The document discusses planning for information security. It identifies key roles in the planning process and explains the components of information security system implementation planning. There are different types of planning, including strategic planning, tactical planning, and operational planning. Strategic planning guides organizational efforts with a long-term focus, while tactical planning breaks strategic goals into incremental objectives over 1-3 years. Operational planning organizes day-to-day tasks. The chief information security officer interprets strategic goals into specific security objectives and helps create a strategic security plan with elements like a mission statement and performance goals. Information security governance provides strategic direction, establishes objectives, and measures progress at the highest management levels.
You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra
Objectives • Upon completion of this material, you should be able to: – Identify the roles in organizations that are active in the planning process – Explain the principal components of information security system implementation planning in the organizational planning scheme – Differentiate between strategic organizational InfoSec and specialized contingency planning
Management of Information Security, 3rd Edition
Objectives (cont’d.) • Upon completion of this material, you should be able to: (cont’d.) – Describe the unique considerations and relationships between strategic and contingency plans
Introduction
Figure 2-1 Information Security and Planning
Source: Course Technology/Cengage Learning
The Role of Planning • Successful organizations utilize planning • Planning involves – Employees – Management – Stockholders – Other outside stakeholders – The physical and technological environment – The political and legal environment – The competitive environment
The Role of Planning (cont’d.) • Strategic planning includes: – Vision statement – Mission statement – Strategy – Coordinated plans for sub units • Knowing how the general organizational planning process works helps in the information security planning process
The Role of Planning (cont’d.) • Planning is creating action steps toward goals, and then controlling them • Planning provides direction for the organization’s future • In the top-down method, an organization’s leaders choose the direction – Planning begins with the general and ends with the specific
Values Statement • Establishes organizational principles – Makes organization’s conduct standards clear • RWW values commitment, honesty, integrity and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal and natural environments • The values, vision, and mission statements together provide the foundation for planning
Vision Statement • The vision statement expresses what the organization wants to become • Vision statements should be ambitious – Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every machine they use
Mission Statement • Mission statement – Declares the business of the organization and its intended areas of operations – Explains what the organization does and for whom – Random Widget Works, Inc. designs and manufactures quality widgets and associated equipment and supplies for use in modern business environments
Figure 2-2 Microsoft’s Mission and Values Statement
Source: Course Technology/Cengage Learning
Example • A CEO might develop the following general statement of strategy: – Providing the highest quality health care service in the industry. • The CIO might respond to the CEO’s statement with this more specific statement: – Providing high-level health care information service in support of the highest quality health care service in the industry.
Example (cont’d.) • The chief operations officer (COO) might derive a different strategic goal that focuses more on his or her specific responsibilities: – Providing the highest quality medical services. • The CISO might interpret the CIO’s and COO’s goals as follows: – Ensuring that quality health care information services are provided securely and in compliance with all local, state, and federal information processing, information security, and privacy statutes, including HIPAA.
Strategic Planning • Strategy is the basis for long-term direction • Strategic planning guides organizational efforts – Focuses resources on clearly defined goals – “… strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organization is, what it does, and why it does it, with a focus on the future.”
Creating a Strategic Plan
Figure 2-3 Top-down Strategic Planning
Source: Course Technology/Cengage Learning
Creating a Strategic Plan (cont’d.) • An organization develops a general strategy – Then creates specific strategic plans for major divisions – Each level or division translates those objectives into more specific objectives for the level below • In order to execute this broad strategy, executives must define individual managerial responsibilities
Planning Levels • Strategic goals are translated into tasks • Objectives should be specific, measurable, achievable, reasonably high and time-bound (SMART) • Strategic planning then begins a transformation from general to specific objectives
Planning Levels (cont’d.)
Figure 2-4 Planning Levels
Source: Course Technology/Cengage Learning
Planning Levels (cont’d.) • Tactical Planning – Has a shorter focus than strategic planning – Usually one to three years – Breaks applicable strategic goals into a series of incremental objectives
Planning Levels (cont’d.) • Operational Planning – Used by managers and employees to organize the ongoing, day-to-day performance of tasks – Includes clearly identified coordination activities across department boundaries such as: • Communications requirements • Weekly meetings • Summaries • Progress reports
Planning and the CISO • Elements of a strategic plan – Executive summary – Mission statement and vision statement – Organizational profile and history – Strategic issues and core values – Program goals and objectives – Management/operations goals and objectives – Appendices (optional)
Planning and the CISO (cont’d.) • Tips for creating a strategic plan – Create a compelling vision statement that frames the evolving plan, and acts as a magnet for people who want to make a difference – Embrace the use of the balanced scorecard approach – Deploy a draft high level plan early, and ask for input from stakeholders in the organization
Planning and the CISO (cont’d.) • Tips for creating a strategic plan (cont’d.) – Make the evolving plan visible – Make the process invigorating for everyone – Be persistent – Make the process continuous – Provide meaning – Be yourself – Lighten up and have some fun
Information Security Governance • Governance of information security is a strategic planning responsibility – Importance has grown in recent years • Information security objectives must be addressed at the highest levels of an organization's management team – To be effective and offer a sustainable approach
Information Security Governance (cont’d.) • Information security governance includes – Providing strategic direction – Establishing objectives – Measuring progress toward those objectives – Verifying that risk management practices are appropriate – Validating that the organization’s assets are used properly
Information Security Governance (cont’d.) • Actions of the Board of Directors – Inculcating a culture that recognizes the importance of information security – Aligning management’s investment in information security with organizational strategies and risk environment – Assuring comprehensive development and implementation of an information security program
Information Security Governance (cont’d.) • Actions of the Board of Directors (cont’d.) – Demanding reports from the various layers of management on the information security program’s effectiveness and adequacy