Planning for Next Year


The ISSO had received the input from the InfoSec staff at the November meetings. Based on that input, the ISSO was prepared to write next year's InfoSec Annual Plan and update the InfoSec Strategic and Tactical Plans. However, in order to accomplish those tasks, the IWC Plans must be received. After all, the InfoSec Plans had to support the IWC Plans.

The ISSO knew that the draft IWC Plans would not be available until January. Therefore, the ISSO drafted the InfoSec Annual Plan and updated the InfoSec Strategic and Tactical Plans based on information gathered through discussions with various levels of management involved in developing the IWC Annual Plan and updating the IWC Tactical and Strategic Plans.

The ISSO implemented the InfoSec Plans January 1st, without waiting for the draft IWC Plans. The ISSO did so in order to begin the much-needed LOE modifications and projects that were time-dependent. If they were not started right after the first of the year, their schedules might have to be slipped. The ISSO could not afford to do that and took the risk that the information gathered to date was accurate, and that any changes at the IWC level would only cause minor adjustments to the InfoSec schedules—if any.

As part of the ISSO and InfoSec staff year-end analyses, a flowchart was developed (Figure 10.3) which would be used for briefings and also would let InfoSec staff see how their jobs supported IWC.

Figure 10.3: An example of how corporate goals' InfoSec support can be visually linked to provide a simple view of InfoSec service and support functions.

The ISSO and staff also took all their risk management reports for the year and evaluated what was accomplished to correct CIAPP deficiencies and determine what needed to be done in the coming year to correct other deficiencies (Figure 10.4). These then were linked through a vulnerabilities-projects flowchart to identify "Strategic Direction: CIAPP Projects to Address Vulnerabilities."

Figure 10.4: An example of how vulnerabilities identified throughout the year by risk management methods, such as risk analyses and risk assessments, can be visually linked to provide a simple view of work accomplished or needed to provide a more secure IWC information environment.

After completion of all the executive management briefing charts, and 1 week prior to briefing IWC executive management, the ISSO gave the briefing, along with an additional analysis of the CIAPP and InfoSec functional accomplishments, to the InfoSec staff. The 1-week interval was to ensure that the briefing was accurate and that the charts said what needed to be said. The InfoSec staff could evaluate the briefing, and it provided an avenue for constructive criticism. After all, the ISSO wanted, as a side issue, to show executive management the outstanding job done by the InfoSec staff during the past year, without saying so. In other words, let the briefing speak for that.

The CIO was invited to attend the ISSO's "expanded staff meeting" so that the CIO would not have any surprises at the executive management briefing. In addition, the ISSO wanted the CIO to attend to say a few words after the briefing, thanking the InfoSec staff for their fine work over the past year. The ISSO believed that such visibility of InfoSec staff to executive management would also boost morale, as they would see that their hard work was appreciated.

Upon the completion of the successful briefing, the ISSO scheduled another expanded staff meeting to be held on a Friday before the holidays and scheduled to last all day. At that expanded staff meeting, the ISSO had a catered lunch brought in as a special measure of thanks to the InfoSec staff. After all, if the InfoSec staff was not successful, the ISSO could not be successful.


The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204