Information Security Governance: Centralized vs. Distributed

Audry Agle, VP at The First American Corporation, on creating a model that works for your business

By Audry Agle

September 03, 2008, CSO

The management of information risk has become a significant topic for all organizations, small and large alike. But for the large, multi-divisional organization, it poses the additional challenge of determining how to deploy an information security governance program among what are often disparate business units. Should the policies, procedures, and processes that define the program be developed and managed within a central, corporate body? Or would responsibility be better placed at the individual unit level? Is there a workable middle ground?

If alignment across business units is important, a centralized model would seem the proper choice. By directing and managing the program within a central governance body, all business units are required to abide by the same unified vision and policy set. This structure gives executive leadership and the board better oversight, since there is only one place to go to assess the posture of the organization. Centralized governance is generally the most efficient, as resources can be leveraged cost-effectively across the organization, limiting duplication of effort and making better use of talent and tools. This model also offers some sustainability, in that shareholders can be assured that the profitability of an individual unit is unlikely to compromise the quality of the program. Finally, should an incident occur, it can be handled in a uniform manner with full corporate oversight.

However, there are issues with the centralized approach that can be better addressed with a distributed model, in which each business unit is responsible for its own InfoSec program. Because the units develop their own policies and standards, they are far more likely to embrace the program, assign the necessary resources to it, and fully implement it. Rather than a generic set of policies that must apply across the whole organization, this model produces policies that are aligned with each unit's specific business model. Further, the business unit can act autonomously, and thus in theory more quickly, when policy changes or incident investigations are necessary.

We are all familiar with the accountability issues that arose during the Enron situation. As a result, today's shareholders demand that corporate leadership be well-versed in the conduct of the organizations they lead. Immediately following a significant information security incident, these leaders will likely be called upon for details. To address this issue while still leveraging the benefits of business unit autonomy, many organizations are adopting a hybrid approach. The best of both models is achieved by establishing a central governance body focused on program results, while each business unit retains control over the methods. These groups work together to achieve the overall program objectives. The following describes how the establishment of a hybrid program and the sharing of responsibilities might be realized.
