Security & compliance: When can you start the project?

31. 07. 19 John Chapman

Security and compliance with project management

An innocuous question?

A seemingly innocuous question to ask at project initiation ‘When can you start?’ The contract is signed and authority to proceed given. Consultants have been allocated, selected for their product knowledge and sector skill sets. The subject matter experts who are in the client’s organisation have made themselves available.

Initial activities include a technical planning call to discuss infrastructure requirements. This includes an assessment of the access needed for the Touchstone team. The usual questions arise such as:

  • What servers will they need to access to?
  • What access permissions are needed?
  • Is there a shared SQL database?
  • Who can deploy the software onto the live system?
  • Is this work to be on site, off site or a combination thereof?

All should be straightforward and will usually be managed by the customer’s IT team.

Obstacles to consider

Recently there has been a lot more focus on who is accessing which systems. From a risk perspective IT Departments and the wider organisation are asking about who will be able to access which databases and application servers.

A standard part of Touchstone’s project initiation is to go through our quality assurance checklist for site and system access. This asks questions such as:

  • Are there any vetting procedures that need to be followed prior to allowing the consultants access to the system such as DBS Checks? If so what details need to be obtained as these will need to be been factored into the project planning?
  • Are there any protocols to adhere to prior to arriving on site? For example do reception need to be advised that the consultant is visiting?
  • Is photographic ID needed to prove identity? If so does it have to be national ID such as a passport or a photo driving licence?
  • Does it take time to get through security? For example should time be allowed at the start of the day to gain access to the building or site?
  • Will individual logins be created for each consultant or are they to be given a generic login?
  • Is there any two factor authentication that needs to be set up? If so what mobile or desktop applications are needed for this?

Security policies and procedures have to be adhered to. Each organisation is different and the protocols vary. By asking the correct questions at the commencement of the project we factor into the planning the activities and elapsed time required to ensure compliance with the security practices.

So when the question is asked "When can you start working on the project?" Our core competencies as an organisation mean we can answer, with a level of certainty, based on the specific considerations for that particular organisation.


  • Share on:
John Chapman

Written by:

John Chapman

Programme Director

More