Linking Infosec Accomplishments to IWC Goals


The ISSO believes that the initial reasons for the IWC CIAPP, and IWC's reasons for establishing the ISSO position, have not changed, but a reverification and validation would be prudent. To confirm that the CIAPP and the ISSO's accomplishments are meeting their stated purpose, the ISSO decided on the following course of action:

  • Using a link analysis methodology, the ISSO maps all the LOE and project results to all applicable InfoSec and IWC plans; and

  • The ISSO develops a formal presentation to be given to IWC executive management in which the CIAPP status is briefed (assuming that the ISSO's boss agrees).

The results of the link analysis (Figure 10.1a and 10.1b) showed that the overall CIAPP goals, LOE, projects, and objectives were meeting the needs of IWC, with some minor setbacks and exceptions over the year.

Figure 10.1: A and B are examples of linking the InfoSec LOE and projects support to the CIAPP and IWC's goals.

The ISSO discussed the matter with the CIO. The CIO agreed that a briefing would be a good idea, especially since this is the end of the first year of the formal CIAPP under the ISSO. The executive management would want to know:

  • What was accomplished;

  • The cost of the CIAPP;

  • The status of the overall protection of the IWC information environment; and

  • What else was needed to ensure a secure information environment.

The CIO provided several recommendations:

  • The briefing should take no longer than 15 minutes and allow 15 minutes for questions;

  • The ISSO should not use any technical jargon but speak in business terms of costs, benefits, and competitive advantage, and give the IWC management some sense of assurance that the information and systems are being protected as needed;

  • The briefing charts should be clear, concise, and more of a graphical presentation than text—another reason for "management by metrics";

  • The briefing should be given professionally and objectively; it should not be used as a soapbox for requesting additional resources or to show how great a job the ISSO is doing;

  • All briefing charts should be provided in a package for each member of the audience with supporting detailed charts; and

  • At least 5 of the 15 minutes should be used to brief on next year's projects, goals, their costs, and how they would benefit IWC.

The ISSO had not been prepared to present the new year's plans and projects as part of the briefing. However, it appeared that the necessary information would be available based on the previous briefings and discussions with the InfoSec staff.

The ISSO suggested a briefing to be held the first week of December. The CIO agreed to set it up. The ISSO's rationale for a meeting in December was that the InfoSec staff's LOE and project input would be available on or about the first week of November, and that would provide sufficient time to develop the briefing.

The ISSO wanted to ensure that the briefing accomplished its goals, and that could be jeopardized not by the material but by the manner and format in which it was presented. The ISSO had heard of several briefers having their messages ignored because the format, fonts, colors, or other presentation choices used to convey the facts were disliked by one or more members of executive management.

The ISSO knew that such trivia should not be a prime concern of executive management, but the ISSO also knew that such things did occur. To ensure that the InfoSec briefing was successful, the proper format would be the first item of business.

The ISSO stopped by the desks of several of the key executive managers' secretaries, who provided insight as to the correct format, font size, and color of slides to use. At the same time, the ISSO was given some valuable tips from several of the secretaries as to how to present the material in a manner that the executives preferred. (Note: Although throughout this book the ISSO actions are discussed, some may be delegated by the ISSO, such as this task to the ISSO secretary or administrative assistant.)

The ISSO long ago learned that the secretaries of the executive managers had great insight into what worked with their bosses and what didn't. The ISSO's respect for them and informal assistance to them over the year had made them close allies. Now, that friendship would be able to help ensure a successful briefing format.

As part of this briefing, the ISSO developed an annual report for each IWC department vice president based on the metrics charts used throughout most of the year. That annual report contained some narrative and analyses supported by metrics charts showing the status of each department's compliance with the CIAPP and the security of their information environment. It included an Executive Summary in the front of the report and recommendations for improvements that could be made in the future, as well as the benefits of the recommended improvement versus the potential costs and cost savings.




The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204