In the last post, I started this exploration as an attempt to break the writer’s block and discuss an IT security governance model. This entry, I continue that thread and discuss a strategic framework. Hopefully, the writer’s block does not return!!
The Framework is Strategic
Your customers have a security governance framework, whether they actively engage it or not. An IT security governance framework is a strategic model. If you were to try and hang tactical projects off the framework, it wouldn’t hold. By definition, the governance framework is a tool to define the bounds or scope of an information security program. It documents the rules of operation, lines of communication, and the drivers that enable the security program to be aligned with the rest of the enterprise. So, if you were to take a security department initiative, such as a new Identity and Access Management implementation and try to find where to place it on the framework, it wouldn’t fit. At that point it would be possible to think that the framework was broke.
Strategic Drives Tactical
The reason there is no place to hang the IdM implementation used in the example above, is this: By design, there is no place for a tactical project on a strategic plan. The framework is designed to actually drive the tactical projects of the security organization as well as the rest of the enterprise. In other words, the strategic framework does not state what tactic (or technology) is to be used. It defines the scope, bounds and limitations of the business requirement. Let’s continue with the example of the Identity and Access Management implementation better illustrate this relationship.
The first question you should ask yourself and/or customer, (and not only because it will be asked when the request for funding goes to management), is why is this new IdM needed? The response may be any or all of the following: 1.) Faster onboarding; 2.) Better reporting; 3.) Cloud support and; 4.) Integration with multi-factor authentication. At first brush, you might ask where are any of these requirements in the framework? You know, just by being in the business for so many years that these things just need to be done. So how does the framework help?
The framework drives each of these four rationales for the implementation. Let’s look closer.
Faster Onboarding: This may be driven by Internal or External Drivers (Contractual Obligations).
Better Reporting: This may be driven by the Security Program Driver (Service Metrics).
Cloud Support: This could be driven by several drivers, including External Driver, (Contractual Obligations, Industry Standards and Best Practices), and the Security Program Driver (Standards).
Multi-factor Integration: This justification may be driven by a security program driver (Security Policy) to strengthen security through the use of improved authentication technologies.
In this example, there is a many to one relationship of the strategic framework to the tactical plan. There are many strategic reasons for everything we do in this profession and as well as in your customer’s organization. We need to understand and document what they are in what we do. A well-designed security governance framework assures that any tactical implementation is aligned with and supports the business goals and objectives of the customer’s enterprise.
It sounds fairly basic, but it always amazes me when a customer cannot clearly articulate why they are doing what they are attempting, other than a blanket, dismissive, “Because someone bought it…”
Help your customer (and yourself) by relating what we are doing to their IT security governance framework.