ISACA Journal
Volume 2, 2,014 


The A-to-I Ways to Launch an IT Program or Information Security Project 

Key Mak, CISM, CAP, CISSP, ITIL, PMP, Security Plus, ECMp 

Figure 1Whether launching an information security project or developing a road map for an enterprise, determining where to start can be overwhelming. While there are standards, regulations or laws such as the US Gramm-Leach-Bliley Act (GLBA), the US Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard (PCI DSS) and the US Federal Information Security Management Act (FISMA), applicable to specific business requirements, there are high-level generic steps that enable one to follow a systematic approach to success in IT and information security projects. Figure 1 provides a list of projects to which those steps can be applied.

The following A-to-I steps should help the beginner or skilled IT manager launch many projects successfully.


A few tools are necessary to help one understand the business or system. These tools require an assessment of the existing IT systems/environment. The tools include, at least, a business impact assessment, a security impact assessment or a risk assessment. Thus, it is important to perform an assessment first.

The assessment should be tailored for the project and organization’s specific needs. For example, smaller companies or organizations may not have the resources necessary for a dedicated team or the expertise to perform a full-blown risk assessment. Understanding the objectives of the assessment is necessary to ensure selection of the right approach and to plan accordingly. The following are critical to starting an assessment (these substeps form an acronym, OSCAR):

  • Objectives—Always outline the objectives of the assessment.
  • Scope—Know the scope of the work to be completed.
  • Constraints—Realize the constraints to ensure that the results are commensurate with the work being performed.
  • Approach(es)—While the trend is to adopt a risk-based approach, remember that there is no one-size-fits-all approach to IT project management or security. Adopt a consistent approach or approaches to get the assessment done correctly. Use standards and guidance that are considered good practices.
  • Reviews—Review the existing system, determine risk, prioritize, document results and report the findings of the assessment.

There are many standards, guidelines and reference frameworks in the IT world, including the US National Institute of Standards and Technology (NIST) standards and guidelines (NIST SP 800-34, NIST SP 800-30, NIST SP 800-39 and NIST SP 800-37), the Information Security Forum (ISF)’s Standard of Good Practice (SoGP),1 the International Organization for Standardization’s ISO 310002 and ISO 22301,3 the Information Technology Infrastructure Library (ITIL),4 COBIT 5,5 and the Capability Maturity Model Integration (CMMI),6 among others.

Performing due diligence is critical to integrating the most appropriate standards into the business. If an organization is unsure where to start and what to choose, COBIT 5 provides a good overarching framework, designed the way an IT manager thinks. COBIT 5 is the only business framework for both governance and management of enterprise IT. COBIT incorporates the governance activities of ISO 38500,7 Val IT and Risk IT. COBIT also helps organizations meet business challenges in the areas of regulatory compliance, risk management, and aligning IT strategy with the organization’s missions and goals.

B—Build From a Baseline

Before building the case, one must know the baseline. Whether it is configuration or security, a baseline is a must for an assessment on any live system. Knowing the baseline will help in later stages to establish performance indices, metrics and benchmarks.

Establishing a baseline manually is often difficult. One must know which tools to use to establish the baseline. Possible tools include Microsoft Baseline Security Analyzers (MBSA),8 US Government Configuration Baseline (USGCB)9 and Security Content Automation Protocol (SCAP),10 among others. It is also necessary to know whether there are any compliance requirements, such as the US Sarbanes-Oxley Act,11 PCI DSS,12 FISMA,13 the US Health Insurance Portability and Accountability Act (HIPAA ),14 the US Health Information Technology for Economic and Clinical Health Act (HITECH)15 and the International Organization for Standardization (ISO) series. Looking at the big picture, it is important to develop a plan to turn the baseline into a benchmark by adopting industry good practices for the road map. Whether building, using a baseline, benchmarking or applying best practices, one must remember the big picture of the existing IT environment and unique business needs. Planning accordingly is critical to avoiding negative impact. Solutions should be developed by identifying what framework is best for the organization and incorporating it early while building the solution.

C—Communicate, Collaborate, Categorize and Customize

The issues found must be communicated to the stakeholders, including upper management, the program manager, clients, users and team members. A communication plan must be developed. In today’s dynamic business environment, it is critical to collaborate and coordinate with other teams or stakeholders to get support. The program and any of its components (e.g., risk) must be classified and categorized so that the stakeholders, particularly upper management, understand the issues being addressed. The program or plan must be customized and the proposed solution must be scalable. Checklists must be developed and people/processes certified. Findings should be demonstrated in an analysis report and, most likely, in a cost-benefit analysis (CBA) for management, which may include an alternate contingency plan.

D—Document, Design, Develop and Deliver

The risk or security impact must be identified, understood and determined, or an understanding of the enterprise’s systems and applications should be determined by digging below the surface. As a result, the problems or issues faced by the enterprise are understood. The data and findings gathered will be presented to stakeholders to illustrate the value of managing risk and the cost of not doing so. Reliable and timely information on risk allows management to make better quality decisions. Understanding the risk appetite allows for more risk-intelligent management, which should lead to reduced risk or at least minimized impact from adverse events while attaining better project performance.

Once the full picture of the goal has been determined, the solutions should be documented, designed and developed. The project’s key performance indicators (KPIs) must be quantified and developed before one can deliver a plan or road map. The KPIs also provide report metrics for the project’s success. For example, how much rack space, electricity or cooling can be saved by virtualizing a certain number of server


This is the most exciting and challenging part: selling the idea to stakeholders and educating them as to why a change is needed to adopt the solution. Training and awareness program needs must not be forgotten, e.g., educating staff about the program or plan and the skills needed to support and implement the plan. To some, credentials such as the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Project Management Professional (PMP) and Certified Information Systems Security Professional (CISSP) are extremely important in leading the IT project. For these individuals the “E” is to establish their credentials by continuing their education.


It is critical to set goals for the program and be focused on the plan. The “F” is not to simply fulfill something but to go beyond the present and into the future. Therefore, following a few basic rules such as checking and double-checking the action plan and project management plan and following a reasonable (but flexible) timeline helps to accomplish goals.


The goals of the program must be communicated to the people involved in governance prior to communicating them to the team. The goals should align with the organization’s mission and should be fine-tuned to attain strong management support. Key goal indicators (KGIs) and KPIs should be established based on the previous steps. Communicating the goals to the project team helps ensure that everyone is on the same page.

H—Holistic Strategy

Next, one must sit down and review steps A through G one more time and listen to what others are saying about their needs. Ultimately, the solution needs to be scalable as well as holistic.16 A holistic approach enables the development of IT project management and helps identify the critical success factors of a given project and their alignment with each other. Furthermore, it is important to express concern and show one’s passion for the future of the program being launched, letting others feel the positive side of the upcoming project.

I—This Means You

After all these steps and hard work, it is nearly complete. It is important to keep going, like the little engine singing, “I think I can, I think I can….” This may sound trivial, but it is difficult to get people, processes and technology moving together in the right direction. Thus, it is critical to pass through that extra mile or step to get there. It is not always easy, but solving and managing difficult issues is crucial to the success of any project.


There are many approaches and rules for managing a project for an IT or security professional. There are also many frameworks and methodologies available to adopt for a specific IT or security environment, but the A to I steps described here—assess, build, communicate, document, educate, focus, set goals, adopt holistic approach and dedicate the “I”—are a good start. Every project has an end; however, professional credibility does not stop there. Another set of A-I steps can be used to continue to enhance the profession. As leaders, professionals must adapt, build up, continue to learn, be determined or disciplined, equip or enhance and fortify themselves with the right knowledge and skills, to grow, to head the crowd in the right direction and, finally, to inspire people.


1 Information Security Forum (ISF), Standard of Good Practice for Information Security, 2011,
2 International Organization for Standardization, ISO 31000, Risk management, 2009,
3 International Organization for Standardization, ISO 22301, Societal security—Business continuity management systems—Requirements, 2012
4 The APM Group Ltd., ITIL,
6 Carnegie Mellon University, Capability Maturity Model Integration (CMMI),
7 International Organization for Standardization, ISO 38500, Corporate governance of information technology, 2008
8 TechNet, Microsoft Baseline Security Analyzer (MBSA), Microsoft,
9 National Institute of Standards and Technology, US Government Configuration Baseline (USGCB), USA,
10 National Institute of Standards and Technology, Security Content Automation Protocol (SCAP), USA,
11 US Congress, Sarbanes-Oxley Act, USA, 2002,
12 Payment Card Industry Security Standards Council, Payment Card Industry Data Security Standard (PCI DSS), version 2.0, 2010,
13 US Congress, Federal Information Security Management Act (FISMA), USA, 2002,
14 US Congress, Health Insurance Portability and Accountability Act (HIPAA), USA, 1996,
15 US Congress, Health Information Technology for Economic and Clinical Health Act (HITECH), USA, 2009,
16 TechTarget, “Holistic Techology,”

Key Mak, CISM, CAP, CISSP, ITIL, PMP, Security Plus, ECMp, is an information systems security manager. Mak has more than 15 years of experience as a database administrator and developer and 12 years of experience as an IT director with an information security focus. He is working on his Certified Information Systems Auditor (CISA) certification.


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.