you have gaps today, they must be fixed and a management system must be put into place to prevent this type of issue in the future.

The first thing you must accomplish when building a mature strategy to fix your imperfect cybersecurity status is to perform a formal risk assessment. This will allow your team to compare your existing controls against an established security framework, like NIST, SANS, or CIS. A cybersecurity framework is a predefined set of controls that are identified and defined by leading cybersecurity organizations to help you enhance cybersecurity strategies within your enterprise. This will allow you to document what cybersecurity controls are already in place and how effective they are, and what controls are missing or ineffective. Once you have accomplished this step, it allows you to focus your change effort on the controls that will have the most impact to incrementally improve security with each change to the existing environment.

Now that you have a written list of needs, you have a better understanding of where your team currently stands, including which controls are currently effective and which are missing or poorly implemented. This will also help you determine if you have the budget and personnel to make the required changes. You’ll now have a much better idea of where the biggest security gaps exist, which helps you assign a priority and schedule to each required change.

This might also be a good time to decide if outsourcing the effort, either in part or in full, might be a better solution for your business. Do you have the time and budget to train internal resources for the effort required to resolve the items identified for remediation? If you must hire new personnel, will you have time to onboard and complete orientation or training before you can start remediation of identified security issues, or should you outsource the remediation to an external resource with the experience and skill to quickly resolve your issues?


Project Management: Overview

As an information systems employee, you will eventually be assigned to a project. As a new employee, you are usually supplied with a list of assigned tasks, and you don’t worry too much about how those lists of tasks were generated, the budget of the overall project, or why the project is required. As you progress in your career you are usually more involved in projects, with a gradual increase in overall project definition, gathering requirements, and scheduling team activities. Maybe one day, you will be assigned the job of managing a project. We should discuss what project management is and what skills are required to prepare you for that job.


Generally speaking, project management is a carefully planned and organized effort to accomplish a successful project. A project is a single effort that produces a specific output, such as a major new computer program or a house. This is different from a program, which is an ongoing process, such as a quality control program, or an activity to manage a group of other projects.

The process of project management includes developing a project plan, which includes defining and confirming the project goals, documenting project objectives, identifying specific tasks, listing how individual goals will be achieved, quantifying the resources needed, and determining budgets and timelines for completion. It also includes managing the implementation of the project plan, creating and managing regular controls to ensure that there is accurate and objective information on team activity relative to the plan, and the mechanisms to implement actions to solve issues when required.

A project follows a general plan, with major phases, that guide the team from planning to development to completion of all tasks.

The key to a successful project is in accurate planning. You should create a project plan as the first step in any kind of project. Often people want to ignore project planning in favor of getting on with the work. However, those people fail to understand the value of a project plan in saving time, money, and avoiding many of the problems caused by poor planning.

Step One – Goals

A project is successful when the needs of the people asking for the project have been met. Anybody directly, or indirectly, impacted by the project is a stakeholder. The first step is to identify the stakeholders in your project. It is not always easy to identify the stakeholders of a project, particularly those impacted indirectly. Examples of stakeholders are:

  • The project sponsor.
  • The customer who will receive the project outputs.
  • The users of the project outputs.
  • The project manager and project team.

You will need a deep understanding of the needs of all the stakeholders, usually through stakeholder interviews. You will need to sit with the stakeholders and draw out the true needs that will create real benefits. Sometimes stakeholders will list needs that aren’t relevant to the project or don’t deliver business benefits. These can still be recorded and you might set those items as a low priority.

Once you have conducted all the interviews, you should have a comprehensive list of stakeholder needs. The next step is to prioritize those needs as part of the project. From the prioritised list, create a set of goals that can be measured. A technique for doing this is to review them against the SMART principle.

The acronym SMART has a number of slightly different variations, which can be used to provide a more comprehensive definition for goal setting:

S – specific

M – measurable

A – attainable

R – realistic

T – time-based

This way it will be easy to know when a goal has been achieved.

Once you have established a clear set of goals, they should be recorded in the written project plan.  This process can be the most difficult part of the project planning process.

Step Two – Deliverables

Using the goals you have defined in step one, create a list of things the project needs to deliver in order to meet those stakeholder needs. Specify when and how each item must be delivered. Add the deliverables to the project plan with an estimated delivery date. More accurate delivery dates will be established during the scheduling phase, which is next.

Step Three – Schedule

Create a list of tasks that need to be carried out for each deliverable identified in step two. For each task, identify the following:

  • The amount of effort (hours or days) required to complete the task.
  • The resource (person) who will carry out the task.

Once you have established the amount of effort for each task, you can determine the effort required for each deliverable, with an accurate delivery date. Update your deliverables section with the more accurate delivery dates as the plan is defined with more and more detail. At this point in the planning, you could choose to use a software package to create your electronic project schedule. Input all of the deliverables, tasks, durations and the resources who will complete each task and tweak the plan until it is as accurate as possible.

A common problem that should be addressed at this point is an imposed delivery deadline from a sponsor that is unrealistic, based on your estimates, because of the level of work required and/or the resources available. If you discover this is the case, you must contact the sponsor immediately. The options you have in this situation are:

  • Renegotiate the deadline (project delay).
  • Employ additional resources (increased cost).
  • Reduce the scope of the project (less delivered).

Use the project schedule to justify pursuing one of these options. Supplying alternate plans showing each option can help the sponsor make a decision.

Step Four – Plans

During the planning process, there are several plans that you should create to help track project requirements. These can be included directly in the overall plan.

Human Resource Plan

Create a list of all the individuals and organisations with a leading role in the project, identified by name. For each person, describe their roles and responsibilities in the project in as much detail as possible. Also describe the number and type of people needed, known as resources, to complete the project. For each resource, detail their start dates, estimated duration, and the method you will use for obtaining them. Sometimes resources are internal employees that are easily assigned to the project, but sometimes you will need to hire new employees with specific skills, or secure third-party resources from an external vendor.

Communications Plan

Create a document showing who needs to be kept informed about the project and how they will receive the update information. The most common mechanism is a weekly or monthly progress report, describing how the project is performing, milestones achieved, and work planned for the next period. This is an important part of the overall project management toolset to help people understand the status of the project, whether the project is getting the resources required, and whether the project is still on target for completion as projected.

Risk Management Plan

Although often overlooked, it is important to identify as many risks to your project as possible, and be prepared in advance if something bad happens. If you understand the potential risks and plan on how to address them in advance of the event, the impact to the overall project can be greatly reduced.

Here are some examples of common project risks:

  • Estimates on time or cost were too optimistic.
  • Customer slow to answer questions or stakeholder too slow to provide feedback.
  • Unexpected budget changes.
  • Unclear or changing roles and responsibilities.
  • Stakeholder input wasn’t completely documented, or their needs were not properly understood.
  • Stakeholders changed requirements after the project has started.
  • Stakeholders added new requirements after the project has started.
  • Poor communication resulting in misunderstandings.
  • Development quality problems.
  • Unable to secure proper resources.

Risks can be tracked using a simple risk log. Add each risk you have identified to your risk log; write down what you will do in the event it occurs, and what you will do to prevent it from occurring. Review your risk log on a regular basis, adding new risks as they occur during the life of the project. You can ignore risks and hope they don’t happen, or you can plan for the risk and have a solution ready to implement. The response to a specific risk might be that the entire project is cancelled.

Step Five – Execution

Once you have planned everything, it is time to deliver. A frequent complaint about the strategic planning process is that it produces documents that end up collecting dust on a shelf — the organization ignores the precious information depicted in the document.

The following guidelines will help ensure that the plan is correctly implemented.

  1. When conducting the planning process, involve the people who will be responsible for implementing the plan. Use a cross-functional team to ensure the plan is realistic and collaborative.
  2. Ensure the plan is realistic. Continue asking planning participants “Is this realistic? Can you really do this?”
  3. Organize the overall strategic plan into smaller action plans, often including an action plan for each person or team on the project.
  4. In the overall planning document, specify who is doing what and by specific deadlines.
  5. In an implementation section in the plan, specify and clarify the plan’s implementation roles and responsibilities. Be sure to detail particularly the first 30 days of the implementation of the plan. Build in regular reviews of status of the implementation of the plan.
  6. Communicate the role of follow-ups to the plan. If people know the action plans will be regularly reviewed, implementers tend to do their jobs before they’re checked on.
  7. Be sure to document and distribute the plan, including inviting review from everyone.
  8. Be sure that one person is identified as the person with ultimate responsibility for verifying the plan is enacted in a timely fashion.
  9. Place huge emphasis on feedback to the board’s executive committee from the planning participants.
  10. It might also be helpful to have pairs of people be responsible for each task. Have each partner commit to helping the other to finish the other’s tasks on time.

It’s OK to deviate from the original plan. But managers should understand the reason for the deviations and update the plan to reflect the new direction.

It is common to talk about Agile methods for modern project management processes in the context of a set of lightweight activities used to manage the development or acquisition of software. These activities include requirements, design, coding, and testing processes based on a minimal set of activities needed to reach the end goal — a working software system.

Although some of these agile development methods address the management aspects of software projects – people, processes, and technology – they are primarily focused on coding, testing, and software artifact delivery. Applying the concept of agility to the management of a software project is a natural step in the evolution of software development. One important question to be asked though is how can these minimalist approaches be applied to traditional project management activities?

Agile methods don’t replace the need for planning and forecasting, but can be helpful in the delivery phase.

Step Six – Communication

Project communication can often be more difficult due to challenges unique to project management. Many projects are short-term, and therefore project communication is temporary. This means that communications systems need to be established quickly in shorter periods of time. It is just as important to develop a communication plan for the project as it is to develop task planning.

Time and time again in post-project assessments, project team members list communication as one of the most needed areas for improvement. Many times on troubled projects, project team members feel that if the communication had been better, the project would have run smoother.

Communication not only keeps everyone updated on the project progress, but also facilitates buy-in and ownership of major project decisions and milestones. To ensure the success of a project much information (including expectations, goals, needs, resources, status reports, budgets and purchase requests) needs to be communicated on a regular basis to all the major stakeholders.

Step Seven – Project Audit

Eventually the project will end, and you should be prepared to audit your project success. It can be a painful and uncomfortable process to review your success and measure your performance. Doing this simple audit can identify those items you got wrong, and allow you to do better on the next project.

Review the original project schedule, original stakeholder requirements, and original resource requirements and compare those documents to the eventual schedule (did you accurately predict the project timeline), final stakeholder requirements (did you do a good job of identifying all the stakeholder requirements and needs), and the final resources (did you accurately identify all the resources required).

Based on these comparisons, you might identify those tasks that you were really good at identifying, or items that you were poor at documenting correctly. The goal of the audit isn’t to identify blame or admonish mistakes, but to identify opportunities for improvement.

As a project manager, your goal should be perfection. You want to be able to identify the stakeholder requirements and assign resources so that you can predict the target date and cost of completion as accurately as possible. If your date or cost estimate is wrong, you should be able to pinpoint the exact cause or causes of the change and understand what you can do on the next project to minimize those same causes from having an impact.
