This is the final part in a three-part series of Top Tips for Government Security Leads. It is intended to provide a brief overview of the most important aspects of fulfilling the Security Lead role and what pitfalls to avoid. In Part 2, we covered the importance of establishing and communicating with the right stakeholders, including the Accreditor and Information Asset Owners. The series concludes with three more top tips.
Tip 5: Have an escalation path
The Terms of Reference (ToRs) for the Security Working Group (SWG) should determine the escalation path; however, experience has shown that it is often only a paper exercise until it is needed to resolve a critical issue. The Security Lead should have confidence that any issue that may impact the overall security of the project can be quickly and effectively escalated, so that there is minimal impact or delay.
Tip 6: Record all decisions
Decisions made at the SWG must be recorded in the minutes and widely distributed. Any decisions made outside of the SWG should be raised at the SWG for awareness, endorsement and recording. The Security Lead must be able to trace decisions back to where they were agreed and be able to articulate when and why a particular decision was made and who made it. It is inevitable that during the lifecycle of a major project the same questions will come up time and time again, and the Security Lead is there to prevent nugatory effort or conflicting decisions from arising.
Tip 7: Plan, plan and more planning
All Project Managers love a good plan and spend most of their time producing one. This should be no exception for a Security Lead, who is in effect the PM for security-related activities. Key planning requirements are:
- Accreditation Plan. Following on from the accreditation strategy agreed with the Accreditor and endorsed by the SWG, the Accreditation Plan should provide the detailed breakdown of what security activities are to take place, over what time frame, to what standard and by whom.
- Assurance Planning. The requirement for assurance planning is worth a special mention. The specialist resources needed to conduct IT Health Checks (ITHC), Vulnerability Assessments, CESG Tailored Assurance Service (CTAS) tests and a plethora of others all take time, effort and cost to put in place. If these factors have not been identified in formal security activity planning they are likely to be overlooked or rushed, which may impact on the overall accreditation outcome.
- Alignment. The Security Lead needs to ensure that security plans align with the wider project plans and do not conflict with them. It is often the case that a lack of adequate security engagement throughout the project lifecycle has significant impacts on other project deliverables as security requirements seep into the project consciousness. Trying to shoehorn security controls into designs at the end, rather than building them in at the start, generally increases cost, adds delay and is unlikely to be as effective.
In summary, the role of a Security Lead can be complex, time-consuming and stressful; however, with a bit of planning, preparation and a determination to get involved, the role can be very rewarding and add real benefit to any project.
Article by Paddy Keating, Director/Government Service Manager at Ascentor.
If you found this article useful, take a look at Part 1 and Part 2 of this three-part series.