Information Security Governance: Centralized vs. Distributed

Audry Agle, VP at The First American Corporation, on creating a model that works for your business

The management of information risk has become a significant topic for all organizations, small and large alike. But for the large, multi-divisional organization, it poses the additional challenge of determining how to deploy an information security governance program among what are often disparate business units. Should the policies, procedures, and processes that define the program be developed and managed within a central, corporate body? Or perhaps responsibility would be better placed at the individual unit level? Is there a workable middle-ground?

If alignment across business units is important, a centralized model would seem the proper choice. By directing and managing the program within a central governance body, all business units would be required to abide by the same unified vision and policy set. This structure gives executive leadership and the board better oversight, as there is only one place to go to assess the posture of the organization. Centralized governance is generally the most efficient, as resources can be leveraged in a cost-effective manner across the organization, limiting duplication of effort and making better use of talent and tools. This model also offers some sustainability, in that shareholders can be assured that the profitability of an individual unit is unlikely to compromise the quality of the program. Finally, should an incident occur, it can be handled in a uniform manner with full corporate oversight.


However, there are issues with the centralized approach that can be better addressed with a distributed model, in which each business unit is responsible for its own InfoSec program. Because the units develop their own policies and standards, they are far more likely to embrace the program, assign the necessary resources to it, and fully implement it. Rather than a generic set of policies meant to apply across the organization, this model has the advantage of producing policies that are aligned with each unit's specific business model. Further, the business unit can act autonomously, and thus theoretically more efficiently, when policy changes or incident investigations are necessary.

We are all familiar with the accountability issues that arose during the Enron situation. As a result, today's shareholders demand that corporate leadership be well-versed in the conduct of the organizations they lead. Immediately following a significant information security incident, these leaders will likely be called upon for details. To address this issue while leveraging the benefits of business unit autonomy, many organizations are adopting a hybrid approach. The best of both models is achieved by providing for a central governance body focused on program results, while the business unit retains control over the methods. These groups work together to achieve the overall program objectives. The following describes how the establishment of a hybrid program and the sharing of responsibilities might be realized.

1. Development of baseline policies and standards - To assure consistency, many organizations centralize this process. Business units, however, should have significant input into the development of these materials, as acceptance will be critical to adoption. By defining consistent baseline requirements across the organization, leadership can understand the framework of the program. Each unit is then encouraged to develop its own business-specific set that augments the corporate baseline and addresses any unique needs it may have.

2. Assessment of gaps - This may be performed by internal security and audit resources, external vendors or consulting agencies. Centralizing this function will help ensure an objective picture of each unit's conformance to baseline policy.

3. Planning and implementation of risk controls - Development of mitigation strategies is often best performed at the unit level, where processes are understood most intimately and changes can be implemented more efficiently. The central governance body may be able to offer objective ideas for controls that have not been considered, but it should not dictate how the unit will achieve policy compliance.

4. Management, monitoring and ongoing measurement - Managing the controls once implemented is generally a unit-level function; however, monitoring and measuring the effectiveness of the controls should be shared. While the business unit will likely want to monitor the results, the central governance group will need insight as well. Reliable, objective metrics will be required to assure senior leadership that the program is effective. To ensure unbiased reporting, unit security personnel should have a reporting relationship to the central governance body.

Companies with similar products and customers across units will likely have a strong need for uniformity, and will naturally adjust their model toward more centralization. Conversely, those with diverse business models and dissimilar customers may have very different security requirements, and thus may lean toward a more distributed model by shifting more responsibility to the unit level.

No matter which model your organization chooses to adopt, senior leadership and the board of directors must stay involved. Management must communicate clearly that it values and embraces the InfoSec program in order to motivate the same response among staff. The responsible InfoSec group, whether at the corporate level or the unit level, can only be successful in its initiatives if constituents are held accountable for compliance with the program. Policy violations should be taken very seriously and must have repercussions. Further, the organization must be willing to be flexible and adjust the program based upon feedback and results. Solid information security programs don't just happen; organizations must take a well-considered, collaborative approach when deciding which model best meets their business objectives.

Audry Agle, CISSP, CBCP, MBA, is Vice President of Information Security for The First American Corporation. In her current role she is responsible for assisting in the development and maintenance of the corporation's information security program.

Copyright © 2008 IDG Communications, Inc.
