According to the IT Governance Institute, information security governance is "an integral and transparent part of enterprise governance and must be aligned with the IT governance framework." While this may work well for large enterprises that have implemented matrixed business models, it may not lend itself well to midmarket companies. Leadership and business models of smaller organizations may not support enterprise governance frameworks due to the lack of suggested leadership structures. This is where the quandary occurs.
For information security to succeed in an organization, its leader must have a vehicle for floating strategy, validating objectives and communicating risk exposure that does not require the same level of process and structure as governance for the enterprise. The vehicle must still consider some of the same aspects of enterprise governance, such as communication, convergence, a common language and organizational alignment. Such a vehicle exists in the use of an IT engagement model.
An engagement model is a process designed to facilitate the bidirectional flow of tasks and activities around a team, in this case your organization's information security team. This process enables the information security team to respond effectively in support of organization-wide and IT-specific projects. It also supports the convergence of business units where matrixing has not occurred on a formal basis. Use of an engagement model will ensure that expectations are set, tasks are executed on time and delivery is effective.
As with any process, the security framework you follow should be based on your operating capacity. In the name of efficiency and lower cost of ownership for your programs, we will review a model that consists of a four-phased approach:
Phase I: Initiation -- Identify the business partners who converge with information security or require your support. Next, develop the preferred method of communication that convergence partners will use to communicate with your team. This is the engagement kick-off.
Phase II: Analysis -- Meet with partners to discuss their needs, gather requirements and review project goals. You should present the services your team offers, such as architecture, analysis and consulting. A member of the team, as well as an alternate, should be assigned based on their expertise. The analysis phase consists of the following sub-activities:
- Research and evaluation: The team will research all aspects of the project, including, but not limited to, the proposed technology (this may require engaging the vendor), customer needs, existing and proposed infrastructure, existing and proposed documentation (e.g., policies or standards), and risk posture.
- Assurance recommendations: Based on the above findings, prepare a recommendations document. This document's goal is to give the project team and/or convergence partner the ability to accept or reject the recommendations of the information security team.
- Exceptions: Based on feedback from the project team and/or convergence partner, any recommendations rejected in the assurance recommendations document will be documented along with the rationale or mitigators for the rejection. The purpose of the exceptions document is to capture why a particular risk that could possibly result in compromise of your organization's infrastructure has been accepted. This document is a first draft, as there may be changes to requirements throughout the lifecycle of the project.
Phase III: Engagement -- Appropriate information security staff from your team will begin providing the agreed-upon services from Phase II to your convergence partner to meet the project's goals. Any changes to the project affecting the assurance recommendations and/or exceptions should be noted through the accepted method of communication from Phase I.
Phase IV: Delivery -- Projects are dynamic in nature and therefore subject to change to accommodate last-minute business requirements or unidentified technology limitations. Therefore, a final meeting with the convergence partners should be held to amend the Exceptions document. This is the final draft of the Exceptions document and can serve as a statement of record should questions arise in the future as to decisions and final outcomes.
Think of engagement as the cleaner version of Six Sigma and Lean. It will provide the results you seek and others will respect it.
Ravila Helen White is senior IT security analyst for the Bill & Melinda Gates Foundation.