CC7178
Cyber Security Management
Lecture 9
Information Security
Implementation & Maintenance
CC7178 Cyber Security Management
Learning Objectives
• To understand how an organization’s
security blueprint becomes a project plan
(implementation)
• To understand the numerous
organizational considerations that must
be addressed by a project plan
• To understand Information Security
Maintenance
Introduction
• Information security is a process, not a project;
however, each element of an information security
program must be managed as a project, even if it
is an ongoing one. In other words, information
security is a continuous series, or chain of
projects.
• Organization translates blueprint for information
security into a concrete project plan.
Project Management for IS
• Major steps in executing project plan are:
–Planning the project
–Supervising tasks and action steps
–Wrapping up
• Each organization must determine its own project
management methodology for IT and information
security projects.
Project Plan Development
Three core elements are used in the creation of a project plan:
work time, resources, and project deliverables.
Project Plan Development (cont.)
• Project plan development is the process of integrating all
these elements into a cohesive plan with the goal of
completing the project within the allotted work time,
using no more than the allotted project resources.
• Changing any one element usually affects the accuracy
and reliability of the estimates of the other two, and likely
means that the project plan must be revised.
Developing the Project Plan
• Creation of project plan can be done using Work
Breakdown Structure (WBS)
• For each major project task, the WBS records:
– work to be accomplished;
– individuals assigned;
– start and end dates;
– amount of effort required;
– estimated capital and non-capital expenses;
– identification of dependencies between/among tasks
• Each major WBS task further divided into smaller tasks or
specific action steps
Example - Early Draft WBS
Later Draft WBS
Project Planning Considerations
• As project plan is developed, further details can be
added.
• Special considerations include:
– finance
– priority
– time and schedule
– staff
– procurement
– organizational feasibility
– training
Financial Considerations
• No matter what information security needs exist,
amount of effort that can be expended depends
on funds available.
– Cost-benefit analysis must be verified prior to
development of project plan.
– Both public and private organizations have
budgetary constraints, though of a different nature.
– To justify an amount budgeted for a security project
at either public or private organizations, it may be
useful to benchmark expenses of similar
organizations.
Priority Considerations
• In general, most important information security
controls should be scheduled first.
• Implementation of controls is guided by
prioritization of threats and value of threatened
information assets.
Time and Scheduling Considerations
• Time impacts many points in the development
of a project plan, including:
– Time to order, receive, install and configure
security control
– Time to train the users
– Time to realize return on investment of control
Staffing (HR) Considerations
• Project plan can be constrained by lack of
enough qualified, trained, and available
personnel.
• Experienced staff often needed to implement
available technologies, develop and implement
policies and training programs.
Procurement Considerations
• IT and information security planners must consider
acquisition of goods and services.
• Many constraints on selection process for
equipment and services in most organizations,
specifically in selection of service vendors or
products from manufacturers/suppliers.
• These constraints may eliminate a technology from the
range of possible choices.
Organizational Feasibility Considerations
• Policies require time to develop; new technologies
require time to be installed, configured, and tested.
• Employees need training on new policies and
technology, and how new IS program affects their
working lives.
• Changes should be transparent to system users, unless
the new technology is intended to change procedures (e.g.,
requiring additional authentication or verification).
Training and Indoctrination Considerations
• Organization size and normal conduct of
business may preclude a single large training
program on new security procedures/
technologies.
• Where necessary, organization should conduct
phased-in or pilot approach to implementation.
Project Scope Considerations
• In the case of information security, project plans
should not attempt to implement entire security
system at one time.
• Project Scope concerns boundaries of time
and effort-hours needed to deliver planned
features and quality level of project
deliverables.
Supervising Project Implementation
Up to each organization to find most suitable leadership
for a successful project implementation
• Some organizations may designate champion from
general management community of interest to
supervise implementation of information security
project plan.
• An alternative is to designate senior IT manager to
lead implementation.
• Optimal solution is to designate a suitable person
from information security community of interest.
Executing the Plan
• Once a project is underway, it is managed using a process
known as a negative feedback loop or cybernetic loop: progress
is measured against the plan, and corrective action is taken
whenever measured progress deviates from it.
Project Wrap-up
• The goal of wrap-up is to resolve any pending
issues, critique overall project effort, and draw
conclusions about how to improve process.
• Project wrap-up is usually handled as procedural
task and assigned to mid-level IT or information
security manager.
• Collect documentation, finalize status reports, and
deliver final report and presentation at wrap-up
meeting.
Dealing with Change
• The prospect of change can cause employees to be
unconsciously or consciously resistant. By understanding
and applying change management, you can lower the
resistance to change, and even build resilience for
change.
• Steps can be taken to make an organization more
responsive to change. Reducing resistance to change
involves three steps:
– Communication is the first and most crucial step
– Education: explain to employees exactly how the proposed
changes will affect them, both individually and across
the organization
– Involvement means getting key representatives from
user groups to serve as members of the process
Project Management Tools
• There are many tools that support the management of
the diverse resources in complex projects.
• Most project managers combine software tools that
implement one or more of the main modeling
approaches.
• Examples of project management tools:
– WBS (Work Breakdown Structure)
– PERT (Program Evaluation and Review Techniques)
– Gantt Chart
PERT - Program Evaluation and Review Technique
• PERT (a type of network diagram) is the most popular
dependency diagramming technique; it was originally
developed in the late 1950s.
• It is possible to take a very complex operation and
diagram it in PERT, if you can answer three key
questions about each activity:
– How long will this activity take?
– What activity occurs immediately before this activity can
take place?
– What activity occurs immediately after this activity?
PERT - Program Evaluation and Review Technique (cont.)
• By determining the path through the various activities, you can
determine the critical path
• As each possible path through the project is analyzed, the
difference in time between the critical path and any other path
is the slack time
– An indication of how much time is available for starting a
noncritical task without delaying the project as a whole
• Should a delay be introduced (due to poor estimation of time,
unexpected events, or the need to reassign resources to other
paths such as the critical path), the tasks with slack time are
the logical candidates for delay
PERT Example
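The PERT example figure itself is not reproduced in this text, so the following is an added worked example (not from the lecture slides) of the critical path and slack time calculation described above. The task names, durations and dependencies are a constructed, hypothetical WBS for a small security control rollout.

```python
# Added example, not part of the lecture: a PERT-style forward/backward pass over
# a constructed set of information-security project tasks. It computes earliest
# and latest start/finish, slack time, and the critical path (tasks with no slack).

# Constructed WBS: task -> (duration in days, predecessors). Hypothetical values.
TASKS = {
    "scope":   (2, []),
    "procure": (10, ["scope"]),          # order and receive the control
    "policy":  (6, ["scope"]),           # draft the accompanying policy
    "install": (4, ["procure"]),         # install and configure
    "train":   (3, ["policy", "install"]),
    "pilot":   (5, ["train"]),           # phased-in pilot before full rollout
}

def topo_order(tasks):
    """Return tasks so that every predecessor comes before its successors."""
    order, seen = [], set()
    def visit(t):
        if t in seen:
            return
        for p in tasks[t][1]:
            visit(p)
        seen.add(t)
        order.append(t)
    for t in tasks:
        visit(t)
    return order

def pert(tasks):
    """Forward pass gives earliest start/finish (ES, EF); backward pass gives
    latest start/finish (LS, LF); slack = LS - ES. Returns {task: (ES, EF, LS, LF, slack)}."""
    order = topo_order(tasks)
    es, ef = {}, {}
    for t in order:                      # forward pass
        dur, preds = tasks[t]
        es[t] = max((ef[p] for p in preds), default=0)
        ef[t] = es[t] + dur
    project_end = max(ef.values())       # length of the critical path
    ls, lf = {}, {}
    for t in reversed(order):            # backward pass
        succs = [s for s in tasks if t in tasks[s][1]]
        lf[t] = min((ls[s] for s in succs), default=project_end)
        ls[t] = lf[t] - tasks[t][0]
    return {t: (es[t], ef[t], ls[t], lf[t], ls[t] - es[t]) for t in order}

def critical_path(tasks):
    """Zero-slack tasks in schedule order; delaying any of them delays the project."""
    return [t for t, v in pert(tasks).items() if v[4] == 0]

if __name__ == "__main__":
    for t, (es_, ef_, ls_, lf_, slack) in pert(TASKS).items():
        print(f"{t:8} ES={es_:2} EF={ef_:2} LS={ls_:2} LF={lf_:2} slack={slack}")
```

Here "policy" carries 8 days of slack, so it is the logical candidate for delay if resources must be reassigned to the critical path.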
PERT Advantages
– Makes planning large projects easier by facilitating the
identification of pre- and post-activities.
– Allows planning to determine the probability of meeting
requirements.
– Anticipates the impact of changes on the system.
– Presents information in a straightforward format that
both technical and nontechnical managers can
understand and refer to in planning discussions.
– Requires no formal training.
PERT Disadvantages
– Diagrams can become awkward and
cumbersome, especially in very large projects.
– Diagrams can become expensive to develop
and maintain, due to the complexities of some
project development processes.
– Can be difficult to place an accurate “time to
complete” on some tasks, especially in the initial
construction of a project; inaccurate estimates
invalidate any close critical path calculations.
Gantt Chart
• Another popular project management tool is the bar or
Gantt chart, developed in the early 1900s.
• The Gantt chart lists activities on the vertical axis of a
bar chart, and provides a simple time line on the
horizontal axis.
• Like network diagrams, Gantt charts are easy to
understand, and thus easy to present to management.
• Gantt charts are even easier to design and implement
than the PERT diagrams, and present much of the same
information.
Project Gantt Chart Example
Information Security Maintenance
• Organization should avoid overconfidence after
implementation of improved information security
system.
• Organizational changes that may occur include:
new assets acquired; new vulnerabilities emerge;
business priorities shift; partnerships form or
dissolve; organizational divestiture and
acquisition; employee hire and turnover.
• Maintenance model must be adopted to manage
and operate ongoing security program.
The Maintenance Model
• Designed to focus organizational effort on
maintaining systems.
• Recommended maintenance model is based on five
subject areas:
– External monitoring
– Internal monitoring
– Planning and risk assessment
– Vulnerability assessment and remediation
– Readiness and review
The Maintenance Model
External Monitoring
Internal Monitoring
Planning and Risk Assessment
Vulnerability Assessment and Remediation
Readiness and Review
Summary
• Moving from security blueprint to project plan
• Organizational considerations addressed by
project plan
• Applying project management to information
security
• Project management tools
• Maintenance of information security program