Presented at the Phoenix, AZ Local Chapter event by Igor Pertsovsky, PMP. There is a real need for Project Management in Information Security with knowledge and experience in the field.
1. INFORMATION SECURITY PROJECT MANAGEMENT
Igor Pertsovsky, MBA, PMP, CSM, SAFe, ITIL
Stargate IT Solutions LLC
PMO Manager at Column5 Consulting LLC
igor@stargateit.net
2. ABOUT ME
• Born in Belarus
• Graduated local University
• Immigrated to Israel
• BA in Industrial Eng.
• Worked for Hi-Tech startups
• Completed MBA in MIS in UK
• Background in System Administration and IT Management
• Relocated to Scottsdale in 2006 by DHL Express
• PMP since 2009
• Consultant since 2010 for large size projects
• Hobby - Chess
3. WHY INFOSEC PM?
• The most important asset is DATA
• Breaches happen almost daily and we read about them in the news
• There is a demand for 3 million InfoSec professionals until 2021, which makes it a recession-proof industry
• Project Management can help InfoSec people to implement the right solutions, make the right balanced business decisions, and mitigate risks
4. INFOSEC TYPICAL AREAS OF RESPONSIBILITY
• Governance, Risk, Compliance - GRC
• Auditing and Compliance
• Policies and standards
• Application security - DevOps
• Awareness and education programs
• Phishing campaigns
• Penetration testing
• DLP, Antivirus
• Business continuity
• PAM, SSO, IAM
• Incident Management Plan
5. MY INFOSEC PROJECTS
• Arizona Public Services:
  • Managed design of InfoSec Policies and rollout of New Browser to 10k End Users
  • Next Generation Firewall Vendor Selection Process and implementation projects
  • Hard Drive Encryption for 4k laptops
• Department of Education: was responsible for Information Security Policies and Procedures, managed DR and Business Continuity Projects
• American Express GBT: PCI Compliance Program
• ALSAC/St. Jude Children's Hospital: PCI Compliance and InfoSec Programs
• SIEM Implementation
• MDR (Managed Detection Response) Project
• GRC Implementation
6. STAKEHOLDERS AND TEAM MEMBERS
• CISO, VP of Information Security
• Directors
• Analysts, Architects, Security Engineer, IT Operations
• Change Management, Product Owners
• Compliance teams, Internal Audits
• Physical Security, Application Teams
• Know Your Project Team, Vendors, And Subcontractors
7. PMO AND METHODOLOGY
• Global PMO
• InfoSec PMO
• No PMO - aligned with IT
• Agile vs. Waterfall
• SAFe
8. RISK MANAGEMENT
• Establish A Common Risk Management Approach
• Security practitioners tend to think in terms of threats and the possibility of these being exploited to expose particular vulnerabilities
• Assets need to be assigned a value so the threats or vulnerability can be quantified