Chapter 4: Implementing Information Security

At the end of the unit, the students should be able to:

 Explain how an organization’s information security blueprint becomes a project plan
 Enumerate the many organizational considerations that a project plan must address
 Explain the significance of the project manager’s role in the success of an information security
project
 Establish the need for professional project management for complex projects
 Describe technical strategies and models for implementing a project plan
 Anticipate and mitigate the nontechnical problems that organizations face in times of rapid change
INTRODUCTION

First and foremost, an information security project manager must realize that implementing an information
security project takes time, effort, and a great deal of communication and coordination. In general, the
implementation phase is accomplished by changing the configuration and operation of the organization’s
information systems to make them more secure. It includes changes to the following:
 Procedures (for example, through policy)
 People (for example, through training)
 Hardware (for example, through firewalls)
 Software (for example, through encryption)
 Data (for example, through classification)

Information Security Management

As the opening vignette of this chapter illustrates, organizational change is not easily accomplished. The
following sections discuss the issues a project plan must address, including project leadership;
managerial, technical, and budgetary considerations; and organizational resistance to the change.

The major steps in executing the project plan are as follows:

 Planning the project
 Supervising tasks and action steps
 Wrapping up

Developing the Project Plan

 Planning for the implementation phase requires the creation of a detailed project plan.
 The project plan can be created using a simple planning tool such as the work breakdown
structure (WBS)
 The major project tasks are placed into the WBS, along with the following attributes for each:
1. Work to be accomplished (activities and deliverables)
 A deliverable is a completed document or program module that can either serve as
the beginning point for a later task or become an element in the finished project
 Work Breakdown Structure(WBS) is a structural schematic diagram that
decomposes tasks layer by layer according to an internal structure or an
implementation process. It breaks down the project into several relatively
independent, single content, and easy accounting work units.
 Request for Proposal(RFP)This is an extensive process that often spans 3 month
or longer. Many organizations considered an RFP basic due diligence for larger
purchases. The following are the basic step in an RFP process.

IAS 102-Information Assurance and Security 2

Dinalyn A. Mallares
Instructor 1
1
Chapter 4: Implementing Information Security
 10 STEP TO ACCOMPLISHED PROJECT PLAN:
1. Understand the scope and value of your project plan
2. Conduct extensive research
3. Ask the though questions
4. Create your project plan outline
5. Talk with your team
6. Write your full project plan
7. Execute your plan
8. Publish your plan
9. Share your plan with your team and make sure they read it
10. Prepare to keep planning

2. Individuals (or skill set) assigned to perform the task

The three types of parties’ assignment

 Obligor - The party that is committed to transferring benefits or right to the party
specified in the contract. The obligor is most likely the party that initially makes the
contract.
 Assignor - The party that is the initial beneficiary of the benefit or right. They are
responsible for making the assignment. In other word, they will be handing over the
rights they were initially going to receive.
 Assignee - The party that will be accepting the benefits and right from the assignor.
A transfer may have multiple assignee.
The three step in assignment are:
 The obligor creates a contract with the assignor.
 The rights are transferred from the assignor to the assignee.
 The assignee is paid the benefits from the obligor.
3. Start and end dates for the task (when known)
Start and end dates
 Start date is earlier or more often later than the projected start date due to
unforeseen delays in the beginning stages of opening a business. The planned day
for the start of an important activity
End dates
 The date on which something such as a contract, right, or legal obligation ends.
 If you enter a start date and time and an end date and time, the event will be
upcoming until the end date and time. If you enter a start date, a start time and an
end time, we will assume the event ends the same day as it started, at the end
time.

4. Amount of effort required for completion in hours or work days

 Planners need to estimate the effort required to complete each task, subtask, or
action step. Estimating effort hours for technical work is a complex process.
5. Estimated capital expenses for the task
 Planners need to estimate the capital expenses required for the completion of each
task, subtask, or action item.
 While each organization budgets and expends capital according to its own
established procedures, most differentiate between capital outlays for durable
assets and expenses for other purposes.

IAS 102-Information Assurance and Security 2

Dinalyn A. Mallares
Instructor 1
2
Chapter 4: Implementing Information Security
6. Estimated noncapital expenses for the task
 Planners need to estimate the noncapital expenses for the completion of each task,
subtask, or action item.
 Some organizations require that this cost include a recovery charge for staff time,
while others exclude employee time and only project contract or consulting time as
a noncapital expense.
7. Identification of dependencies between and among tasks
 Task dependencies show what must be done before a given task and what will be
done after the task is complete. Project managers can create dependencies
between any two or more tasks in a project.
 Task dependencies allow you to establish relationships between tasks. This can
help to frame a task in the context of a larger project plan.
There are two types of task dependencies:
1. Predecessors: Tasks or action steps that come before the specific task at hand
 Successors: Those that come after the task at hand

PROJECT PLANNING CONSIDERATIONS:

1. Financial Considerations
 A cost benefit analysis (CBA), typically prepared in the analysis phase of the SecSDLC, must be
reviewed and verified prior to the development of the project plan.
 The CBA determines the impact that a specific technology or approach can have on the
organization’s information assets and what it may cost.
2. Priority Considerations
 The most important information security controls in the project plan should be scheduled first.
 Budgetary constraints may have an effect on the assignment of a project’s priorities.
 A less-important control may be prioritized if it addresses a group of specific vulnerabilities and
improves the organization’s security posture to a greater degree than other individual higher-
priority controls.
3. Time and Scheduling Considerations
 Time and scheduling can affect a project plan at dozen of points-consider the time between
ordering and receiving a security control, which may not be immediately available; and the it takes
to install and configure the control; the time it takes to train the user; and the time it takes to realize
on the return in the investment control.
1. Staffing Considerations
 The need for qualified, trained, and available personnel also constraints the project plan. An
experienced staff is often needed to implement technologies and to develop and implement
policies and training program.
What does Staffing means?
Staffing- is the function of employee recruitment, screening and selection performed within an
organization to fill job opening.
Two main types of Hiring/Staffing:
 Temporary Staffing
- It is usually use to fulfil the organizations short-term requirements or to complete specific
needs that may not be part of the core business operators.

IAS 102-Information Assurance and Security 2

Dinalyn A. Mallares
Instructor 1
3
Chapter 4: Implementing Information Security

 Permanent Staffing
- Is generally with the intent to retain the employee for a longer period of time and focused
on critical business function.
2. Procurement Considerations
 There are often constraints on the equipment and services selection processes.
What does Procurement means?
Procurement- is a purchasing process that controls quantity, quality, sourcing and timing to
ensure the best possible total cost to ownership.
How it works?
The stage of procurement include:
 information gathering
 Supplier
 Contacts
 Negotiations
 Fulfilment
 Consumption, maintenance and disposal
 Renewal
Two basic types of Procurement:
Direct Procurement
Covers the sourcing and procurement of goods and services that will either become part
of the BOM (Bill of Material) or resold as a part of customer services or product offer.
Indirect Procurement
Refers to the selection of suppliers to provide products and services that companies
need to support and enabled production processes but are not what is produced and shipped to
customer.

There are following main types of Procurement:

 Traditional Procurement- this is one of the most basic types of procurement where the
responsibility of a contractor is limited only to build
 Stock Procurement- means that goods are shipped to stock in periodically defined terms
without any specific order of a customer.
 Just in time Procurement- this concept is based on the just in time concept. It is extended by
the supply of goods in the required at a defined time. This leads to a very efficient and lean
way of procurement.

3. Organizational Feasibility Considerations

 Whenever possible, security-related technological changes should be transparent to
system users, but sometimes such changes require new procedures, for example
additional authentication or validation.

IAS 102-Information Assurance and Security 2

Dinalyn A. Mallares
Instructor 1
4
Chapter 4: Implementing Information Security
 New technologies sometimes require new policies, and both require employee training
and education.
 Scheduling training after the new processes are in place (that is, after the users have had
to deal with the changes without preparation) can create tension and resistance, and
might undermine security operations.
4. Training and Indoctrination Considerations
 The size of the organization and the normal conduct of business may preclude a single
large training program on new security procedures or technologies.
 Project planners must ensure that compliance documents are also distributed and that all
employees are required to read, understand, and agree to the new policies.
5. Scope Considerations
 Project scope describes the amount of time and effort-hours needed to deliver the
planned features and quality level of the project deliverables.
 The scope of any given project plan should be carefully reviewed and kept as small as
possible given the project’s objectives.

The Need for Project Management

 Project management requires a unique set of skills and a thorough understanding of a broad body
of specialized knowledge.
 Realistically, most information security projects require a trained project manager—a CISO or a
skilled IT manager who is trained in project management techniques.
 Even experienced project managers are advised to seek expert assistance when engaging in a
formal bidding process to select advanced or integrated technologies or outsourced services.
1. Supervised Implementation
 Although it is not an optimal solution, some organizations designate a champion from the general
management community of interest to supervise the implementation of an information security
project plan.
2. Executing the Plan
 Once a project is underway, it is managed using a process known as a
negative feedback loop or cybernetic loop, which ensures that progress is measured periodically.
 In the negative feedback loop, measured results are compared to expected
results.
 Corrective action is taken in two basic situations: either the estimate was
flawed, or performance has lagged.
 When an estimate is flawed, as when the number of effort-hours required is
underestimated, the plan should be corrected and downstream tasks updated to reflect the
change.
 When performance has lagged, due, for example, to high turnover of skilled employees,
corrective action may take the form of adding resources, making longer schedules, or
reducing the quality or quantity of the deliverable.
 Often a project manager can adjust one of the three following planning parameters for the
task being corrected:
1. Effort and money allocated
2. Elapsed time or scheduling impact
3. Quality or quantity of the deliverable
3. Project Wrap
 Project wrap-up is usually handled as a procedural task and assigned to a mid-level IT or
information security manager.

IAS 102-Information Assurance and Security 2

Dinalyn A. Mallares
Instructor 1
5
Chapter 4: Implementing Information Security
 These managers collect documentation, finalize status reports, and deliver a final report
and a presentation at a wrap-up meeting.
TECHNICAL ASPECTS OF IMPLEMENTATION
1. Conversion Strategies
 In both cases, four basic approaches used for changing from an old system
or process to a new one are:
1. Direct changeover: Also known as going “cold turkey,” a direct changeover involves
stopping the old method and beginning the new.
2. Phased implementation: A phased implementation is the most common conversion
strategy and involves a measured rollout of the planned system, with a part of the
whole being brought out and disseminated across an organization before the next
piece is implemented.
3. Pilot implementation: In a pilot implementation, the entire security system is put in
place in a single office, department, or division, and issues that arise are dealt with
before expanding to the rest of the organization.
4. Parallel operations: The parallel operations strategy involves running the new
methods alongside the old methods.

2. The Bull-eye’s Model

 A proven method for prioritizing a program of complex change
 This methodology, which goes by many different names and has been used by many
organizations, requires that issues be addressed from the general to the specific, and that
the focus be on systematic solutions instead of individual problems.
 The approach relies on a process of project plan evaluation in four layers:
1. Policies: This is the outer, or first, ring in the bull’s-eye diagram. The
foundation of all effective information security programs is sound information security
and information technology policy.
2. Networks: In the past, most information security efforts focused on
this layer, and so until recently information security was often considered synonymous
with network security. In today’s computing environment, implementing information
security is more complex because networking infrastructure often comes into contact
with threats from the public network.
3. Systems: This layer includes computers used as servers, desktop
computers, and systems used for process control and manufacturing systems
4. Applications: The layer that receives attention last is the one that
deals with the application software systems used by the organization to accomplish its
work.

3. To Outsource or Not
 Not every organization needs a develop an information security department or program of its own.
 Just as some organization outsource part of or all of their IT operation, so too can organization
outsource part of or all of their information security programs.
 The expense and time required to develop an effective information security program may be
beyond the means of some organization and therefore it may be in their best interest to hire
professional services to help their IT department implement such a program.
 When an organization outsource most or all IT services, information security should be part of the
contact arrangement with the supplier.

IAS 102-Information Assurance and Security 2

Dinalyn A. Mallares
Instructor 1
6
Chapter 4: Implementing Information Security
 Organizations, which handle most of their own IT functions may choose to outsource the more
specialized information security functions.
 Small- and medium-sized organization often hire outside consultants for penetration testing and
information security program audits.
 Organizations of all sizes frequently outsource network monitoring functions to make certain that
their systems are adequately secured and to gain assistance in watching for attempted attacks.

4. Technology Governance and Change Control

 Other factors that determine the success of an organization’s IT and information security programs
are technology governance and change control processes.
 Technology governance, a complex process that organizations use to manage the effects and
costs of technology implementation, innovation, and obsolescence, guides how frequently
technical systems are updated and how technical updates are approved and funded.
 Technology governance also facilitates communication about technical advances and issues
across the organization.

NONTECHNICAL ASPECTS OF IMPLEMENTATION

1. The Culture of Change Management
 The prospect of change, the familiar shifting to the unfamiliar, can cause employees to build up,
either unconsciously or consciously, a resistance to that change.
 The basic foundation of change management requires that those making the changes understand
that organizations typically have cultures that represent their mood and philosophy.
 One of the oldest models of change is the Lewin change model,1 which consists of:
o Unfreezing - involves thawing hard-and-fast habits and established procedures
o Moving - transition between the old way and the new
o Refreezing - the integration of the new methods into the organizational culture, which is
accomplished by creating an atmosphere in which the changes are accepted as the
preferred way of accomplishing the necessary tasks

Consideration for Organizational Change

• Steps can be taken to make an organization more amenable to change.
• These steps reduce resistance to change at the beginning of the planning process and encourage
members of the organization to be more flexible as changes occur.
• Three-step process in which project managers:
– communicate
– Educate
– involve
Reducing Resistance to Change from the Start
– Communication is the first and most critical step.
– Project managers must communicate with the employees, so that they know that a new
security process is being considered and that their feedback is essential to making it work.
• At the same time, you must update and educate employees about exactly how the proposed
changes will affect them individually and within the organization.
• While detailed information may not be available in earlier stages of a project plan, details that can
be shared with employees may emerge as the SecSDLC progresses.
IAS 102-Information Assurance and Security 2
Dinalyn A. Mallares
Instructor 1
7
Chapter 4: Implementing Information Security
• Education also involves teaching employees to use the new systems once they are in place.
• Finally, project managers can reduce resistance to change by involving employees in the project
plan.
• This means getting key representatives from user groups to serve as members of the SecSDLC
development process.
• In systems development, this is referred to as joint application development, or JAD.

Developing a Culture that Supports Change

– An ideal organization fosters resilience to change.
– This means the organization understands that change is a necessary part of the culture,
and that embracing change is more productive than fighting it.
– A resilient culture can be either cultivated or undermined by management’s approach.
– Strong management support for change, with a clear executive-level champion, enables
the organization to recognize the necessity for and strategic importance of the change.
– Weak management support, with overly delegated responsibility and no champion,
sentences the project to almost-certain failure.

ACTIVITIES
INSTRUCTIONS. Answer the following activities in the provided answer sheet.
IAS 102-Information Assurance and Security 2
Dinalyn A. Mallares
Instructor 1
8
Chapter 4: Implementing Information Security
Activity 1. Review Questions
1. What is a project plan? List what a project plan can accomplish.
2. What is a work breakdown structure (WBS)? Is it the only way to organize a project plan?
3. What is a milestone, and why is it significant to project planning?

Activity 2.
Create a first draft of a WBS from the scenario below. Make assumptions as needed based on the
section about project planning considerations and constraints in the chapter. In your WBS,
describe the skill sets required for the tasks you have planned.

Scenario
Sequential Label and Supply is having a problem with employees surfing the Web to access material the
company has deemed inappropriate for a professional environment. The technology exists to insert a
filtering device in the company Internet connection that blocks certain Web locations and certain Web
content. The vendor has provided the company with some initial information about the filter. The filter is a
hardware appliance that costs $18,000 and requires a total of 150 effort-hours to install and configure.
Technical support on the filter costs 18 percent of the purchase price and includes a training allowance
for the year. A software component that runs on the administrator’s desktop computer is needed for
administering the filter, and it costs $550. A monthly subscription provides the list of sites to be blocked
and costs $250 per month. The administrator must spend an estimated four hours per week for ongoing
administrative functions.

Items you should consider:

 Your plan requires two parts, one for deployment and another for ongoing operation after
implementation.
 The vendor offers a contracting service for installation at $140 per hour.
 Your change control process requires a seventeen-day lead time for change requests.
 The manufacturer has a fourteen-day order time and a seven-day delivery time for this device.

Activity 1
1. What is a project plan? List what a project plan can accomplish.

IAS 102-Information Assurance and Security 2

Dinalyn A. Mallares
Instructor 1
9
Chapter 4: Implementing Information Security

2. What is a work breakdown structure (WBS)? Is it the only way to organize a project plan?

3. What is a milestone, and why is it significant to project planning?

Activity 2.

IAS 102-Information Assurance and Security 2

Dinalyn A. Mallares
Instructor 1
10