ISO/IEC 27001 Control 5.8: Information security in project management

Control

Information security should be integrated into project management.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint can manage projects as organizational units, including project governance information (managers, sponsors, reviewers).

Implementation Details

Privileges necessary for project members and managers can be assigned automatically. Because midPoint organizational units act as roles (abstract roles), all policies and privileges required for a project can be defined centrally (in a project meta-role or archetype) or at the level of an individual project. Projects can be represented automatically by entitlements, e.g. by automatically creating and managing Active Directory groups for projects. Information classification labels can be applied to projects, either manually or automatically. Delegated administration can be used to let project managers control certain aspects of their projects (e.g. project name, description and membership). Policy rules can report on or enforce the validity and consistency of the project structure, e.g. by making sure that every project has at least one manager.
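The following midPoint archetype is an added illustration, not an Evolveum sample and not part of this page; it shows how the mechanisms above combine for a project org: a policy rule requiring at least one manager, a group entitlement on an assumed Active Directory resource, and roles induced to members and to managers. The OIDs, the two roles and the resource are placeholders assumed to exist in the deployment.

```xml
<!-- Assumed illustrative archetype for projects; OIDs, roles and resource are placeholders. -->
<archetype xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
           xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
           oid="PLACEHOLDER-PROJECT-ARCHETYPE-OID">
    <name>Project</name>
    <!-- Order 1 (default): applies to the project org itself.
         Policy rule: a project must keep at least one assignee with the manager relation;
         the enforcement action rejects an operation that would violate this. -->
    <inducement>
        <policyRule>
            <name>project-requires-manager</name>
            <policyConstraints>
                <minAssignees>
                    <multiplicity>1</multiplicity>
                    <relation>org:manager</relation>
                </minAssignees>
            </policyConstraints>
            <policyActions>
                <enforcement/>
            </policyActions>
        </policyRule>
    </inducement>
    <!-- Order 1: represent the project as a group (entitlement) on the assumed AD resource. -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-AD-RESOURCE-OID" type="ResourceType"/>
            <kind>entitlement</kind>
            <intent>group</intent>
        </construction>
    </inducement>
    <!-- Order 2: applies to every member of a project (any relation). -->
    <inducement>
        <targetRef oid="PLACEHOLDER-PROJECT-MEMBER-ROLE-OID" type="RoleType"/>
        <orderConstraint>
            <order>2</order>
        </orderConstraint>
    </inducement>
    <!-- Order 2, manager relation only: additional privileges for project managers. -->
    <inducement>
        <targetRef oid="PLACEHOLDER-PROJECT-MANAGER-ROLE-OID" type="RoleType"/>
        <orderConstraint>
            <order>2</order>
            <relation>org:manager</relation>
        </orderConstraint>
    </inducement>
</archetype>
```

Any org object created with this archetype becomes a project: membership and manager privileges follow from the assignment relation, and unassigning a member or manager removes the induced access with it, which is the cleanup the Rationale below depends on.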

Rationale

MidPoint is necessary, as project-related policies cannot practically be enforced manually across a large number of roles and a large number of project membership changes. If not automated, access rights associated with projects are usually assigned to users and never removed. Retaining access rights related to closed projects and former project members usually results in severe over-provisioning. Access control related to project management must be automated to be secure and practical.
