In order to be successful, the IWC ISSO must have an Information Systems Security Strategic Plan (ISSSP). That plan should be integrated, or at least compatible, with IWC's Strategic Business Plan. It is this plan that sets the long-term direction, goals, and objectives for information protection as stated in the CIAPP, vision, mission, and quality statements.
IWC's Strategic Business Plan sets forth the following information:
The expected annual earnings for the next 7 years;
The market-share percentage goals on an annual basis;
The future process modernization projects based on expected technology changes of faster, cheaper, and more powerful computers, telecommunications systems, and robotics;
IWC expansion goals; and
IWC's acquisition of some current subcontractor and competitive companies.
The IWC ISSSP is the basic document on which to build the IWC CIAPP with a goal of building a comprehensive information protection environment at least cost and impact to the company.
When developing the ISSSP, the ISSO must ensure that the following basic InfoSec principles are included, either explicitly or in principle, since they are part of the InfoSec strategy:
Minimize the probability of an information security vulnerability;
Minimize the damage if a vulnerability is exploited; and
Provide a method to recover efficiently and effectively from the damage.
Let's assume that the IWC Strategic Business Plan called for a mature InfoSec program known as the CIAPP (within the next 7 years) which:
Can protect IWC's information while allowing access to its networks by its international and national customers, subcontractors, and suppliers; and
Can support the integration of new hardware, software, networks, etc., while maintaining the required level of InfoSec without affecting schedules or costs.
The objectives of the ISSSP are to:
Minimize risks to systems and information;
Minimize impact to costs;
Minimize impact to schedules;
Assist in meeting contractual requirements;
Assist in meeting noncontractual requirements;
Build a comprehensive systems security environment;
Respond flexibly to changing needs;
Support multiple customers' information protection needs;
Incorporate new technologies as soon as needed;
Assist in attracting new customers; and
Maximize the use of available resources.
The majority of men meet with failure because of their lack of persistence in creating new plans to take the place of those which fail.—Napoleon Hill
To have a successful CIAPP, the strategy must also deal with the office-politics aspects of the IWC environment. A key element, which was stated earlier in this book, is to remember that the information and information systems belong to IWC, and not to the ISSO. Therefore, cooperation and coordination are a must!
Many functional organizations have an interest in the ISSSP and other CIAPP-related plans; therefore, the plans should be discussed with other team members such as the auditors, security personnel, human resources personnel, legal, and others deemed appropriate.
The ISSSP should also be discussed with and input requested from key members of the user community and IWC managers. After all, what you do affects what they do! It is a great way to get communication and interaction going. This will lead to a better plan and one that has broad-based support.
Their input and their understanding of what the IWC ISSO is trying to accomplish will assist in ensuring IWC-wide support for the CIAPP. For only with this kind of communication and interaction can the ISSO's IWC CIAPP succeed.
The ISSSP planning considerations must also include the following:
Good business practices;
An InfoSec Vision Statement;
An InfoSec Mission Statement;
An InfoSec Quality Statement; and
Providing channels of open communications with others such as the auditors, systems personnel, security personnel, users, and management.
All these factors must be considered when developing a CIAPP strategy and documenting that strategy in the IWC ISSSP.
The IWC process flow of plans begins with the IWC Strategic Business Plan through the IWC Annual Business Plan. Each of the plans' goals and objectives must be able to support each other: top-down and bottom-up (Figure 6.1).
Figure 6.1: The logical process flow of plans and InfoSec plans' integration into the IWC flow.
Once this process is understood, then the next step is to map the IWC ISSSP into the IWC Strategic Business Plan goals and objectives.
IWC's strategy identified the annual earnings for the next 7 years as well as market-share percentage goals. This clearly underscores the need for a CIAPP that will be cost-effective.
As was previously mentioned, InfoSec is a "parasite" on the profits of IWC if it cannot be shown to be a value-added function (one that is needed to support the bottom line). Therefore, the CIAPP strategy must be efficient (cheap) and effective (good). If that can be accomplished, the CIAPP will be in a position to support IWC's strategy relative to earnings and market share.
Mapping these points (Figure 6.2) can help the ISSO visualize a strategy prior to documenting that strategy in the InfoSec Strategic Plan. The mapping will also assist the ISSO in focusing on the strategies that support the IWC strategies.
Figure 6.2: A sample mapping of an IWC strategic goal to the ISSSP goals.
Writing the ISSSP will come much more easily once the mapping is completed. Once that is accomplished, the ISSO will write the ISSSP following the standard IWC format for plan writing.
The IWC format was determined to be as follows:
Table of Contents
InfoSec Strategic Goals
How the InfoSec Strategies Support IWC Strategies
For those readers who are inclined to argue the technical definitions of terms, I concede that the definition of terms varies between corporations and those used here may not nicely fit into the definitions used by the corporation or government agency of the reader. However, the reader should not lose sight of the process being discussed. That is the important aspect of this chapter.