You budget for, enable, and staff your organization’s
information security program with people, technology, and visionary prowess. As
you step back and observe do you find yourself wondering: Does the business
consider the program relevant? Is my security program effective? In a business
environment where resources are limited, compliance requirements abound, and
budgets are constantly challenged to meet cost containment targets, this
article will explore a strategy to align information technology (IT), information
security (IS) (note: one is not necessarily inclusive of the other – a topic
for another article), system and data owners (SDO), aka: your business units,
Aligning IT, IS, SDO, and leadership will strengthen information systems’ value and inherent information security situational awareness, an awareness I would argue is incorrectly shouldered by IT. When it comes to managing information assets to assure the confidentiality, integrity, and availability (CIA) of an organization’s systems and data, what roles are in play? Good question, here are the primary ones found in any organization, with roles defined:
- Information Technology:
- Custodians of an organization’s systems and the data contained within. IT handles most facets of system care and feeding (updating, patching, and routine maintenance). When you consider the CIA triad, IT is primarily concerned with availability. IT will also partner with IS and SDO to enact information security controls and best practices to assure confidentiality and integrity of the organizations systems and data.
- Information Security (or compliance):
- Looks to understand an organization’s reliance on systems and data necessary to deliver on customer expectations and guides the business through a myriad of compliance requirements, mandates, and industry best practices. IS will assist an organization in control framework interpretation and application in an effort to manage information systems risk and compliance while aligning to CIA principles. This department is critical in achieving information security in any way, as it provides the oversight component for all things that impact CIA.
- System and Data Owner:
- Those within the business who are responsible for an organizations systems and data. An SDO is concerned with all three elements of the CIA triad and will work with IT, IS, and leadership to ensure the business system meets the needs, for the business and customers for which it was designed. It has been my experience that an SDO is primarily concerned with availability as this element of the CIA triad is most related to business income and customer satisfaction. Have you wondered who your SDO is within your business? If a business system fails who is the person most likely to stand on an IT desk and demand the system or service be restored? This person is likely your SDO.
- Senior most leaders in the organization responsible for casting business vision and managing the strategy to achieve. Among many areas of responsibility, leadership will oversee and manage risk to the organization, such as risk present within an organization’s information systems environment. An organization must individually consider confidentiality, integrity, and availability in the assessment of information systems risk.
How can you effectively secure what you do not fully understand? Effectively securing an organization’s systems and data requires a clear understanding, outside of IT, of information systems value and risk. Components of a total information systems picture may include:
- Clear understanding of what matters most to the SDO
- System characteristics and their information security implications
- System complexity, capabilities, and limitations
- Threats, vulnerabilities, and related controls
- Integrations (systems are not an island)
- Legal and regulatory compliance
An effective communications strategy will strengthen information systems’ alignment between IT, IS, and the business. When an organization raises the level of awareness with the” total information systems picture”, a business process will take hold that facilitates system discussions leading to meaningful system decisions. While there can be many types of system decisions organizations must consider, a few examples may include:
- Introducing a new system or data to an existing
system or environment
- Decisions or changes affecting a systems
- Risk strategy – acceptance, avoidance, mitigation,
reduction, or transfer
- Business continuity or incident response readiness
- IT and IS operating budget negotiations and staff
- Service level agreement capability and
A strategy for enabling effective communications will look
different from one organization to another. A communications strategy should
consider an organization’s unique characteristics, culture, and climate.
Activities that can contribute to enabling an effective communications strategy
- Getting IT, IS, SDO, and leadership at the table
for system discussions is a great first step. Appoint members to committees and
set up charters to provide governance and oversight for critical information
systems areas such as risk management, capability and performance management, compliance
management, incident management, business continuity readiness, and change
- Seek change control maturity derived through the
activities of a change control board (CCB). To avoid pulling out the carpet
from under “system decisions”, ensure a process capability exists that
considers change and the potential impact to business systems. Change management
should require changes that are documented, tested, approved, and evaluated by
a change review process (change board), and if necessary, rolled back or stopped.
- Incorporate control framework language into
system discussions. Identifying the control frameworks that are relevant to the
organization and then leveraging the framework(s) as a basis for system
decisions will support compliance objectives and strengthen an organizations
information security posture. Control frameworks could include, as an example,
ISO, NIST, CIS, PCI-DSS.
Planning, execution, and effective communications can
produce meaningful results and aid in your information security program being experienced