The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program

IWC's fiscal year and calendar year both end on December 31st. The ISSO decides that the beginning of the fourth quarter (October) is a good time to start planning for the coming year and begin evaluating the current year.

In order to plan for the coming year, the ISSO must first determine how successful the CIAPP and the InfoSec staff have been for this past year. Of interest would be:

• What was accomplished?

• What was planned but never completed, and why?

• What was planned but never started, and why?

• What was successful, and why?

• What wasn't successful, and why?

• What processes are current?

• What processes require updating?

• If a process was outdated, why was it not updated as needed?

• Is the InfoSec organization operating within budget?

• If not, why not?

• What budget is required for the coming year, as well as 2 or 3 years from now?

• If more budget is required, why?

• If more budget is needed, are there other measures that can be taken to minimize the need for a larger budget? (Remember that as an ISSO, you get paid for results and not the size of your InfoSec staff or the size of your budget.)

Level-of-Effort Activities

The ISSO has tasked each InfoSec functional lead to form a project team with selected members of the InfoSec functional staff and evaluate the processes used for completing their assigned LOE function. Of course, if the InfoSec function was a one-person job, that person would conduct the review by him- or herself and ask for input as needed from other staff members and the ISSO. Remember that the level-of-effort (LOE) activities are those activities or functions that are the day-to-day InfoSec tasks performed by the InfoSec staff. These activities are those identified as the ISSO responsibilities previously discussed and include:

• Access control;

• Awareness program;

• Noncompliance inquiries; and

• Security tests and evaluations program, etc.

This is to be accomplished by each functional team sitting down together to determine:

• What worked;

• What didn't work;

• Why it worked (process may be useful for other functions);

• Why it didn't work;

• How much time they spent doing each task, sub-task on the average;

• How the job might be done better;

• How the processes might be changed, why, and identified potential savings;

• Which forms, if any, should be modified or eliminated; and

• Other considerations.

The ISSO directed that any recommended changes be quantified in time and/or cost savings, as applicable. If the changes could not be quantified, the staff members would have a difficult time changing the process. The ISSO reasoned that with few exceptions, process changes that did not save time or money were probably not worth making, as nonquantified changes cost money with usually no return value.

The ISSO directed that all members of each function support their functional lead in this endeavor and provide a briefing to be held the first week in November as part of the ISSO's expanded staff meeting where all InfoSec staff attended. During that briefing, the functional processes would be discussed and modifications approved where necessary. If the modifications could not be accomplished within 30 days, a formal project plan would have to be developed and briefed at that November meeting.

Projects

During the first week of October, the ISSO will also begin the evaluation of the CIAPP for the past year. The ISSO, in concert with the InfoSec staff, will review the projects that were begun this year, as well as those projects that were begun last year and completed this year.

The ISSO will determine the following:

• Did each project accomplish its objective?

• Was the project completed in accordance with the project plan?

• For those projects not completed on time, what was the cause of not meeting the completion date?

• For those projects completed ahead of schedule, why was it completed ahead of schedule? (The ISSO wants this information because it may be due to poor project planning which must be corrected, or it may be due to a unique approach that could be used on other projects.)

• What was the cost of each project?

• Were the projected benefits of the projects realized and if not, why not?

The ISSO will, in concert with the InfoSec staff, analyze all the projects, and based on that evaluation, modify the process used for initiating, determining costs, determining resource allocations, and determining schedules for all new projects.

Also of importance is feedback from IWC employees: their evaluation of service and support provided to them by the ISSO and InfoSec staff. The employees' opinions as to what improvements can be made in the CIAPP to minimize costs and provide the necessary level of information environment protection are also important. The ISSO and staff developed a survey to be sent out to all departments. The feedback received will also be incorporated into the year-end evaluation-analysis. Some ISSOs may not want to take this survey approach, because they may be reluctant to receive criticism and complaints from non-InfoSec professionals about how the ISSO and InfoSec staff can better do their jobs. However, such feedback is important and should be welcomed and considered at all times.

Once the analysis is complete, the ISSO and staff members will determine what new projects will be required for the following year. Those projects, once identified, will be assigned to the applicable member of the staff as the project lead. The staff members will then be given 30 days to complete a draft project plan. That plan will identify the specific objective to be accomplished, all tasks, milestones, resources required, etc.

During the staff meeting held during the first week of November, all the project leads will present their project plans to the ISSO and the staff. The project plans will be evaluated and discussed by the ISSO and the staff. Any recommended changes to the project plans will be cause for actions to be taken to change the plans as appropriate. In addition, the overall project plan process will be discussed and modified as needed.

It is the responsibility of the ISSO to ensure that adequate resources are allocated for the completion of the projects as planned. Where several members of the InfoSec staff are assigned to lead or support multiple projects, the ISSO will prioritize the projects and then allow the project lead and project support staff to work out the details. Where conflicts in work arise, the matter will be discussed with the ISSO, who will make the final decision based on the input of all those concerned and the proper allocation of resources.

This approach follows the management philosophy of having decisions made at the lowest possible level where the required information on which to base a decision is known. It also meets the ISSO's philosophy of trusting your professional InfoSec staff and treating them as part of the professional InfoSec team.