Handbook of Information Security Management:Policy, Standards, and Organization

Resource Assignments for Risk Management

Typical responsibilities of the “regular” IPS staff are as follows.

Corporate policy and procedures — A comprehensive set is essential. Several recent surveys (including a 1996 study by Gordon and Glickson “Shortcomings in Corporate Technology Policies”) and articles in respected publications such as CIO Magazine continue to stress the importance of well-defined policies for access and use of information resources. In the “virtual organization” IPS may need to work with the Legal Department to ensure relevant measures are included in the “terms and conditions” of contracts with key vendors and suppliers.

Awareness of staff and management — Although many organizations denigrate the significance of security awareness training, in the experience of many information security practitioners it remains the most efficient and often the most effective method for ensuring that staff safeguard information. As global economic competition gives rise to more classic Cold War espionage elements, it is vital to educate both staff and managers about the changing threats and their evolving responsibilities. Such education is best achieved through a well-designed security awareness campaign.

Incident response — In even the best planned and run information protection programs there will be incidents and matters that must be carefully investigated. This is an essential IPS role and it is best led by a regular IPS staffer. However, serious incidents will likely require use of both matrix internal and external assets, depending on the nature and complexity of the incident. Building cases for prosecution through careful acquisition of criminal evidence is a specialized task where seemingly minor errors can compromise otherwise excellent efforts.

Network intrusions — Identifying the possible or likely perpetrators, reviewing the systems and network activity and audit logs to find evidence, and preparing disciplinary or prosecutorial reports for organization management and/or law enforcement are tasks best overseen by a regular IPS staffer with the organization’s best interest paramount. Supplemental skills may be added from both matrix and external assets but leadership should remain with the organization’s IPS regulars.

Theft or loss of proprietary information — This is such a serious incident that it deserves special and advance planning to ensure a quick, timely response to any indications of such an event. In this case the nominal leadership is likely to rest with the corporate law department or corporate security group. However, as many incidents have already arisen where the crime involves information systems and networks, IPS is likely to be a pivotal player in documenting the nature and extent of the loss.

Virus infection — These situations have become a regular exercise for most large organizations. It is important to have well-thought-out SOPs, an incident response plan, and roles assigned in advance. These are areas where a regular IPS staffer can significantly contribute to the speedy restoration of services with minimal lost data and disrupted processing.

Internal Consulting

Applications and systems development — As new technologies and systems are deployed to increase business advantage, it is essential that IPS provide advice and direction on secure implementations, or at least ensure that responsible management knowingly accepts the risks inherent in unsecured projects.

Information valuation and classification — This is a major project when first undertaken. Use the ISSA-approved information valuation methodology or other techniques to determine, and obtain consensus on, the list of “crown jewels,” which will likely include the organization’s trade secrets and other elements of information from which the organization derives competitive advantage.

Project Resources

In the VPT it is assumed that the typical IPS staff member will be responsible for no more than three to five major projects or functional responsibilities, depending on the experience/capability of the incumbent staffer and the complexity of the projects or job responsibility. IPS regulars should be employed as project managers to ensure timely completion of essential projects. The project management role will typically encompass directing a combination of internal matrix staff (probably belonging to corporate MIS/IS or line/business unit IS staffers) supplemented with necessary external consultants providing special expertise or knowledge.

Projects and functional responsibilities should be defined in the context of the organization’s long-term/strategic IS and operational plans. If resources and experience allow, the IPS group itself should prepare a multiyear plan which highlights significant information security priorities and initiatives.

Benefits of Virtual Team Planning Process

Flexible — Able to add external and matrix resources without committing IPS to permanent/regular staff until or unless a proven functional responsibility is identified by organization experience.

Adaptive — Too often information security organizations, like most business organizations, become prisoners of past responsibilities, unwilling to give up a comfort-zone familiarity with activities that contribute less to the welfare of the enterprise than uncomfortable new alternatives.

Responsive — Management can expect the flexible and adaptive organization to focus on new priorities and devise protection strategies consistent with changes deriving from either environmental change or strategic business initiatives.

Drawback to Virtual Team

Divided loyalties of the matrix staff — The most difficult challenge for IPS is enrolling and managing non-IPS staffers in a project they may perceive as less desirable than competing alternatives. Since their assignment is, by definition, limited to a matrix role, expect them to retain primary loyalty and priority for their sponsoring organization. However, reasonable results can be achieved through the influence of management in the supporting IS management chain and in project management, and through use of the IPS organization’s senior management chain of command. The most common consequence of matrix assignment is that projects will generally take longer than they would if staffed exclusively with regular dedicated IPS staff or even outside consultants. However, the trade-off in cost is often worth the delay. Those projects that have no flexibility in timelines should be assigned to IPS regular staff and/or external consultants.
