Information Security Group

SECURITY IN PROJECT DELIVERY LIFECYCLE

Engineering security and data privacy across the Project Delivery Lifecycle is a comprehensive approach that ensures the project or solution adheres to security and data privacy best practices. It covers all stages of the Project Delivery Lifecycle, from creation to closure, including design, development, testing, integration, deployment, operation, change management and maintenance. It also helps ensure that security and data privacy controls are effectively implemented in delivery processes, environments and solutions, taking into account the skills and effort required to implement and maintain them.


The Project Delivery Lifecycle must consider all the security and data privacy commitments made in the final proposal to the customer, the master service agreement (MSA), the statement or scope of work (SoW), and the regulatory requirements associated with the business and industry vertical to which the project belongs (e.g. PCI, HITRUST). The project must ensure these security and data privacy obligations are met and adhered to throughout delivery. The entire project delivery lifecycle is covered by 6 Gates, which collectively aim to achieve security and data privacy objectives such as:

  • Security configurations based on security and regulatory controls, making the systems and solution resilient to cyberattack during business operations.
  • Employing the security best practices and controls required by the applicable security and regulatory standards, keeping the project compliant with those standards' requirements.
  • Auditing, assessing, reviewing and testing the project's constituent components, assets and processes, keeping it well protected from any internal or external security threat, breach or compromise.
  • Assessing all third parties participating in project delivery for security and regulatory risks in the services, products, tools or integrating entities they provide for the project.
GATE No   Description
GATE - 1  Contract Negotiation / Bidding Phase
GATE - 2  Project Planning / Setup
GATE - 3  Project Execution, Monitoring & Control (During Project Execution)
GATE - 4  Project Change Management
GATE - 5  Project Go-Live
GATE - 6  Project Closure (Project Hand-over)
GATE - 1: Contract Negotiation / Bidding Phase

Regulatory Requirements: Identify the regulatory requirements applicable to the engagement, such as PCI DSS, HIPAA etc. Involve the ESRM team and the cluster compliance manager during the RFP stage.
Contractual Requirements: Understand the contractual requirements covering administrative / HR controls (criminal checks etc.), physical security requirements, logical security requirements etc.
  1. Identify additional contractual requirements for the engagement.
  2. Identify any third party involved in meeting the contractual requirements.
Certifications: Identify whether any ISO standard certifications are required, such as ISO 27001, SOC 1, SOC 2 etc. Identify whether external certification is required as part of the customer requirements.
Security Team: Identify whether a dedicated security team is required for the engagement, to act as the SPOC for security incidents and security-related communications.
  • Any dedicated security team required for the engagement.
  • Their roles and responsibilities.
Delivery Model: Onsite / Offshore / Vendor / All
Vendor Assessments: Identify whether any third-party vendors are required for the engagement and clearly understand their roles, responsibilities and security requirements.
  • OEM
  • Partners
  • Contractors
  • Customer-recommended auditors / vendors
  • Any prerequisites in selecting vendors
  • Checklist for selecting vendors
Domain / SME Requirements: Engage domain SMEs for solutioning and for identifying any challenges and roadblocks.
Sales Team Security Awareness: Create a security checklist for the Sales team for their awareness.
Audit Requirements: Identify the type of audits to be conducted (internal / external) and the duration of the audits.
  • For third-party audits, who will own the cost.
  • Any customer-recommended third-party vendor etc.
Team Identification: Identify critical resources, dependencies and SMEs for the project and highlight the challenges.
Communication: Identify the communication channels with the customer and vendors: governance meetings and project status at all levels.
Legal Advice: Commitments and penalties.
RACI: Create a RACI matrix including all delivery, customer, vendor and support functions.
Others: Sign-off, infrastructure, visas, re-badging etc.
GATE - 2: Project Planning / Setup

Kick-off Meeting: PM to initiate the kick-off meeting with all the key stakeholders, such as CS, TIM, HR and ISG, and to make sure all contractual requirements are met as per the signed MSA.
PM Grey Areas: Any grey areas identified in the kick-off call should be highlighted to all the stakeholders.
Infrastructure Planning: DC and cloud setup are as per the agreements.
Technologies: Technologies used, open source, licenses, frameworks etc. Make a list of the above and get sign-off from the respective stakeholders.
PM Checklist: PM to validate the audit checklist; any non-compliance to be highlighted to Sr. Management.
Deployment Architecture: Deployment architecture for Development, Test and Production.
Physical and Logical Requirements: Make sure all the requirements are as per the MSA contracts.
Audit Requirements: Plan for internal and external audits as per the MSA.
Team Security Awareness: PM to make sure all the Customer- and TechM-related mandatory exams are completed.
Single Point of Failure: Identify any SPOF that would impact the delivery.
BCP: BCP plan and drills are as per the agreement.
Vendor Engagement: Initiate vendor engagement and identify their roles and responsibilities. Also identify whether they need to be audited.
Data Privacy: Identify whether the application handles PI/SPI data and make sure all the security controls are in place, including any country-specific regulations.
Team Responsibilities: Identify the responsibilities of each team member.
Others: NDAs
GATE - 3: Project Execution, Monitoring & Control (During Project Execution)

Project Tracking: PM to track project timelines. Highlight any challenges from the delivery, security and dependency perspectives.
BCP Tracking: Track that the BCP plan and drills are as per schedule. Any challenges and gaps to be tracked and highlighted to the Customer and Management.
Privacy Tracking: PIA and ROPA as per ISG guidelines.
Vendor Monitoring: Track vendors and highlight gaps, including closure of third-party audit NCs.
Tracking External Audits: Track third-party audit NC closure.
Security Assessments: Regular security assessments with the help of internal functions; highlight any gaps to the respective stakeholders.
Customer Updates: Regular meetings with the customer and their security team to discuss current status and improvement plans.
Quality Assurance: Closing quality NCs.
Communication: Communication with all stakeholders on updates, including vendors and customers.
Risk Register: Update the risk register at regular intervals.
Alert: Is an alert mechanism in place during downtime?
Application Security Lifecycle (ASL): Monitoring the application security lifecycle.
Health Check: Automate health checks at regular intervals.
Secure Data Lifecycle: Monitoring of the secure data lifecycle.
Additional Training: Update associates with additional trainings, especially on data security and business continuity. Connect with the ISG Training division for security training, mailers and posters.
Project Management Review: Update project management on current and upcoming tasks and challenges.
Initiate Change Request: Consider any project change request with the customer and vendors.
Checklist Review: Review the checklist as per the Gate 2 process.
Commitments Review: Highlight to all stakeholders wherever commitment levels are going down.
Data Classification Followed?: Are all documents labelled as per the classification guidelines: "Company Confidential", "Restricted", "Client Confidential", "PUBLIC" or "Commercial in Confidence"?
Data Breach Monitoring: Are project team members aware of the incident management training and reporting websites?
GATE - 4: Project Change Management

Security Requirements: Any security requirements forming part of the change request.
Additional Certification: Any additional certification to be taken care of.
New Technologies: New technologies to be considered as part of the change request.
Scope and Timelines: Changes to scope and timelines.
Physical / Logical Requirements: Any physical / logical / administrative requirements to be considered as part of the change request.
New Vendors / Suppliers: Any new vendors / suppliers considered as part of the change request.
GATE - 5: Project Go-Live

Security Acceptance Criteria: Follow any acceptance criteria defined in the agreement.
Security Clearance: If any security clearance is required for this engagement, make sure the process is followed, e.g. evidence of code review is maintained, WAPT is performed etc.
Security Risk Sign-off: Security risk sign-off formalities to be completed.
Bugs or Issues Raised in Pre-prod / UAT Are Fixed: Sign-off from the customer that all the bugs and issues raised in UAT are closed before moving to Production.
Go-Live Approvals Are in Place:
  • Any re-usable components used in the project from org-level repositories? If yes, are these components all clean and TechM copyright marked?
  • Take all the approvals from the respective owners before going live.
GATE - 6: Project Closure (Project Hand-over)

Transition Plan: Prepare the transition plan, including all the stakeholders who were part of this engagement. Document and record all the activities.
KT Session as Planned: Technology-related KT.
Support for Customer in Shadow: Once the project has moved to Production, plan to support the customer during the warranty period.
All Handovers:
  • Hand over all the documents, such as design documents, test cases, use cases etc., to the customer, including supporting vendors.
  • (People) Permanently revoke access rights on project / client-specific document and data repositories, files and folders on shared drives, if any.
  • Final back-up of all project-related documents and data, including the deliverables and the relevant documentation on the restoration procedure for the same.
  • Cleaning / formatting of all the desktops / laptops of the team members, in view of client confidential information on the machines.
  • Are all the IPRs earned during project execution appropriately marked and stored in org-level repositories?
Any Hardware to Be Returned to Customer (e.g. Tokens):
  • Return all the hardware used in the project (e.g. tokens) to the customer and destroy any media, if any.
  • Update the inventory accordingly and record all the activities.
All Relevant Stakeholders Involved by the PM / PgM in the Project Closure Meeting: Final sign-off from all stakeholders involved in the project.

RACI (Responsible, Accountable, Consulted, Informed) Implementation

Activities   ISG Function   Sales Function   Delivery   Vendors   Customer
GATE - 1     I, C           R, A             R, A       I         I, A
GATE - 2     I, C           I                A, R       I         I
GATE - 3     I, C           I                A, R       A, R      I
GATE - 4     I              I                A, R       A, R      I
GATE - 5     I, C           I                A, R       A, R      I, A
GATE - 6     I, C           I                A, R       A, R      I, A
Copyright © Tech Mahindra Limited. All Rights Reserved