How a Local Government organization implemented a simplified process which ensured that communication and consensus were maintained between the Business and IT during a period of Information Security Management transition.
Client Challenge
When a local government organization appointed a new Director of Corporate Services, he made the decision to align Information Security Management with international standards best practice. This meant moving away from decisions based primarily on technology solutions to a method where decisions were made primarily on business requirements, and changing the ownership of Information Security from IT to the Senior Executives. The major challenge he faced was finding a simplified methodology that gave the Senior Executives the knowledge and confidence to make business-led decisions regarding Information Security without needing the technical know-how or language.
Other challenging aspects for this client were successfully transferring ownership of Information Security from the IT Department to the Senior Business Executives of the local government organization, whilst maintaining a good level of communication and consensus between both parties. Seeking a better understanding of how to implement a methodology based on business requirements, the Director of Corporate Services turned to GSMiT for answers.
GSMiT's Advisory Solution
GSMiT Consulting focused on providing this client with an Information Security Analysis process that was repeatable, actionable and reportable, and that provided a framework for strategic security planning. Using the Linus Secure methodology in our process, the GSMiT team conducted workshops and interviews separately with both the Senior Business Executives and the Control Owners (IT). We initially worked with the Business Executives to identify the relevant regulatory and industry standards, the information crucial to the organization from a regulatory and organizational perspective, how they would rate that information if a breach of Confidentiality, Integrity, Availability or Accountability occurred, and the access into this information (how, when, who, devices, storage). This essential step was performed with the key Business stakeholders, who were then provided with summary reports of the above information for validation before we moved on to the second phase.
Working in partnership with the Control Owners (in this case the IT Department), we identified all controls currently utilised from a holistic perspective. The strength and effectiveness of each control was discussed and decided without any product or industry bias, enabling a true representation of current and proposed controls.
At the completion of these two phases, we then independently analysed the controls against the ratings that the Business had provided and identified gaps that existed in the protection of key information. A comprehensive final report was produced for the key Business and IT stakeholders. This contained the key information from both the Business and IT phases, defined the current gaps, and provided mitigation recommendations from a holistic, cost-effective and vendor-independent perspective.
Impact on Client's business
As a result of our work, this client gained a strategic security framework and a process which enabled all security solutions to be based primarily on business requirements. Once the framework was completed, it was then used to model new application requirements and/or the effect that adding or removing controls would have on the ratings provided by the Business.
Business and IT gained consensus on security direction and the required protection, without having to understand each other's areas of expertise. This process allowed the Business to define what was required with regard to the organisation's information, and the Control Owners to come up with appropriate holistic solutions which matched what had been stipulated.