The management of information risk has become a significant topic for all organizations, small and large alike. But for the large, multi-divisional organization, it poses the additional challenge of determining how to deploy an information security governance program among what are often disparate business units.
Should the policies, procedures, and processes that define the program be developed and managed within a central, corporate body? Or would responsibility be better placed at the individual unit level? Is there a workable middle ground?
If alignment across business units is important, a centralized model would seem the proper choice. By directing and managing the program within a central governance body, all business units would be required to abide by the same unified vision and policy set. This structure gives executive leadership and the board better oversight, as there is only one place to go to assess the posture of the organization. Centralized governance is generally the most efficient, as resources can be leveraged in a cost-effective manner across the organization, thereby limiting duplication of effort and better utilizing talent and tools. This model also offers some sustainability in that shareholders can be assured that the profitability of an individual unit isn't likely to compromise the quality of the program. Finally, should an incident occur, it can be handled in a uniform manner with full corporate oversight.
However, there are issues with the centralized approach that can be better addressed with a distributed model, in which each business unit is responsible for its own InfoSec program. Because the units develop their own policies and standards, they are far more likely to embrace the program, assign the necessary resources to it, and fully implement it. Rather than having a generic set of policies that must apply across the whole organization, this model has the advantage of producing policies that are aligned with each unit's specific business model. Further, the business unit can act autonomously, and thus theoretically more efficiently, when policy changes or incident investigations are necessary.
We are all familiar with the accountability issues that arose during the Enron situation. As a result, today's shareholders demand that corporate leadership be well-versed in the conduct of the organizations they lead. Immediately following a significant information security incident, these leaders will likely be called upon for details.
In order to address this issue while retaining the benefits of business unit autonomy, many organizations are adopting a hybrid approach. The best of both models is achieved by providing a central governance body focused on program results, while each business unit retains control over the methods. These groups work together to achieve the overall program objectives. The following describes how the establishment of a hybrid program and the sharing of responsibilities might be realized.
1. Development of baseline policies and standards - To ensure consistency, many organizations centralize this process. Business units, however, should have significant input into the development of these materials, as acceptance will be critical to adoption. By defining consistent baseline requirements across the organization, leadership can understand the framework of the program. Each unit is then encouraged to develop its own business-specific set of policies and standards, which augments the corporate baseline and addresses any unique needs it may have.
2. Assessment of gaps - This may be performed by internal security and audit resources, external vendors, or consulting agencies. Centralizing this function will help ensure an objective picture of each unit's conformance to the baseline policy.