Computer Fraud & Security Bulletin
WHY HAVE DECENTRALIZED INFORMATION SECURITY COORDINATORS?
Centralized and decentralized staff
Charles Cresson Wood, Information Integrity, USA
There is simply too much for a centralized information security staff to do. It is neither cost-effective nor prudent for all substantive information security work to be performed by a centralized group. While policy making, standard setting, and other guidance should emanate from a centralized group, it is advisable for computer-related contingency planning and other functions to be decentralized. This article explores the reasons why decentralization of the information security function makes sense.
To leverage the scarce talent found in an information security group, it is wise for many of the repetitive information security tasks to be delegated to people in other groups. For instance, rather than using centralized staff to administer LAN access controls, this task can be given to departmental LAN administrators. The process of delegation should be accompanied by special training and awareness-raising efforts. Also necessary are periodic check-ups to make sure that those to whom information security functions have been delegated are doing their duty. Without such efforts, delegation is equivalent to abdication.
August 1992
It is no coincidence that organizations which have been serious about information security for several years typically have decentralized coordinators. Most organizations are not taking advantage of the benefits of decentralized coordinators. Those organizations that do not yet have decentralized coordinators, and those organizations that do not yet use coordinators to best advantage, would be well-advised to re-evaluate the role decentralized information security coordinators play.
Benefits of using decentralized coordinators
Consider how your organization could benefit if decentralized coordinators took on a more active information security role. Coordinators could contribute in the following ways:
(a) Decentralized coordinators can interpret information security policies, guidelines and standards in light of local business practices and computing environments. This means that decentralized coordinators will develop a unique local view about information security. This local view will be essential to successfully convincing end-users that they are to conduct their computer-related activities with the prescribed control measures.
(b) Decentralized coordinators can provide special information security support services applicable to a certain department, division, or subsidiary. Their local view can be used to design, select and/or implement controls in a manner uniquely responsive to local conditions. For example, more stringent physical access controls may be appropriate for the Research & Development (R&D) department, but not elsewhere in the organization. A decentralized coordinator in the R&D department can work on these controls without the involvement of information security specialists in a centralized group.
(c) Decentralized coordinators can manage staff members in a local department, division, or subsidiary, who are working on information security projects. One frequently encountered instance of this is in contingency planning. Because a centralized group does not have the resources to monitor and manage all local groups involved in contingency planning efforts, such activities must be the responsibility of decentralized information security coordinators.
(d) Decentralized coordinators can represent a department or division on an organization-wide information security task force or committee. Such a group may be established to prepare organization-wide policy, develop a network security architecture, or otherwise arrive at information security practices that work for all the people involved.
(e) Decentralized coordinators can provide knowledgeable assistance as a local information security administrator, defining access control privileges, issuing new computer log-ins, IDs and passwords, and the like. Like many other activities of the decentralized coordinator, this takes some of the burden off a centralized group.
©1992 Elsevier Science Publishers Ltd
(f) Decentralized coordinators can act as members of a Computer Emergency Response Team (CERT), which is mobilized in the event of virus infestation, hacker break-in, or computer-related disaster. Centralized people are often too far away, working in different time zones, or otherwise unavailable to handle information security problems when they demand immediate attention.
(g) Decentralized coordinators can provide end-user support, such as fulfilling requests for additional information. Simple questions like 'What's the difference between proprietary and confidential information?' are best handled locally rather than by a centralized group. This means that end-users get faster responses and the demands on the centralized group are reduced.
(h) Decentralized coordinators can conduct local security reviews and submit reports about local information security conditions to a centralized group. A centralized group may otherwise never be aware of the real security conditions in the many units that make up the organization.
(i) Decentralized coordinators can conduct customized local information security training and awareness-raising efforts. A centralized group can create basic training materials and decentralized groups can modify these materials to suit local conditions. Customization might include translation of documents into other languages or tailoring documents to reference the type of computers used locally. The centralized group in this case trains the trainers.
(j) Most importantly, the use of decentralized coordinators can shift budgets for information security from a centralized group to decentralized groups. In overall terms, the use of decentralized information security coordinators helps (1) line business functions pay for information security, (2) line businesses appreciate that information security makes a contribution to their organizational unit, and is not just a centralized overhead function, and (3) these line businesses increasingly view information security as a standard part of doing business.
While there are many aspects of organizational structure for information security that have not been mentioned here, the use of decentralized coordinators is increasingly coming to be perceived as part of the standard of due care. Information security practitioners wishing to increase the effectiveness of their efforts should consider the use of coordinators, if their organization does not already use them. If their organization already has such coordinators, they should consider whether these coordinators are being used to best advantage.