Information Security Governance Papers

Paper Title: Information Security Governance Structures
Abstract: Information security governance structures can be characterized in a number of ways. There are two basic models of information security governance structures: centralized and decentralized. While agency heads are ultimately responsible for managing and governing their respective agency, the authority and responsibility over information security differs in the two types of structures. Key characteristics of the two structures are:
• Centralized. The departmental CIO or, in some instances, the SAISO has line-item budget control over all information security activities throughout the department. All information security practitioners within the department report to the departmental SAISO, who is responsible for ensuring implementation and monitoring of information security controls throughout the entire department.
• Decentralized. Departmental SAISOs have policy development and oversight responsibilities. Departmental SAISOs have budget responsibilities over the departmental information security program, but not over the operating units’ information security programs. Operating unit SAISOs report to the unit head, not to the departmental SAISO. Operating unit SAISOs are responsible for implementing and monitoring information security practices within their respective operating units.
Completely centralized or decentralized information security governance implementations are quite rare. In reality, the variety of implemented information security governance structures spans the continuum from a centralized structure at one end to a decentralized structure at the other. Agencies usually adopt hybrid structures that include some characteristics of both centralized and decentralized types of structures, and they adopt the particular mix of these characteristics to fit their agency mission, size, homogeneity of their components, and existing governance structure. Agencies in the process of establishing or changing their information security governance structure should consider the following key factors to determine the optimal extent of the centralization or decentralization:
• Agency size;
• Agency mission and its level of diversification or homogeneity;
• Existing agency IT infrastructure;
• Existing federal and internal governance requirements;
• Size of agency budget;
• Agency information security capabilities;
• Number of, and distance between, physical locations; and
• Decision-making practices and desired rate of change in information security practices.

To the degree that these factors are limited or varied, an organization’s hybrid information security governance structure will fall somewhere between the extremes of a completely centralized or decentralized structure, as depicted in Figure 2-3. An organization’s placement on this continuum may also shift over time in response to changing internal factors or external requirements.

Since information security governance structure is highly dependent on the overall organizational structure, organizations are often limited in their choices about how to organize their information security governance activities. Agencies should be cognizant of the characteristics and challenges that a centralized or decentralized structure presents and work within their respective organizations to ensure the best use of information security resources within the boundaries of their own structure.
Web Link: http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
