UNIT V SECURE PROJECT MANAGEMENT

Governance and security - Adopting an enterprise software security framework - Security and
project management - Maturity of Practice

Key Components of Security in Project Management

1. Risk Assessment: Identify potential security risks that could impact the project, including data
breaches, physical threats, and compliance issues.

It typically involves several key steps:

Identify Risks: Determine potential hazards or threats. This can include financial, operational,
strategic, compliance, and reputational risks.

Analyze Risks: Assess the likelihood of each risk occurring and its potential impact. This often
involves qualitative and quantitative analysis.

Evaluate Risks: Prioritize the risks based on their severity and likelihood. This helps in deciding
which risks require immediate attention and resources.

Mitigate Risks: Develop strategies to manage or reduce the identified risks. This may involve
implementing controls, transferring the risk (e.g., through insurance), or accepting the risk if it's
within tolerance levels.

Monitor and Review: Continuously track the risks and the effectiveness of mitigation strategies.
Adjust plans as necessary based on new information or changing circumstances.

2. Security Planning: Develop a comprehensive security plan that outlines protocols for protecting
assets, data, and personnel throughout the project lifecycle.
Assessment of Current Security Posture
Access Control
Define Security Objectives
Develop Security Policies and Procedures
Physical Security Measures
Incident Response Plan
Training and Awareness
Compliance and Legal Considerations
Monitoring and Improvement
Network Security
3. Stakeholder Engagement: Involve stakeholders in security discussions to ensure all perspectives
are considered and to foster a culture of security awareness.
4. Compliance: Ensure adherence to relevant regulations and standards (e.g., GDPR, ISO 27001)
throughout the project.
5. Training and Awareness: Provide security training for team members to recognize and respond to
potential threats.
6. Incident Response: Establish a clear response plan for security incidents, detailing roles,
responsibilities, and communication protocols.
7. Monitoring and Evaluation: Continuously monitor security measures and evaluate their
effectiveness, making adjustments as necessary.

Integrating Security into Project Management Methodologies

● Agile: Incorporate security practices in sprints, ensuring that security features are part of product
backlogs.
Agile is a flexible project management model that emphasizes iterative progress, collaboration, and customer
feedback. It’s widely used in software development but can be applied to various projects. Here are the core
principles and practices of the Agile methodology:

Customer Satisfaction: Deliver value to the customer through early and continuous delivery of functional
software.
Embrace Change: Welcome changing requirements, even late in development. Agile processes harness
change for the customer’s competitive advantage.
Frequent Delivery: Deliver working software frequently, with a preference for shorter timescales (weeks
rather than months).
Collaboration: Business stakeholders and developers must work together daily throughout the project.
Motivated Individuals: Build projects around motivated individuals, providing them the environment and
support they need, and trusting them to get the job done.
Face-to-Face Conversation: The most efficient and effective method of conveying information is through
face-to-face conversation.
Working Software: Working software is the primary measure of progress.
Sustainable Development: Agile processes promote sustainable development. The sponsors, developers,
and users should be able to maintain a constant pace indefinitely.
Technical Excellence: Continuous attention to technical excellence and good design enhances agility.
Simplicity: The art of maximizing the amount of work not done is essential.
Self-Organizing Teams: The best architectures, requirements, and designs emerge from self-organizing
teams.
Reflect and Adjust: At regular intervals, the team reflects on how to become more effective, then tunes and
adjusts its behavior accordingly.

Key Agile Frameworks

1. Scrum:
○ Focuses on time-boxed iterations called sprints (usually 2-4 weeks).
○ Roles include Scrum Master, Product Owner, and Development Team.
○ Regular ceremonies such as Sprint Planning, Daily Stand-ups, Sprint Review, and Sprint
Retrospective.
2. Kanban:
○ Visualizes work in progress using a Kanban board.
○ Focuses on continuous delivery without fixed iterations.
○ Limits work in progress to improve efficiency and flow.
3. Extreme Programming (XP):
○ Emphasizes technical practices to improve software quality.
○ Includes practices like pair programming, test-driven development, and continuous
integration.
4. Lean Software Development:
○ Focuses on eliminating waste, improving quality, and delivering faster.
○ Derived from lean manufacturing principles.

Key Principles of Kanban

1. Visualize the Workflow:

○ Use a Kanban board to represent tasks and their statuses visually. This board typically has
columns representing different stages of work (e.g., To Do, In Progress, Done).
2. Limit Work in Progress (WIP):
○ Establish limits on the number of tasks allowed in each stage to prevent bottlenecks and
encourage team focus on completing tasks before starting new ones.
 3. Manage Flow:
○ Monitor the flow of tasks through the Kanban system to identify and address inefficiencies.
The goal is to achieve a smooth, continuous flow of work.
4. Make Process Policies Explicit:
○ Define and document the rules governing how work is processed. This transparency helps
team members understand expectations and responsibilities.
5. Implement Feedback Loops:
○ Regularly review and reflect on processes (e.g., through stand-up meetings or
retrospectives) to identify areas for improvement.
6. Improve Collaboratively, Evolve Experimentally:
○ Foster a culture of continuous improvement by encouraging teams to experiment with
changes to their processes and learn from the outcomes.

Kanban Practices

● Kanban Board: The visual tool used to track progress. It can be physical (like a whiteboard) or
digital (using software tools).
● Cards: Each task or work item is represented by a card on the board, containing relevant details (e.g.,
description, assignee, deadlines).
● Columns: Represent different stages of work (e.g., To Do, In Progress, Testing, Done), allowing team
members to see task statuses at a glance.
● Meetings: Regular check-ins (daily stand-ups, retrospectives) to discuss progress, challenges, and
improvements.

Benefits of Kanban

● Increased Efficiency: By limiting WIP and visualizing tasks, teams can identify and eliminate
bottlenecks, leading to more efficient workflows.
● Flexibility: Kanban allows for changes in priorities and workloads without disrupting the overall
workflow, making it suitable for dynamic environments.
● Enhanced Collaboration: The visual nature of Kanban encourages communication and
collaboration among team members, improving teamwork.
● Better Focus: Limiting WIP helps team members focus on completing tasks rather than starting new
ones, which can reduce context switching.

Implementation Steps

1. Map the Current Workflow: Understand and visualize how work flows through the system.
2. Design the Kanban Board: Set up the board with appropriate columns and define WIP limits.
3. Start with Existing Work: Begin by visualizing tasks that are already in progress.
4. Make Adjustments: Continuously refine the process based on feedback and performance metrics.
5. Foster a Culture of Improvement: Encourage team members to suggest improvements and
experiment with new practices.

Tools for Kanban

● Physical Boards: Whiteboards, sticky notes, and markers.

● Digital Tools: Software applications like Trello, Jira, Asana, and Monday.com provide digital Kanban
boards with additional features like tracking and reporting.

Agile Methodologies

Agile methodology is a flexible and iterative approach to project management and software development that
emphasizes collaboration, customer feedback, and rapid delivery of functional software. It originated from
the Agile Manifesto, created in 2001 by a group of software developers who sought to address the limitations
of traditional project management practices, particularly the waterfall model. Here’s a detailed overview of
Agile methodology, its principles, frameworks, benefits, and implementation.

Benefits of Agile

● Increased Flexibility: Teams can adapt to changes quickly.

● Enhanced Collaboration: Continuous communication fosters collaboration.
● Higher Quality Products: Frequent testing and feedback lead to better quality.
● Faster Time to Market: Regular releases ensure quicker delivery of features.

Challenges of Agile

● Requires Cultural Shift: Organizations may need to shift their mindset to embrace Agile principles.
● Less Predictability: Agile's flexibility can make it harder to predict timelines and costs.
● Team Dependency: Agile teams rely heavily on collaboration and communication.

● Waterfall: Include security assessments at each phase to ensure that security measures are built in
from the ground up.

The Waterfall model is a traditional software development methodology characterized by a linear and
sequential approach. It is one of the earliest models used in software engineering and is often contrasted with
Agile methodologies. Here’s an overview of the Waterfall model, its phases, advantages, and disadvantages.

Phases of the Waterfall Model

1. Requirements Analysis:
○ Gather and document all requirements from stakeholders.
○ Produce a detailed requirement specification document that outlines what the software
should do.
2. System Design:
○ Based on the requirements, design the system architecture and components.
○ Create design documents, including system interfaces and data models.
3. Implementation (Coding):
○ Developers write code according to the design specifications.
○ This phase may involve unit testing of individual components.
4. Integration and Testing:
○ Integrate all components into a complete system.
○ Perform thorough testing to identify and fix defects. This includes functional, performance,
and system testing.
5. Deployment:
○ Deliver the completed software to the customer or release it into production.
○ This may involve installation, configuration, and training users.
6. Maintenance:
○ Address any issues or bugs that arise post-deployment.
○ Implement updates and enhancements as needed.
Key Characteristics

● Sequential Process: Each phase must be completed before the next one begins, with little overlap.
● Documentation-Driven: Emphasizes thorough documentation at every stage, providing a clear
blueprint for the project.
● Predictable Timeline: Since each phase has defined outputs, the timeline can be more predictable.

Advantages of the Waterfall Model

● Simplicity and Clarity: The linear nature makes it easy to understand and manage.
● Structured Approach: Clear documentation and processes help in tracking progress and
maintaining quality.
● Defined Requirements: Works well when requirements are well-understood and unlikely to
change.

Disadvantages of the Waterfall Model

● Inflexibility: Difficult to accommodate changes once the process is underway. If requirements

change, it can lead to significant delays.
● Late Testing: Testing occurs only after implementation, which can lead to the discovery of major
issues late in the process.
● Customer Involvement: Limited customer feedback during development can lead to
misunderstandings about the final product.

When to Use the Waterfall Model

● Projects with well-defined and stable requirements.

● Smaller projects where the scope is limited.
● Projects where documentation is critical for regulatory or compliance reasons.
Conclusion

The Waterfall model is a foundational approach in software development, best suited for projects with clear
requirements and minimal changes. While it has its limitations, understanding this model can provide
valuable insights into the evolution of software development methodologies.
 AGILE WATERFALL

Tools and Techniques

● Project Management Software: Utilize tools that include security features, such as access control
and data encryption.
● Security Frameworks: Leverage established security frameworks (e.g., NIST, CIS) to guide security
practices in projects.
Challenges
● Budget Constraints: Balancing security needs with project budgets can be challenging.
● Complexity of Regulations: Navigating various compliance requirements can be complex, especially
for international projects.
● Evolving Threat Landscape: Keeping up with the latest security threats requires ongoing vigilance
and adaptation.
Best Practices
1. Start Early: Integrate security considerations into the planning phase of the project.
2. Regular Audits: Conduct regular security audits and reviews to identify vulnerabilities.
3. Collaborative Culture: Foster a culture where security is everyone’s responsibility.
4. Feedback Loops: Establish mechanisms for learning from past incidents to improve future project
security.
Secure Project Management: Governance and Security
Governance and security are essential components of secure project management, ensuring that projects
align with organizational objectives while managing risks effectively. Here’s how these elements
interconnect:
1. Governance Framework
● Definition: Governance in project management refers to the structures, processes, and decision-
making frameworks that guide project execution.
● Purpose: Establish clear roles and responsibilities, ensure compliance with regulations, and facilitate
accountability.
● Components:
○ Policies and Procedures: Define security protocols, risk management strategies, and
compliance requirements.
○ Stakeholder Engagement: Involve key stakeholders in governance discussions to align
project goals with organizational security objectives.
○ Performance Monitoring: Regularly assess project performance against governance
criteria and security benchmarks.
2. Security Policies
● Development: Create comprehensive security policies that address data protection, access control,
incident response, and disaster recovery.
● Implementation: Ensure that all project team members understand and adhere to security policies
throughout the project lifecycle.
● Regular Updates: Review and update security policies regularly to adapt to evolving threats and
compliance requirements.
3. Risk Management
● Identification: Conduct thorough risk assessments to identify potential security risks that could
impact project success.
● Mitigation Strategies: Develop and implement risk mitigation strategies that include technical
controls, training, and contingency planning.
● Monitoring: Continuously monitor risks throughout the project, adjusting strategies as needed
based on new information or changes in the environment.
4. Compliance and Regulatory Adherence
● Regulatory Requirements: Stay informed about relevant laws and regulations (e.g., GDPR, HIPAA)
that may affect project execution.
● Audits and Assessments: Conduct regular audits to ensure compliance with security standards and
identify areas for improvement.
● Documentation: Maintain thorough documentation of compliance efforts, security measures, and
incident responses.
5. Incident Management
● Incident Response Plan: Develop a clear plan outlining how to respond to security incidents,
including roles, responsibilities, and communication strategies.
● Training and Drills: Regularly train project team members on incident response protocols and
conduct drills to test readiness.
● Post-Incident Review: After an incident, conduct a review to analyze what happened, how it was
handled, and how to prevent future occurrences.
6. Communication and Reporting
● Transparent Reporting: Maintain clear and open lines of communication regarding security issues
with all stakeholders.
● Regular Updates: Provide regular updates on project status, security measures, and any incidents
that occur.
● Feedback Mechanism: Establish mechanisms for team members to report security concerns or
suggest improvements.
7. Continuous Improvement
● Lessons Learned: After project completion, conduct a review to capture lessons learned related to
governance and security.
● Adaptation: Use insights gained from previous projects to enhance governance and security
practices in future projects.
Adopting an enterprise software security framework is essential for organizations looking to enhance
their security posture and ensure the integrity, confidentiality, and availability of their software systems.
Here’s a guide to effectively implement such a framework:
1. Define Objectives and Scope
● Identify Goals: Clarify what you want to achieve with the security framework, such as reducing
vulnerabilities, ensuring compliance, or enhancing incident response.
● Scope: Determine which applications, systems, and processes will be covered by the framework.
2. Choose a Security Framework
● Common Frameworks:
○ NIST Cybersecurity Framework: Offers a flexible approach to managing cybersecurity
risks.
○ ISO/IEC 27001: Provides a comprehensive framework for managing information security.
○ OWASP Software Assurance Maturity Model (SAMM): Focuses specifically on software
security practices.
○ CIS Controls: A set of best practices for securing IT systems and data.
3. Conduct a Risk Assessment
● Identify Threats: Assess potential threats and vulnerabilities specific to your enterprise software.
 ● Impact Analysis: Evaluate the potential impact of different security risks on your organization’s
operations.
4. Develop Security Policies and Procedures
● Policy Creation: Draft security policies that align with the chosen framework and address key areas
such as access control, data protection, and incident response.
● Procedural Guidelines: Establish clear procedures for implementing security measures, including
coding standards and security testing protocols.
5. Implement Security Controls
● Technical Controls: Apply measures like encryption, authentication, and intrusion detection to
protect software systems.
● Administrative Controls: Implement training programs and security awareness initiatives to
promote a culture of security among employees.
6. Integrate Security into the Software Development Lifecycle (SDLC)
● Shift Left: Incorporate security practices early in the SDLC, from requirements gathering to design,
development, testing, and deployment.
● Security Testing: Use automated tools for static and dynamic analysis, as well as regular penetration
testing to identify vulnerabilities.
7. Monitor and Review
● Continuous Monitoring: Establish ongoing monitoring of software applications and systems for
security incidents and vulnerabilities.
● Regular Audits: Conduct periodic audits to assess compliance with security policies and the
effectiveness of implemented controls.
8. Incident Response and Recovery
● Incident Response Plan: Develop a detailed plan for responding to security incidents, including
detection, containment, eradication, and recovery processes.
● Post-Incident Analysis: After an incident, review what occurred, how it was handled, and what
improvements can be made.
9. Training and Awareness
● Employee Training: Provide ongoing training for employees on security best practices, potential
threats, and incident reporting procedures.
● Awareness Campaigns: Foster a security-conscious culture through awareness programs and
regular updates on emerging threats.
10. Continuous Improvement
● Feedback Loops: Create mechanisms for gathering feedback on security practices and policies.
● Adaptation: Regularly update the security framework based on new threats, lessons learned from
incidents, and changes in the regulatory landscape.
Knowledge management, training.
An organized collection of security knowledge is likely to include policy, standards, design and attack
patterns, threat models, code samples, and eventually a reference architecture and secure development
framework.
Another element of this competency is the development and delivery of a training curriculum. Topics include
security knowledge as well as help for conducting assurance activities.
This pursuit also includes new courseware, along with retrofitting of existing courseware to software security
concepts.
Security touchpoints. The definition of tasks and activities that augment existing development processes
(formally or informally) help developers build security into any custom software development process, as
well as in-place outsource assurance and commercial off- the-shelf validation processes. This competency
defines how to assure software.

Assurance. The execution of security touchpoint activities provides assurance—conducting a software

architectural risk assessment, for example, validates that security requirements were translated into aspects
of the software’s design and that the design resists attack. Assurance activities rely heavily on the knowledge
and training competency to define what to look for. Tool adoption is likely to be part of this pursuit in the
short-to medium term.
It will involve the purchase, customization, and rollout of static analysis tools as well as dynamic analysis
aides. Your organization might have already adopted a penetration-testing product, for instance.
Governance
Governance is competency in measuring software-induced risk and supporting an objective decision- making
process for remediation and software release. This competency involves creating a seat at the project
management table for software risk alongside budget and scheduling concerns. Governance should also be
applied to the roll out and maturation of an organization’s Framework. The framework’s owners can measure
project coverage and depth of assurance activities, reported risks (and their severity), and the progress of
software security knowledge and skill creation, among other things.

How Much Security is Enough ?

• principles enacted by policies and procedures that state these requirements and risk tolerances for this
asset
• clear assignment of roles and responsibilities and periodic training for staff and managers involved in
protecting this asset; financial incentives for those demonstrating innovative approaches to asset protection
• periodic training for staff having access to this asset; immediate removal of access and authorization for any
staff member whose responsibilities no longer require a need for access, including any change in employment
status such as termination
• infrastructure architecture that fulfills these requirements, meets these risk tolerances, and implements
effective controls (strong authentication, firewalls including ingress and egress filtering, enforcement of
separation of duties, automated integrity checking, hot backups, etc.)
• review of all new and upgraded technologies that provide database support and in-house and remote
access, to determine if any of these technologies introduce additional security risks or reduce existing risks.
Review occurs before and after technology deployment.
• regular review and monitoring of relevant processes, and performance indicators and measures including
financial performance and return on investment; regular review of new and emerging threats and evaluation
of levels of risk
• purchasing insurance for high-impact, low-probability events
• regular audit of relevant controls and timely resolution of audit findings
Security and Project Management:

Importance of Security in Project Management

● Risk Mitigation: Projects often involve sensitive data and critical assets. Effective security measures
help identify and mitigate risks that could lead to data breaches or operational disruptions.
● Regulatory Compliance: Many industries are subject to regulations that require specific security
practices. Compliance ensures legal adherence and protects the organization from penalties.
● Stakeholder Trust: Demonstrating a commitment to security builds trust with stakeholders, clients,
and partners, enhancing the organization’s reputation.
2. Key Security Considerations in Project Management
● Risk Assessment: Conduct thorough risk assessments to identify potential security threats associated
with the project. This includes evaluating vulnerabilities in processes, technology, and human factors.
● Security Planning: Develop a security plan that outlines security objectives, measures, and protocols
throughout the project lifecycle. This should include data protection, access control, and incident
response strategies.
● Integration into SDLC: Incorporate security practices into the Software Development Life Cycle
(SDLC) by integrating security testing, code reviews, and threat modeling into each phase.
3. Frameworks and Standards
● NIST Cybersecurity Framework: A flexible framework for managing cybersecurity risks, providing
guidance on identifying, protecting, detecting, responding to, and recovering from security incidents.
● ISO/IEC 27001: An international standard for information security management systems (ISMS),
helping organizations manage and protect their information assets.
● OWASP SAMM: A framework that focuses on software assurance and security best practices, useful
for integrating security into development processes.
4. Security Roles and Responsibilities
● Project Manager: Ensures that security is a priority throughout the project and that all team
members understand their security responsibilities.
● Security Officer: Provides expertise on security protocols and best practices, conducts risk
assessments, and advises on security-related decisions.
● Team Members: Everyone involved in the project should be trained on security policies and
encouraged to report potential security issues.
5. Incident Management
● Incident Response Plan: Develop a plan for responding to security incidents, detailing procedures for
detection, containment, eradication, and recovery.
● Post-Incident Review: After an incident, conduct a review to identify what happened, assess the
response effectiveness, and implement improvements to prevent recurrence.
6. Continuous Improvement
● Monitoring and Auditing: Regularly monitor security practices and conduct audits to ensure
compliance with policies and identify areas for improvement.
● Feedback Mechanisms: Establish channels for team members to provide feedback on security
practices and report issues.
● Training and Awareness: Provide ongoing training to keep project teams informed about emerging
threats and security best practices.
7. Conclusion
By prioritizing security in project management, organizations can reduce risks, ensure compliance, and foster
a culture of security awareness. This proactive approach not only protects assets and data but also enhances
project success and stakeholder trust. Implementing structured frameworks, ongoing training, and
continuous monitoring will further strengthen the integration of security into project management practices.
Maturity of Practice
The maturity of practice in security and project management reflects an organization’s capability to
effectively integrate security considerations into project processes. A higher maturity level typically
correlates with better risk management, enhanced security protocols, and overall project success. Here’s an
overview of the maturity levels, their characteristics, and how to enhance practices:
Maturity Levels
1. Initial/Ad Hoc (Level 1)
○ Characteristics:
■ Security measures are informal and inconsistent.
■ Limited awareness of security risks among project teams.
■ Security practices are reactive rather than proactive.
○ Improvement Focus:
■ Establish basic security policies.
■ Raise awareness about security risks and their implications.
2. Developing (Level 2)
○ Characteristics:
■ Some security practices are in place, but they are not standardized.
■ Teams begin to recognize the importance of security.
■ Risk assessments are conducted sporadically.
○ Improvement Focus:
■ Standardize security processes across projects.
■ Implement regular risk assessments and training programs.
3. Defined (Level 3)
○ Characteristics:
■ Security practices are well-defined and documented.
■ Risk management is integrated into the project lifecycle.
■ Teams are trained in security awareness and best practices.
○ Improvement Focus:
■ Enhance integration of security in all phases of project management.
■ Use metrics to measure security effectiveness and compliance.
4. Managed (Level 4)
○ Characteristics:
■ Security practices are monitored and measured for effectiveness.
■ Continuous improvement processes are in place.
■ Proactive risk management strategies are implemented.
○ Improvement Focus:
■ Regularly review and refine security practices based on metrics and feedback.
■ Foster a culture of security across the organization.
5. Optimizing (Level 5)
○ Characteristics:
■ Security is fully integrated into the organizational culture.
■ Continuous innovation in security practices is encouraged.
■ Advanced threat modeling and incident response capabilities are established.
○ Improvement Focus:
■ Stay updated with emerging threats and industry trends.
■ Share knowledge and best practices with external stakeholders and partners.
Enhancing Maturity Levels
1. Conduct Assessments: Regularly evaluate current practices against maturity models to identify
gaps and areas for improvement.
2. Implement Frameworks: Adopt established security frameworks (like NIST, ISO, or OWASP) that
provide guidelines and best practices for integrating security into project management.
3. Training and Development: Invest in ongoing training programs for project teams to enhance their
understanding of security principles and practices.
4. Encourage Collaboration: Foster collaboration between project management, IT, and security
teams to ensure a unified approach to risk management.
 5. Leverage Technology: Utilize tools and technologies that support secure project management, such
as risk management software, security testing tools, and compliance monitoring systems.
6. Establish Metrics: Define key performance indicators (KPIs) related to security to track
improvements and ensure accountability.
7. Promote a Security Culture: Encourage a culture where security is viewed as everyone's
responsibility, and reporting security issues is supported and rewarded.
By systematically advancing the maturity of security practices within project management, organizations can
enhance their resilience against threats and ensure successful project outcomes. This approach not only
protects assets but also builds trust among stakeholders.
1. Natural disasters and events such as floods, hurricanes, seismic activity, wildfires, tsunamis, volcanoes,
drought, and even the ongoing effects of climate change.
2. Legal or statutory compliance. Depending on where in the world your project is being executed, there
will be laws, regulations, forms of contract, and other statutory obligations which must be observed or
followed as they relate to people, data, finances, natural resources, quality and safety standards,
communication systems, security, and transparency.
3. Threats associated with people inclusive of theft, vandalism, malicious intent and behavior, breaches in
confidentiality, the lack of adherence to policies and procedures, terrorism, and civil conflict.
4. The costs associated with security failures. Whilst there may be no assured way to protect against every
security risk, investing in and implementing suitable security policies, standards, controls, and systems can
definitely reduce the costs and risk associated with its absence.

Protecting Information
The key requirements of DSS include the following:
• Build and maintain a secure network.
• Protect cardholder data.
• Maintain a vulnerability management program.
• Implement strong access control measures.
• Regularly monitor and test networks.
• Maintain an information security policy. Audit's Role
• Strategic alignment of information security with business strategy to support organizational objectives.
• Risk management by executing appropriate measures to manage and mitigate risks and reduce potential
impacts on information resources to an acceptable level.
• Resource management by utilizing information security knowledge and infrastructure efficiently and
effectively. • Performance measurement by measuring, monitoring, and reporting information security
governance metrics to ensure that organizational objectives are achieved.
• Value delivery by optimizing information security investments in support of organizational objectives.

Operational Resilience and Convergence

• reduced risk of a business interruption
• shorter recovery time when an interruption occurs
• improved ability to sustain public confidence and meet customer expectations
• increased likelihood of complying with regulatory and internal service level requirements

A Legal View • Establish governance structure, exercise oversight, develop policies.

• Inventory digital assets (networks, applications, information).
• Establish ownership of networks, applications, and information; designate security responsibilities for each.
• Determine compliance requirements with laws, regulations, guidance, standards, and agreements (privacy,
security, and cybercrime).
• Conduct threat and risk assessments and security plan reviews (for internal and contractor operations).
This may include certification and accreditation.
• Conduct risk management based on digital asset categorization and level of risk.

A Software Engineering View

•the business climate
•building blocks of change, including four common pitfalls:
• over-reliance on late-life-cycle testing
• management without measurement
• training without assessment
• lack of high-level commitment (particularly relevant for governance and management) •building an
improvement program
•establishing a metrics program, including a three-step enterprise rollout:
• assess and plan
• build and pilot
• propagate and improve
•continuous improvement
•what about COTS (and existing software applications)?, including an enterprise information architecture
•adopting a secure development life cycle