Robert Fullagar CISSP CISM CRISC CLAS CEH
“Security is everyone’s responsibility”

Security Programme Structure and Methodology

Contents
• People Structure
  – Key positions
  – Roles of individuals
• Methodology/Approach
  – Deliverables

People
• Senior Manager/Board Member
• Business Representatives (one per business area)
• Programme Manager
  – Project Managers
  – Senior Security SME
  – Delivery Teams
  – External Resource
  – Security SME

Delivery Team Structure
• Programme Manager
• Project Manager
• Infrastructure Lead
• External Resource
• Do’ers
• Security SME

Other People
• Security Architects
• Legal Specialist
• PMO Support
• Technical Architects
• Procurement
• HR
• Etc.

Roles – Senior Manager/Board Member
• Influencer
• Has a vested interest in improving security
• Can keep the momentum going
• Able to procure budget

Roles – Business Representatives
• Set/agree scope for the business area
• Set priority based on risk for the business area
• Monitor progress
• They are decision makers

Roles – Programme Manager (with Project Managers and Senior Security SME)
• Action the decisions of the business representatives
• Translate the business and technical requirements
• Bring resource and structure to deliver the scope
• Provide budgetary figures to the programme board
• Select and evaluate solutions

Roles – Delivery Teams (External Resource, Security SME)
• These are the do’ers, the engine room
• The detail people; they bring to bear that detailed, specific knowledge
• They do the actual, hands-on work
• They help make the project board’s scope a reality

Initiator
• Legislative
• Contractual
• External standards
• Business driver or direction
• Infrastructure replacement project
• Consolidate security in finished project
• Because it’s “Best Practice”

What happens when
• Phase 0 – Discovery (6–18 months)
  – Risk assessment provides input to Phase 1
  – Eye on Phase 1 scope and long-term strategy
• Phase 1 – Foundation (18 months – 2 years)
  – Deliver Phase 1 scope
  – Define long-term strategy
• Phase 2 – Leverage (2–5 years + BAU security cycle)
  – Deliver Phase 2 scope

Board Deliverables – Phase 0 (Senior Manager/Board Member, Business Representatives)
• Scope
  – Business area
  – Drivers – why
  – Financial commitment
  – Time and resource commitment
  – Draft strategy

Programme Deliverables – Phase 0 (Programme Manager, Project Managers, Senior Security SME, Delivery Teams, External Resource, Security SME)
• Plan – resource and tasks
• Budget (+/- 100%)
• Approach
• Quick wins
  – Minimal cost
• Risk Assessment

Board Deliverables – Phase 1 (Senior Manager/Board Member, Business Representatives)
• Prioritise the items from the risk assessment
• Financial support
• Allocate and commit resource
• Long-term strategy

Programme Deliverables – Phase 1 (Programme Manager, Project Managers, Senior Security SME, Delivery Teams, External Resource, Security SME)
• Risk assessment
• Proposals to remediate
• Accurate costs
• Plan, time and resource
• Deliver agreed scope

Summary – Phase 0
• Board
  – Business driver
    • Vision
  – Initial budget
  – Commitment
• Programme
  – Plan
  – Budget
  – Approach
  – Quick wins
• Board: GO

Summary – Phase 1
• Programme
  – Risk assessment
  – Remediation actions
  – Budget to remediate
  – Outline plan
• Board
  – Prioritise risks
  – Financial support
  – Commitment
  – Agree plans
• Board: Long-term strategy

BAU Security
• Plan – Do – Check – Act

Thank You
Questions