Managing Projects in Information Technology

Contents

List of Figures

Project Selection & Introduction

Skills, Roles and structure

Consultancy

Project Management

Final Thoughts

Appendix I – Pre-project network topology

Appendix II – Proposed Network design

References

List of Figures

Figure 1 - Company Organization Structure and the position of the security team

Figure 2 - Security team structure

Figure 3 - Teamwork skills

Figure 4 - Fishbone diagram used in the project

Figure 5 - Work Breakdown Structure (WBS)

Figure 6 - precedence diagramming PDM

Figure 7 - Weekly Status report sample

Figure 8 - Status Report for one of the vendors indicating progress of implementing their project

Figure 9 - Network topology before starting the project

Figure 10 - Proposed Network Topology Design

Project Selection & Introduction

The project that I like to highlight in this assignment is a modernization of security infrastructure for a healthcare Insurance company. I have been employed by a healthcare Insurance company as an Information security manager and one of my main role is to be responsible for this project from initiation to close. It is classified as Information Technology project that totally supports the entire business process by assessing, designing and implementing security controls that will reduce the number of cyber risks that faces the organisation on the cybersecurity realm to an acceptable level which in return protect company reputation and comply with government regulations. In addition, the organisation follows the functional structure that allow specialisation, emphasise standardisation and decrease duplication (Galbraith, 2014). In fact, this empowers me with all the authorities required to take decisions in different project stages and only reports to the IT director. The company has one main data centre located in the headquarters (HQ) and seven branches are connected to it through the MPLS cloud. The Data centers have almost 400 Servers, besides, 2400 users working in premises and remote (See Appendix I). The clients of the project is all company employees, healthcare providers (e.g. hospitals, clinics, etc.), company customers, government and competitors as well. The required is to help the company providing functionally secure healthcare insurance service. This includes assessing current IT systems and processes, identify the security gaps, design a solution covering this gaps and lead the implementation. Jugeesh (2012) argues that the financial return is not the only factor when selecting projects and determining its feasibility. Instead, the most important selection criteria are how far the project fits with organisation strategy or complying with country regulation (Gray et al., 2010 cited In Jugeesh, 2012). Indeed due to regulatory requirement and protecting organisation reputation, the organisation has to prove due care and due diligence in protecting customer’s information. As a result, company's board of directors assign the project ownership to IT department which in return hired me as IT security manager to lead the project and a team of four engineers of good experience in networks and systems. As a project manager, I have a full understanding of the cyber security risks, which will drive my sense of urgency to finish and complete the project as soon as possible. Risk assessment is the key piece in identifying the suitability of the project. Farrow (2004) argues that cost benefits analysis which is the main part of risk assessment is used to assess and aggregate the risk of doing action or not doing it which can be depended on it on project selection and management. Despite of the needs of the project, project doesn't have an infinite budget as the cost should not exceed the benefits under any condition because if so the organisation will accept to not implement the project (Flanders, et al., 2013). In fact, organisation assets are identified, whether its tangible asset or non-tangible assets such as reputation. Following that, values to these assets are assigned. Afterwords, conduct cost-benefits analysis to determine the feasibility of the project. Based on that, the board of director assign the budget. We used quantitative risk assessment as it gives us approximate of the financial value of the impact which is used in the cost-benefit analysis to identify the suitability of the project.

Skills, Roles and structure

The organisation structure is Functional. Galbraith (2014) states that organisation structure has many advantages such as gathering together all skilled labours of the same type in one department (e.g. all system engineers in one team) which allow sharing knowledge among the team. Besides, it emphasis the standardisation and decrease duplication of which only one team is responsible for the certain type of activities (e.g. security team (see Figure 1, Page 4) are the only team that deal with security related topics).

Abbildung in dieser Leseprobe nicht enthalten

Figure 1 - Company Organization Structure and the position of the security team

The team is consists of four engineers of reputable experience of Network and system security and reports to Security manager who report to IT director. Each one of them is responsible for an area in the project (See Figure 2, Page 4), check its gaps and develops solutions for it with the consultation of the security architect.

Abbildung in dieser Leseprobe nicht enthalten

Figure 2 - Security team structure

For examples, Information Governance specialist who are responsible for reviewing policies, producers, guidelines and standards, and make sure to develop the missing one fitting the organisation strategy. He has very good document management skills that made him responsible for all documentation required from the team. Incident response and security operation centre (SOC) specialist who is responsible for assessing the current SOC controls if any and check for the controls to be implemented (e.g. Network monitoring software, dashboards, etc.) in complying with project objective. He has very good communication and presentation skills that made him our facilitator and coordinator. In addition, network and security specialist who assess the current security infrastructure for network and systems and work to identify the gaps and what control should be in place to cover this gap. He is a very good problem-solver by which he work with other team members to solve any problem arise on our path. Besides, security architect who is our consultant or subject matter expert in security who works with the rest of the team members to make sure that we have a final solution that will fulfil the company objective. Because of his expertise and technical skills, we have the confidence that we are on the right track. Finally, Security Manager who is me to take the lead of the project and work with all team members in identifying assets, assign value for this assets, conduct cost-benefit analysis for each controls, do risk assessment and determine the feasibility of each controls separately and the overall suitability of the whole project, besides, working with other teams and departments to align the project with the organization strategy and report to IT Director for the team progress. Mackall & J.G. Ferguson Publishing (2004) states that teamwork enhances productivity from 10% to 40%. All my team members are good team work players as they work with harmony completing each other, share ideas and help in innovations and creativity. Furthermore, all team members share (see Figure 3, Pages 6) some skills like backup performance monitoring that will help us to monitor each other and make sure that we are on the right track. Besides, covering each other if one of the members are not available for any reason. I believe we could be more efficient if we had a team member who is more oriented to the business process as he will help saving our time in cross-functional tasks.

Abbildung in dieser Leseprobe nicht enthalten

Figure 3 - Teamwork skills

Consultancy

Usually, organisations use the services of consultant internally or externally for his expertise or additional management effort (Walker, 1997 cited in Brown, 2000), our team has a security architect hired to work with us during the period of the project, so we can consider him an external consultant. By his experience, skills, he bring confidence to the team and the company, he helped us during all project life cycle. As an advisor or consultant, he provides advancement across functions and department with no promotion aims by bringing thoughts and ideas from outside of the box to serve project objective and minimising the risk of project failure (Brown, 2000). His major input leads us assessing pre-starting situations (initiation phase) that established an understanding in identifying our weaknesses and painful area. Pre-starting activity like identifying the security gaps and the security controls that are suitable and enough for each area? In addition, he worked with project manager to interpret the scope of work into actions that need to be done and conducting a cost-benefit analysis. He works with IT governance specialist in identifying the current procedure, standards, and policies and determines what is needed to be added in order to comply with industries security standards. He helped the SOC specialist identifying the gaps and building incident response skills. Finally, he worked with the network and system security specialist to identify the gaps and set the best practice in configuring and managing network and system devices. Afterwards, in the planning phase, He led with the contribution of other team members based on his experience and skills to get a finalised high-level design for the project. Then, he uses his expertise in the market to contact vendors to work on the low-level design and get the best quotation from them. During the execution of the project, he guides the rest of the team members executing their part and build an operation baseline (Brown, 2000). Finally, he led team technically to validate the whole design and determine the lesson learnt. In order to have Situational knowledge, he contributes with different stack holder in the team, IT department and the rest of the organization by conducting presentations, one to one interviews or group interviews, observation, Inspection and Questionnaires. Based on the activity mentioned, he used scientific decision-making tools such as a fish bone diagram that helped us to prioritise actions to be taken for giving value to it ( Yazdani & Tavakkoli-Moghaddam, 2012). For example (Figure 4, Page 6), the fishbone diagram discuss the reasons that lead to data breach incidents. This tool gives us the opportunity of share and organise ideas for effective decision-making. Having a consultant in the project has also its negative side, first, consultant spends time leveraging his experience and once the project finishes he leave without knowledge transfer. Finally, consultant work style is looking for profit, so the works to be dependent on his skills in the future. We can overcome these problems by adding to his scope of work and responsibility a detailed knowledge transfer. Furthermore, training plan for the rest of the team member covering team weaknesses in operation.

Abbildung in dieser Leseprobe nicht enthalten

Figure 4 - Fishbone diagram used in the project

Project Management

In the beginning, the board of directors needed to comply with regulations and prove due care and due diligence to authorities, so they had to enhance their security infrastructure in general as per as the regulations. They with the IT director had chosen the head of the security team to lead the project with objective to check the feasibility of the project, give them how they will deal with the risks that threaten the organisation and lead the implementation of enhancing and Hardening organisation's security infrastructure. In addition, risk threshold and budget were assigned which should not be exceeded during project life cycle (Hinde, 2012). IT director and security manager checked the available human resources and whether it had the knowledge, skills and expertise to start the project. In addition, what are the technical, business, and financial risks, project benefits, and the costs of mitigation or avoiding the risk. It was agreed to use prince2 framework that contain many processes that can adopt a different type of projects and is used to have control over the whole project life (Hinde, 2012). Afterwards, they formulate the team and get approval to hire a consultant due to lack of experience and skills. Following that, security consultants were interviewed to select security architect to join security team to work with them during the project. Based on meetings and discussions with the senior managements Project scope or charter was stated. Afterwards, the project scope of work or statement of work (SOW) is broken down into small tasks or manageable units (See Figure 5, Page 9) in a diagram called WBS (O'Toole & Mikolaitis, 2002).

[...]