As project managers, one of our primary roles is to make sure information flows between those that need it to do their job and support the project. But we’re also responsible for ensuring that corporate information assets and strategic information about the project remain secure.
The 2005 edition of ISO 17799 (Code of Practice for Information Security Techniques) advocates a risk based approach to managing sensitive information. This applies equally to information flows in projects.
It’s well understood that achieving increased security usually occurs at the expense of the user and, in this case, project stakeholder expense. For example, certain files we may want to view may be subject to restricted access. It’s an extra step which serves to limit the exposure of information to those granted the privilege of access. Access may require an additional password or other authentication technique, adding yet more difficulty to the process of restricting the information on an ongoing basis.
So what do we need to consider when deciding how to protect sensitive information? We don’t wish to overburden project participants with access limitations, nor reduce efficiency in our project execution? We need a balance.
First, identify sensitive information and rank the risk of exposure. This will guide the level of effort you apply to restricting access to key project stakeholders. “Need-to-know” is the guiding principle here.
Second, you can review your project activities and resource allocations in terms of “separation of duties.” The idea here is to limit an individual’s ability to act irresponsibly (intentionally or accidentally) based on the information they have access to. Of course, clear lines of separation and an understanding of what individuals need to know is necessary for this to be effective. Segregating roles reduces the risk of collusion as well as protecting corporate assets.
Finally, “cross-training” can be used to increase the likelihood that the people with the right knowledge will be available to perform project activities at the right time. It ensures an alternative when individuals who have developed specific knowledge based on their access to privileged information become unavailable to support the project. The availability of key people should play into your assessment of risks regarding sensitive information.
By considering these three security principles, the appropriate level of protection can be applied to project plans based on the risk of exposure of the information assets. Plans can mitigate or avoid risks of exposing sensitive information and project delays due to the unavailability of key stakeholders.