Goal: Tailored project management processes in unplanned situations

Introduction: During the COVID-19 pandemic, companies had to digitalize overnight. Advanced threat protection became mandatory, which in turn created the need for a security operations center. Therefore, in March 2020, during the lockdown, a security operations center project was launched quickly. The project management processes had to be tailored because the scope was defined only at a very high level.

First, one thing you cannot tailor is identifying your stakeholders, and I mean all stakeholders for your endeavor. You certainly need to agree on what needs to be done first, even if at this stage you know it only at a remarkably high level. For example, the financial sector needs 24/7 log-file monitoring to remain compliant with BAIT/VAIT (guidelines issued by the regulatory body for financial institutions), and the current EBA Guidelines on "ICT Risk…", valid from June 30th 2020, need to be taken into consideration too. In other words, having a Security Operations Center (SOC) together with a Security Information and Event Management system (SIEM) in place is mandatory. From the point of view of COVID-19 and digitalization, organizations need this center and the SIEM as well. Cybercriminals know this too, and they will try to do as much harm as they can, both internally and externally. Keep in mind that they can harm you a lot harder than COVID-19 can.

Scenario: For instance, in March 2020 the institute established remote access (a Virtual Desktop Infrastructure), a proper online meeting tool such as GoToMeeting or WebEx, and Microsoft Teams as part of Office 365 from one day to the next. The CEO and the CIO of a financial institution in particular must realize this, as BAFIN is always watching while more threats appear. Usually the CISO has this in mind, but the CIO has a different business case.
Currently there is only one simple SIEM in place, because BAFIN required it before the EBA guideline came out, but it is not set up for 24x7 monitoring. Moreover, the SIEM is very basic. As you know, even in Corona times security specialists are rare on the market. The company may not be able to run 24x7 monitoring (operation) by itself, as it is very expensive, regardless of whether you can find specialists or not.

So we tailored the make-or-buy decision. Based on this fact, we decided to outsource the SOC. As we did not know exactly what is on the market today, we tailored the scope at this point to "We would like to outsource SOC and SIEM services as fully managed security services". We then prepared the Request for Proposal, including a request for quotation (RFP and RFQ), based only on this very high-level scope definition. We put as much as we could into the RFP, as in a beauty contest, because the bidders, i.e. the different providers, know what kind of services are needed within the SOC tool stack far better than we can imagine. By now we have tailored a lot, but we still need a clear picture of how the SOC will be linked with our ITSM (in terms of ITIL). Therefore, we need all stakeholders in place, and we need our project organization established, first for the bidding process and later for the SOC project itself. Tailoring the RFP process itself is impossible: if the stakeholders who will later be touched by the new service are not all on your stakeholder list and engaged, the organization will run into serious problems caused by resistant stakeholders.
Keep in mind that you need someone who is prepared to be the service manager after transition, and perhaps to run the SOC stream during the transition phase together with the SOC manager of the assigned provider, plus someone to run the project at least for the RFP phase until the contract is signed. If there is no basic project organization installed at the beginning and not all stakeholders are informed, running into major problems is unavoidable, with lots of inconvenient consequences. At the end of the RFP process, when you have received a few or more proposals, you can pick the best and finalize your scope somewhat better than it was before, or perhaps finalize it after the presentation by the proposed provider. The contract should contain a clearly written scope, but that comes about 4 months or even longer after the project was started. You might call this agile, but it is only a tailored agile, because you do not know time and budget. A finalized scope is usually needed within a predictive lifecycle. Or perhaps you have a budget and are looking at how much SOC and SIEM service you can afford to buy. However, this would limit your decision about picking the best proposed scope. Even the planning phase is very tailored and lightweight: we prepared an RFP and packed in as much as possible, or alternatively told the bidders the budget and looked at how much we could afford. This depends on what senior management provides for your roadmap budget-wise. The RFP process itself, getting the contract in place, and the transition phase together with the provider are elements of your tailored executing phase. But be careful: the regulatory authority, in this case BAFIN, likes to have a project that is auditable. This means you need to write something like a project initiation document or a charter, but you can write this document during the project lifecycle.
So it is more something between a charter and lessons-learned documentation, as you cannot write it completely upfront. At the start you know no more than the high-level scope, perhaps a timeframe taken from historical files of other financial institutions, and perhaps a rough budget estimate obtained from other institutions. But you want to get as much as you can for what fits into your pocket, and perhaps the most beautiful solution out of your RFP, too. And for any upcoming audits you need to be careful with the bidding process. Having to describe how to find the best proposal before you have received the proposals makes it hard to write this down upfront, but this cannot be tailored. And certainly you need to do some risk management and some monitoring and controlling, at least for the SLAs, KPIs, OLAs, etc. within the contract.

In conclusion, you do not need to follow all processes of the PMBOK: partially risk management, as well as monitoring and controlling, but only as much as BAFIN requires if they come and audit you. Initiating and Planning are different with this tailored, lightweight approach. Only Closing, meaning closing the contract and closing the project, will be remarkably like what you expect if you follow the PMBOK. In this way, you will have both a proper Cyber Defense Center (Security Operations Center, SOC) in place and a digitalized modern company operating in a secure environment. Your regulatory body will be impressed by what you have achieved in quite a short period of time!

Jutta E. Zilian, CGEIT, CISA, CISM, PMP, CAPM