Security is not something that forms part of the standard project initiation process. However, project security is something that project managers should be concerned about. This article looks at what project security is and how you can apply it to your project.
What is project security?
Project security involves making sure that all the project artefacts have the correct access protocols. An access protocol is the way in which the user gains access to something. A project security process ensures that the project team members only access the right information.
Why is project security important?
Project security is important to protect the confidentiality of your project. It also helps protect project artefacts and corporate data. There are two types of security that you should consider as a project manager. This week we'll look at information security. Next week I'll talk about the second type of security: physical security.
Don't store financial, confidential or stakeholder analysis documentation in an openly accessible space. Ensure that external team members and third-party contractors only have access to the right systems. This is particularly important if you are using web-based project management tools: don't ask the IT team to create a user account for the project management tool that mirrors yours. Instead, make sure that they receive a user account that only allows them access to what they need to see.
Of course, everyone who needs access to something to do their job should get it. Ask project team members and third parties to sign your corporate information governance policy or a nondisclosure agreement. Stress to everyone that they need to comply with any corporate standards, and make sure that they know what these are and what is expected of them.
Manage data off-site
Data can also be at risk when it is used off-site. Make sure the team know how to do data backups, in case their laptop is stolen or lost. If you think there is a threat of theft or loss, consider installing encryption software on the laptops. External hard drives also fall into this category: check that these are protected adequately.
Manage test data
Information security also means anonymising test data so that you do not use real data in the project testing phase. Make sure that any test data is deleted at the end of the project.
Monitoring and auditing
The final area of information security is monitoring and auditing. Do you need to tell the project team and any other users that their internet use is being monitored, if indeed it is? Do you monitor compliance with policy? Make sure that there is a process in place for deleting user accounts at the end of the project. Delete the user accounts of people who leave, whether they leave the company or the project itself. This makes sure that they cannot log in once they no longer have the right to do so.
As you can see, there are a lot of information security areas to consider. Mind mapping with a tool like iMindQ is a good way to identify every area that needs to be taken into account for your project, if your PMO doesn't already have a list of project security standards.
Last week I looked at what project managers should consider in relation to project security. Security is not something that you might think of when you first kick off a project, but as a project manager you'll find that a lot of information passes across your desk (or through your inbox). Last week I talked about how you can manage project information securely, by putting processes in place and asking the right questions about managing project assets safely. This week I want to look at the second part of project security: physical security.
Access to rooms
Project team members and third-party contractors need access to rooms to do their jobs, including potentially the data centre or server room. These rooms offer great potential to accidentally (or on purpose) damage or transmit corporate information.
Think about who on the project needs privileges on their security badge to get into the project office or the server room. Do they really need permanent access granted or could they be escorted into the secure area for the short time they need access?
Over-zealous security policies can also cause problems. Engineers can be turned away from an office if they turn up and the reception staff are not expecting them. Make sure that anybody who needs to gain access to another site understands the process to do so. This will help ensure that engineers are welcomed into the building to do their work, instead of turned away, as this can cause delays to the project. You should also consider the security of the home offices of project team members working from home. Do they have the same security measures in place as the people in the office?
Some companies provide a security guard to escort lone women to the car park late at night. Some companies have other measures for remote workers when they need to work in potentially dangerous environments or travel home late at night. Is the car park in a well-lit, secure area? Could you provide an alternative way home, like paying for their taxi, for workers who use public transport and have to stay late for whatever reason?
Physical security doesn't only refer to people: it can also refer to documents. Make sure there are adequate measures in place for the secure storage of physical documentation. Lock away documents and laptops overnight or when you are not in the office for an extended period of time.