IWC's Business Plans

The ISSO must have an understanding of business and business competition on a global scale. Prior to developing a CIAPP, the ISSO must also read and understand the plans of IWC. These plans include the corporation's Strategic Business Plan, Tactical Business Plan, and Annual Business Plan. These plans are outlined at the executive management level and passed down to all IWC departments. The management of the departments then provides input into the plan outline. This information is then integrated at the executive management level. From there, the plans are passed down to the IWC departments, which will develop their own plans to support the overall IWC plans (see Figure 4.2).

Figure 4.2: The structure of the IWC business plans.

Strategic Business Plan

IWC has developed a proprietary Strategic Business Plan (IWC SBP). The plan describes IWC's strategy for maintaining its competitive edge in the design, manufacturing, and sale of high-technology widgets. That plan sets the baseline and the direction that IWC will follow for the next 7 years. It is considered IWC's long-range plan. It was decided that any plan longer than 7 years was not feasible because of the rapidly changing environment brought on by technology, and IWC's competitive business environment.

The IWC SBP sets forth the following:

  • The expected annual earnings for the next 7 years;

  • The market-share percentage goals on an annual basis;

  • The future process modernization projects based on expected technology changes of faster, cheaper, and more powerful computers, telecommunications systems, and robotics;

  • IWC expansion goals; and

  • IWC's acquisition of some current subcontractor and competitive companies.

The IWC SBP also calls for a mature CIAPP that can protect IWC's valuable assets, especially its proprietary information and processes, while allowing access to these assets by its international and national customers, subcontractors, and suppliers. In addition, it is expected that the CIAPP will be capable of supporting the secure integration of IWC processes and systems with others.

Key Elements of IWC's Strategic Business Plan that the ISSO Should Consider

The ISSO must ensure that the IWC SBP, which also resides on the IWC networks, is protected at a priority level second only to the proprietary processes.

Protection of this information is vital to the future of IWC. Its release to those without the need-to-know for the information could cause it to fall into the hands of IWC's competitors. If that happened, it would jeopardize IWC's competitive edge and its leadership position in the widget industry.

Another reason why the ISSO must understand the IWC SBP is that the CIAPP must include an information and information systems protection SBP that provides the strategies necessary to support the IWC SBP.

Tactical Business Plan

IWC also has a proprietary Tactical Business Plan (IWC TBP). The IWC TBP, which is a 3-year plan, sets more definitive goals, objectives, and tasks. The IWC TBP is the short-range plan that is used to support IWC's SBP. IWC's successful implementation and completion of its projects is a critical element in meeting IWC's goals and objectives.

The IWC TBP also calls for the completion of a CIAPP that can protect IWC's proprietary and sensitive information and systems while allowing access to them as needed under contractual agreements with national and international customers, subcontractors, and suppliers. In addition, it is expected to be able to integrate new, secure processes, etc., with minimum impact on schedules or costs.

Key Elements of IWC's Tactical Business Plan that the ISSO Should Consider

The IWC TBP must itself also be protected in much the same way as the IWC SBP; however, a less secure environment may be possible, since it is a support plan which provides the tactics to be used in support of the IWC SBP.

The ISSO must always remember that information is time-sensitive and the global marketplace is always dynamic. That is, the value of information is time-dependent and changes as global market conditions change. Therefore, the compromise of the IWC TBP would not cause as much damage to IWC as would the compromise of the IWC SBP. Thus, the protection requirements could be less, and also less costly. This is a key factor in protecting any information: It should be protected using only those methods necessary, and only for the time period required, based on the value of that information over time.

The ISSO must consider that the IWC CIAPP must contain processes to reevaluate the protection mechanisms used to protect IWC information and systems so that they are protected only for the period required.

As was true with the IWC SBP, the ISSO must understand the IWC TBP because an IWC information and systems protection TBP must be developed to integrate InfoSec services and support into the IWC TBP. The InfoSec TBP should identify the goals, objectives, and tactics necessary to support the IWC TBP.

A key point which should not be overlooked can be found by comparing portions of the IWC SBP and the IWC TBP. The IWC SBP stated that, "In addition, it is expected that the CIAPP will be capable of supporting the integration of new customers, subcontractors, plants, processes, hardware, software, networks, etc., while maintaining the required level of information and information systems protection without impact on schedules or costs."

The IWC TBP also includes a similar statement: "In addition, it is expected that the CIAPP will be capable of supporting the integration of new customers, subcontractors, plants, processes, hardware, software, networks, etc., while maintaining the required level of information and information systems protection with minimal impact on schedules or costs."

The interpretation can be made that the ISSO has 3 years to establish a CIAPP with minimum impact on schedules and costs. After that 3-year period, it is expected that the CIAPP will not have an impact on schedules or costs. As the new ISSO, you must determine whether that goal of zero impact is possible. (Hint: There will always be some impact. The goal should be to minimize that impact.)

As the new ISSO, you should immediately bring this potential conflict to the attention of upper management for clarification and interpretation. The apparent conflict may have been caused by a poor choice of words. However, it may be that the IWC management meant what they said. It is then up to you as the IWC ISSO to meet that objective or have the sentence clarified and changed.

IWC's Annual Business Plan

IWC also has a proprietary Annual Business Plan (IWC ABP) that sets forth its goals and objectives for the year. The IWC ABP defines the specific projects to be implemented and completed by the end of the year. The successful completion of these projects will contribute to the success of IWC's Tactical Business Plan and Strategic Business Plan.

IWC's ABP called for the hiring of an ISSO to establish a CIAPP that can provide for the protection of IWC's valuable information and information systems assets, while allowing access to them by its customers, subcontractors, and suppliers. This obviously seems like an impossible challenge; however, it is not unusual for corporate executives to demand or require this.

The ISSO will also be responsible for forming and managing an InfoSec organization. The ISSO will report to the IWC Corporate Information Office (CIO) (see Figure 4.1, above). The ISSO must also develop a corporate security annual business plan. That plan must include goals, objectives, and projects that will support the goals and objectives of IWC's ABP.




The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
EAN: 2147483647
Year: 2002
Pages: 204
