GOV-019 Information Security in Project Management
Description
Information security requirements are identified and addressed throughout the project lifecycle for all types of projects. Security reviews are required at defined project gates before go-live, and security findings must be resolved or risk-accepted before deployment.
Rationale
Integrating security into project delivery ensures that new systems and changes do not introduce unreviewed risks. Security retrofitted post-deployment is more expensive and less effective than security designed in.
Framework Mappings (3)
| Framework | Reference | Control | Coverage |
| --- | --- | --- | --- |
| ISO/IEC 27001:2022 Annex A | 5.8 | Information security in project management | full |
| NIST SP 800-53 Rev. 5 | PL-2 | System Security and Privacy Plans | partial |
| SOC 2 Trust Services Criteria | CC5.1 | COSO Principle 10: Selects and Develops Control Activities | partial |
Evidence (2)
Information security in project management procedure defining mandatory security gates, review points, and sign-off requirements throughout the project lifecycle.
Example: Secure SDLC or Project Security Requirements Procedure (Confluence), listing: project types in scope, required security activities per phase (e.g. security requirements at design, threat modelling before build, security review before go-live), and the named role responsible for sign-off.
Test: Request the project security procedure. Verify: (1) security activities are defined for each project phase, (2) a mandatory pre-launch security review or sign-off is required, (3) the procedure specifies how findings must be resolved before deployment, (4) the document has an approval date within the last 12 months.
Pre-launch security review records for recent projects confirming security gates were completed before go-live.
Example: Jira tickets or Confluence sign-off pages for the last two to three project launches, showing: security review checklist completion, named reviewer, findings list, disposition of each finding, and go-live approval.
Test: Select two recent project launches. Request the security review records for each. Verify: (1) the security review sign-off is dated before the go-live or deployment date, not after it, (2) all findings are documented with severity ratings, (3) each finding is either marked resolved or carries a documented risk acceptance from a named approver, (4) a named security reviewer signed off the deployment.
Questions (2)
Does your organization have a documented process for integrating information security requirements throughout the project lifecycle, including mandatory security reviews before go-live?
The process should define required security activities per project phase and require that findings are resolved or risk-accepted before deployment.
At which stages of a project are security activities formally required?
Pre-launch security sign-off is the minimum; look for completed review checklists with a named security reviewer and a documented disposition for each finding. Stronger answers also name earlier gates, such as security requirements at design and threat modelling before build.