Robert Fullagar CISSP CISM CRISC Clas CEH “Security is everyone’s responsibility”

Posted 24-Dec-2015

Page 1

Robert Fullagar CISSP CISM CRISC Clas CEH

“Security is everyone’s responsibility”

Page 2

Security Programme Structure and Methodology

Contents

• People Structure
  – Key positions
  – Roles of individuals

• Methodology/Approach
  – Deliverables

Page 3

People (organisation chart)

Senior Manager/Board Member

Senior Security SME

Business Representatives (four boxes on the chart)

Programme Manager

Project Managers

Delivery Teams

External Resource

Security SME

Page 4

Delivery Team Structure

Security SME

Programme Manager

Project Manager

Infrastructure Lead

External Resource

Do’ers

Page 5

Other People

Security Architects

Legal Specialist

PMO Support

Technical Architects

Procurement

HR

Etc.

Page 6

Roles – Senior Manager/Board Member

• Influencer
• Has a vested interest in improving security
• Can keep the momentum going
• Able to procure budget

Page 7

Roles – Business Representatives

• Set/agree scope for the business area
• Set priority based on risk for the business area
• Monitor progress
• They are decision makers

Page 8

Roles – Senior Security SME, Programme Manager, Project Managers

• Action the decisions of the business representatives
• Translate the business and technical requirements
• Bring resource and structure to deliver the scope
• Provide budgetary figures to the programme board
• Select and evaluate solutions

Page 9

Roles – Delivery Teams, External Resource, Security SME

• These are the do’ers, the engine room
• The detail people; they bring to bear that detailed, specific knowledge
• They do the actual work, hands-on work
• They help make the project board’s scope a reality

Page 10

Initiator

• Legislative
• Contractual
• External standards
• Business driver or direction
• Infrastructure replacement project
• Consolidate security in finished project
• Because it’s “Best Practice”

Page 11

What happens when

Phase 0 – Discovery (6-18 months)
– Eye on Phase 1 scope and long term strategy
– Risk Assessment provides input to Phase 1

Phase 1 – Foundation (18 months – 2 years)
– Define long term strategy
– Delivery of Phase 1 scope

Phase 2 – Leverage (2-5 years +)
– Delivery of Phase 2 scope

BAU Security Cycle

Page 12

Board Deliverables (Senior Manager/Board Member; Business Representatives)

Phase 0 – Scope
– Business area
– Drivers – why
– Financial commitment
– Time and resource commitment
– Draft strategy

Page 13

Programme Deliverables (Senior Security SME; Programme Manager; Project Managers; Delivery Teams; External Resource; Security SME)

Phase 0 – Plan
– Resource and tasks
– Budget +/- 100%
– Approach
– Quick wins
  • Minimal cost
– Risk Assessment

Page 14

Board Deliverables (Senior Manager/Board Member; Business Representatives)

Phase 1
– Prioritise the items from the risk assessment
– Financial support
– Allocate and commit resource
– Long term strategy

Page 15

Programme Deliverables (Senior Security SME; Programme Manager; Project Managers; Delivery Teams; External Resource; Security SME)

Phase 1
– Risk assessment
– Proposals to remediate
– Accurate costs
– Plan, time and resource
– Deliver agreed scope

Page 16

Summary – Board | Programme

Phase 0 (Board)
– Business Driver
  • Vision
– Initial Budget
– Commitment

Page 17

Summary – Board | Programme

Phase 0 (Programme)
– Plan
– Budget
– Approach
– Quick wins

Page 18

Summary – Board

Phase 1: GO

Page 19

Summary – Board | Programme

Phase 1 (Programme)
– Risk Assessment
– Remediation actions
– Budget to remediate
– Outline plan

Page 20

Summary – Board | Programme

Phase 1 (Board)
– Prioritise Risks
– Financial support
– Commitment
– Agree plans

Page 21

Summary – Board

Phase 1: Long term strategy

Page 22

BAU Security

Plan → Do → Check → Act

Page 23

Thank You

Questions