ILTA White Papers

Project Management 2012

Issue link: https://epubs.iltanet.org/i/74024


Managing the "People" Side of Information Security Projects

• Coordinating and overseeing the traditional technical aspects of installation, testing and rollout

Coordinating these additional people-related aspects is as important as the technical nuts and bolts of installing and integrating a new system.

Project Planning Teams

In order to implement an information security solution successfully, it is necessary to develop a comprehensive deployment plan, outlining the milestones and deliverables of the parallel work streams. A crucial aspect of the project plan is integrating the technical and nontechnical work that is required, identifying dependencies between the two and determining at which points these intersect. The project manager will need to coordinate the activities of the following two teams:

• A technical team whose members will manage the implementation of the system
• A business team who will interact with the key stakeholders impacted by the new system

A project sponsor (or committee) should be identified to oversee the deployment and make key decisions where required. A project team should also be put in place to execute the deployment plan. Regular project meetings and status reports circulated to key stakeholders will ensure visibility of the overall objective is not obscured by the potentially complex and intermingled strands of work, and that delivery of the project stays on track.

Tackling Technical Considerations

As part of the software installation, it's important for the technical team to review the architecture requirements needed to integrate with the firm's other systems and to ensure that prerequisites for installation in the firm's environment are in place. Securing downstream systems is a primary objective of implementing a confidentiality management application. A firm's document management system is often the main focus, but it's also important to consider other systems that contain relevant client-matter information that may also need to be secured. These may include systems for practice management, records management, client relationship management and time recording.

Organizations should also carefully consider how they will provide their confidentiality management software with accurate, updated data regarding clients, matters, users and group relationships. A confidentiality application that requires manual or scheduled updates using scripts or import mechanisms creates additional management and enforcement challenges. Bad data can lead to some very bad results. Software that automates integration and quality checking of comprehensive data can deliver more efficient and effective controls. This includes the ability to accurately track and manage access controls based on more sophisticated details (increasingly called out in case law), such as lawyer-secretary relationships, physical location and printer proximity.

Following the configuration of the technical solution in accordance with business rules defined by the relevant stakeholders, user acceptance testing can take place in a test environment to verify the system works in accordance with business, technical and integration specifications. User acceptance testing should take into consideration the roles and requirements of each stakeholder community. Risk and business staff should not be expected to understand or delve into underlying security settings and configurations at a detailed technical level; and IT staff need not be burdened with exercises that review the formatting options for internal notification messages. Once any issues are addressed, the system can be released into the production environment.
