SOCIETY | Jul 17, 2019

About trains, data protection and Project Management

Listening to a telephone conversation on a Frecciarossa train provides a lesson in Risk Management and Privacy.

“Let those that are at peace with you be many, but let your advisers be one in a thousand.”
(Bible, Sirach 6)

A few weeks ago, on a Milan-Rome train, a talkative pro sitting in front of me spent 90% of the 3 hours of the journey telling everybody all about his business on his mobile phone.

Not being able to concentrate on anything else because of his agitated tone of voice, I turned on my PC and started to listen to what he was saying, putting my headphones on to hide my interest, but keeping them turned off, and opening the Google home page which would soon come in handy. In fact, the guy turned out to be a real treasure trove of information.

After a couple of minutes, he revealed he was a bid manager and began talking about a bid they were preparing for an IT contract (wow, my area of interest!) which he was in charge of.

With the elements he gave me whilst talking to his bosses and collaborators, supplemented by a few web searches on the fly, within a quarter of an hour, I identified the contract and the customer, the company he was working for, what their strengths were (according to him), the weaknesses and the criteria which they were using to prepare the bid.

I also identified him. Thanks to the volume level of his smartphone (tinnitus, move over), I could hear his interlocutor haranguing him, at which point I simply carried out a search on LinkedIn, cross-referencing him with the name of the company, which he had mentioned several times (“…no, because as XXX we cannot afford not to make a move onto this customer…”, “…because the customer expects that as XXX we bring innovation…”, etc.).

In short, by the time I reached my destination I had a dossier ready on a potential competitor.

Projects and information security

Preparing a bid for a tender is technically a project. Documentation must be submitted within a certain timeframe with clear objectives. Our bid manager on the Frecciarossa was therefore a Project Manager.

The Project Manager is always responsible for protecting project information: strategies, business, resources, personal references and more. This information must be identified, classified, and its processing defined. Leaving aside any considerations of politeness, and whether speaking out loud for three hours might bother the poor people sitting one meter away from you, we can certainly say that as a Project Manager the guy on the train was a total disaster.

No confidentiality, no caution in processing data; information about facts, names and people spoken out loud in a context (the business class of a high-speed train) where that information could be of interest to others.

It is a classic example of a failure to apply any risk management, which, not by chance, is a key area of action when managing any project.

To simplify, risk management is based on the preliminary assessment of the so-called exposure, which classical theory defines as the product of the probability that the risk will occur and the resulting impact.

In the case of our traveler, the exposure was medium to high, as I showed with my “intelligence-led” action (not even a difficult one at that): the probability that someone could steal information of interest was high, and the potential impact downright catastrophic (loss of the contract because of the sensitive information revealed by the chatterbox).

Projects and the right level of confidentiality

In cases like this, using some common sense would be enough. However, in order to approach the problem in a more structured way, there are several guidelines and good practices to ensure the right level of confidentiality and processing of project data.

In particular, control A.6.1.5 “Information Security in Project Management” in Annex A of ISO 27001, the standard for information security management systems, addresses exactly this. Any project requires resources, activities to be carried out and established time objectives. Information security can be integrated into project management activities in various ways.

As a first step, it is necessary to include information security objectives in the more general objectives of the project.

Then a risk assessment (probability and impacts) should be carried out both at the initial stage of the project and afterwards, periodically and when specific events occur which may suggest an update. Finally, the identified risks must be treated and the most appropriate countermeasures implemented.

In conclusion…

The information security policy should be an indispensable part of all phases of a project. While this is important in any industry or sector, it becomes truly crucial in areas that affect or aim at the integrity, availability and confidentiality of digital content and information, such as most IT projects. If you don’t care about the confidentiality of your information, at least think about the fact that your train neighbor doesn’t care much at all about what you have to say. At least at the beginning…

Marco Caressa