Because InfoSec management oversees a specialized program, certain aspects of its managerial responsibility are unique. These unique functions, which are known as “the six Ps” (planning, policy, programs, protection, people, and project management), are discussed throughout this book and briefly described in the following sections.
Planning
Planning in InfoSec management is an extension of the basic planning mentioned later in this module. Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of InfoSec strategies within the planning environments of all organizational units, including IT. Because the InfoSec strategic plans must support not only the IT department’s use and protection of information assets but those of the entire organization, it is imperative that the CISO work closely with all senior managers in developing InfoSec strategy. The business strategy is translated into the IT strategy. The strategies of other business units and the IT strategy are then used to develop the InfoSec strategy. Just as the CIO uses the IT objectives gleaned from the business unit plans to create the organization’s IT strategy, the CISO develops InfoSec objectives from the IT and other business units to create the organization’s InfoSec strategy.
The IT strategy and those of the other business units provide critical information used for InfoSec planning as the CISO gets involved with the CIO and other executives to develop the strategy for the next level down. The CISO then works with the appropriate security managers to develop operational security plans. These security managers consult with security technicians to develop tactical security plans. Each of these plans is usually coordinated across the business and IT functions of the enterprise and placed into a master schedule for implementation. The overall goal is to create plans that support long-term achievement of the overall organizational strategy. If all goes as expected, the entire collection of tactical plans accomplishes the operational goals and the entire collection of operational goals accomplishes the subordinate strategic goals; this helps to meet the strategic goals and objectives of the organization as a whole.
Several types of InfoSec plans and planning functions exist to support routine operations as well as activities and responses that are not part of the normal operating environment. Routine planning includes that for policy, personnel issues, technology rollouts, risk management, and security programs. Plans and functions that go beyond the routine include planning for incident response, business continuity, disaster recovery, and crisis management. Each of these plans has unique goals and objectives, yet each can benefit from the same methodical approach. These planning areas are discussed in detail in Module 4.
Another basic planning consideration unique to InfoSec is the location of the InfoSec department within the organization structure. This topic is discussed in Module 7.
Policy
In InfoSec, there are three general policy categories, which are discussed in greater detail later in this module:
Enterprise information security policy (EISP)—Developed within the context of the strategic IT plan, this sets the tone for the InfoSec department and the InfoSec climate across the organization. The CISO typically drafts the program policy, which is usually supported and signed by the CIO or the CEO.
Issue-specific security policies (ISSP)—These are sets of rules that define acceptable behavior within a specific organizational resource, such as e-mail or Internet usage.
Systems-specific policies—A merger of technical and managerial intent, systems-specific policies include both the managerial guidance for the implementation of a technology and the technical specifications for its configuration.