How To
Information Security Governance: Centralized vs. Distributed
Audry Agle, VP at The First American Corporation, on creating a model that works for your business
By Audry Agle
1. Development of baseline policies and standards - In order to assure consistency, many organizations centralize this process. Business units, however, should have significant input into the development of these materials as acceptance will be critical to adoption. By defining consistent baseline requirements across the organization, leadership can understand the framework of the program. The unit is then encouraged to develop their own business-specific set which augments the corporate baseline, and addresses any unique needs they may have.
2. Assessment of gaps - This may be performed by internal security and audit resources, external vendors or consulting agencies. Centralizing this function will help ensure an objective picture of each unit's conformance to baseline policy.
3. Planning and implementation of risk controls - Development of mitigation strategies is often best performed at the unit level, where processes are understood most intimately and changes can be implemented more efficiently. The central governance body may be able to offer objective ideas for controls that have not been considered, but it should not dictate how the unit will achieve policy compliance.
4. Management, monitoring and ongoing measurement - Managing the controls once implemented is generally a unit-level function; however, monitoring and measuring the effectiveness of the controls should be shared. While the business unit will likely want to monitor the results, the central governance group will need insight as well. Reliable, objective metrics will be required to assure senior leadership that the program is effective. To ensure unbiased reporting, unit personnel should have a reporting relationship to the central governance body.
Companies with similar products and customers across units will likely have a strong need for uniformity, and will naturally adjust their model toward more centralization. Conversely, those with diverse business models and dissimilar customers may have very different security requirements, and thus may lean toward a more distributed model by shifting more responsibility to the unit level.
No matter which model your organization chooses to adopt, senior leadership and the board of directors must stay involved. Management must communicate clearly that it values and embraces the InfoSec program in order to motivate the same response among staff. The responsible InfoSec group, whether at the corporate level or the unit level, can only be successful in its initiatives if constituents are held accountable for compliance with the program. Policy violations should be taken very seriously and must have repercussions. Further, the organization must be willing to be flexible and adjust the program based upon feedback and results. Solid Information Security programs don't just happen; organizations must take a well-considered, collaborative approach when deciding which model is best in meeting their business objectives.