A key risk factor in many technology projects is the failure to evaluate the cyber-security risk that carrying out the project introduces to the organization. Where organizations do evaluate it, they usually do so at the end of the project or after the fact (if at all). Unevaluated risks could include:
- Unapproved ports being opened on firewalls which allow access to the network and critical
- Using critical data in a new way that increases a risk of breach
- Poor coding allowing vulnerabilities to be introduced
- Third parties accessing critical data in an unsecured manner
- Unapproved users being given access to critical data in a new application
Project management processes should include formal gateposts at which a security analysis is required to take place. The objectives of the security gatepost in a project should be:
- Evaluation of the risk associated with the implementation of new technology or change to the existing technology.
- Evaluation of the data that will be part of the project and of how the change will alter the way that data is handled.
- Security code review (if part of the project).
- Vulnerability scans to ensure that prior to deployment to production the changes are secure.
- Access changes required to the systems.
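The gatepost objectives above can be turned into an automated, fail-closed check that runs before a change is promoted to production. The following is an added example, not code from the original page: it assumes a constructed change-request format (firewall rules, data-access grants, scan findings, code-review status), constructed approved baselines (`APPROVED_PORTS`, `APPROVED_USERS`) and a constructed severity threshold. Anything not on the approved baseline, or in an unknown zone or classification, blocks the gate; an empty result means the gate passes.

```python
"""Automated security gatepost check for a change request (added example).

All baselines, field names and sample values below are constructed for this
illustration; a real gate would load them from the organization's approved
change records.
"""
from dataclasses import dataclass

# Constructed baseline: ports already approved per destination zone, and users
# already approved for each data classification.
APPROVED_PORTS = {"dmz": {443}, "internal": {443, 5432}}
APPROVED_USERS = {
    "critical": {"svc-billing", "alice"},
    "internal": {"svc-billing", "alice", "bob"},
}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]
MAX_SCAN_SEVERITY = "medium"  # constructed threshold: anything above this blocks


@dataclass
class ChangeRequest:
    firewall_rules: list      # e.g. [{"zone": "dmz", "port": 22}]
    data_access: list         # e.g. [{"user": "carol", "classification": "critical"}]
    scan_findings: list       # e.g. [{"id": "F-1", "severity": "high"}]
    has_code_changes: bool
    code_review_done: bool


def check_firewall(rules):
    """Flag any port not on the approved list for its zone (unknown zone => nothing approved)."""
    return [
        f"unapproved port {r['port']} opened to zone {r['zone']}"
        for r in rules
        if r["port"] not in APPROVED_PORTS.get(r["zone"], set())
    ]


def check_access(grants):
    """Flag any user not approved for the data classification they would receive."""
    return [
        f"unapproved user {g['user']} granted {g['classification']} data access"
        for g in grants
        if g["user"] not in APPROVED_USERS.get(g["classification"], set())
    ]


def check_scan(findings):
    """Flag findings above the severity threshold; unknown severities are treated as blocking."""
    limit = SEVERITY_ORDER.index(MAX_SCAN_SEVERITY)
    problems = []
    for f in findings:
        sev = f["severity"]
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)
        if rank > limit:
            problems.append(
                f"scan finding {f['id']} severity {sev} exceeds gate threshold {MAX_SCAN_SEVERITY}"
            )
    return problems


def run_security_gate(cr: ChangeRequest) -> list:
    """Run every gatepost objective; returns the list of blocking problems (empty = pass)."""
    problems = []
    problems += check_firewall(cr.firewall_rules)
    problems += check_access(cr.data_access)
    problems += check_scan(cr.scan_findings)
    if cr.has_code_changes and not cr.code_review_done:
        problems.append("security code review not completed for code changes")
    return problems


if __name__ == "__main__":
    # Constructed sample change request that should fail the gate.
    sample = ChangeRequest(
        firewall_rules=[{"zone": "dmz", "port": 22}, {"zone": "dmz", "port": 443}],
        data_access=[{"user": "carol", "classification": "critical"}],
        scan_findings=[{"id": "F-1", "severity": "high"}, {"id": "F-2", "severity": "low"}],
        has_code_changes=True,
        code_review_done=False,
    )
    for problem in run_security_gate(sample):
        print("BLOCK:", problem)
```

The check is deliberately fail-closed: a rule for a zone nobody has defined, a grant against an unlisted classification, or a finding with an unrecognised severity all block rather than pass silently, which is the behaviour you want from a gate that exists to catch changes nobody evaluated.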
You must identify the security-control gaps in your change and project management practices and implement improvements within those processes.