The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program

IWC's Departments of Primary Importance to the ISSO

Since the InfoSec organization is a service and support organization, all the IWC departments and personnel are important to the ISSO. However, there are several departments that the ISSO must work with closely and rely on to successfully provide that service and support. In addition, several are an integral part of helping to ensure that the CIAPP is successfully implemented and managed. At IWC, these departments are as follows:

• Ethics Department: This small organization reports to the CEO and is managed by a director. This organization is responsible for working with the training department to provide ethics training to the employees. In addition, it manages the IWC Ethics Hotline. The Ethics Hotline was established to receive complaints and conduct inquiries into allegations of wrong-doing, such as unethical conduct, by employees or others who may be associated with IWC. The complainants may remain anonymous if they so choose. If they provide their names, that information is kept IWC-Private. If an allegation is received that requires more detailed inquiry where possibly evidence, more in-depth interviews, and interrogations are required, the Ethics Director provides that information to the Security Department's Manager of Investigations, who works directly for the Security Director and who conducts the inquiries and reports the results back to the Director of Ethics, who is defined as the internal customer for such matters. The Director of Ethics chairs a monthly ethics meeting whose members include the ISSO's representative, the Manager of Investigations, a legal representative, a Human Resources representative, and the Manager of Audits. The ISSO is to be called on to support these investigations and inquiries through technical support, such as computer forensics.

• Audit Department: IWC's Audit Department is similar to other corporate audit departments. The auditors in this department conduct audits to ensure that IWC is operating, and that its employees are performing their duties, in accordance with applicable federal, state, and local laws, as well as corporate policies and procedures. The audit manager and the ISSO share information of mutual interest, such as audit findings related to the lack of protection of information and systems.

• Legal Department: This department is responsible for performing all duties commonly associated with any corporation's legal department, such as providing advice and assistance to the ISSO as requested or deemed appropriate.

• Employee Relations, Human Resources Department: As its name implies, this organization within the Human Resources Department deals with employee issues, such as employees' complaints about managers, and provides guidance to managers relating to employee discipline.

Within the structure of IWC, you will find that it is no different from most other corporations. The corporate environment (or corporate office) differs from that of a business unit. The corporate environment has a strategic outlook, managing the overall business performance and strategy of the company. The focus is on strategic direction of the enterprise, making the company profitable and producing shareholder value. A corporate office generally does not develop and deliver products and services. That is done by its business units, although they maybe colocated, as some are at IWC.

In support of its vision, the corporate office will establish the overall strategy for the company, determining the type and scope of business. The corporate office will also develop policy, provide performance and compliance oversight, and exercise its fiduciary obligations to the board of directors and the shareholders. The corporate office usually does not get involved in the daily operations of a business unit. However, there are exceptions or conditions such as poor performance where the corporate office will intervene in the operation of a business unit.

A business unit functions much differently than a corporate office, They operate in an environment where goods and services are designed, developed, produced, and delivered. It is a tactical operation in support of the company business strategy. The day-to-day focus is on getting the product out. Typically, many different business units operate independently of each other and report to a corporate office (see Figure 4.1, above). Each business unit has different strategic objectives that fit into the overall company strategy.

IWC, like every company, regardless of size, has its own special culture. Some companies encourage competition between business units. Here rivalries as well as aggressive behavior are encouraged and rewarded. In other companies, teamwork is encouraged.

Social scientists tell us that cultures are built upon behavioral "norms" which are defined as a set of expectations as to how people will behave in a given situation.^[4]

The culture of a company can differ between the corporate environment and the operations environment just as much as it differs between companies. Subcultures within an organization exist which may differ significantly from the larger organization. Understanding the company culture is essential for success.

Although assigned under the CIO, at IWC's corporate office, the ISSO has information and information systems protection authority within all corporate and business units of IWC.

^[4]Golin, Mark, Bricklin, Mark, and Diamond, David, Secrets of Executive Success. Rodale Press, Emmaus, PA, 1991.