
The following example represents a model style of organizational security. XYZ Corporation has chosen an organizational security model that features a distributed security environment, with security departments at each operating location responsible for local security. Their policies will be governed by logical requirements with oversight from the corporate security department. Discuss in detail the organizational security goals, concepts, practices and processes for this organization. Ensure that you align security management goals with business goals. Identify the application of security concepts to sustain effective management goals and fortify the security infrastructure of this organization.

Organizational security goals


The main goal of an organization's corporate security governance should be to develop a dynamic and flexible security posture by developing the right security governance processes and structures at the enterprise level. Therefore, XYZ Corporation should consider reducing the complexity of the IT infrastructure wherever security is a factor. IT architectures and information systems designed with security in mind are just as important for information security as the organization's security posture. However, in the current context of security governance we will concentrate on the goals and objectives that relate directly to security in this organization.

Establishing a security culture

Most papers on security governance will give a useful definition of security culture, but few give it the importance it needs or define how you can establish a good security culture. Unfortunately, most papers on security culture itself will lead you in the wrong direction by equating security culture with security awareness. This can lead to a costly mistake when you invest in expensive awareness training to enforce the wrong security culture. Information security culture is much more than security awareness, and establishing a good security culture that is aligned with your organizational culture should, in our view, underlie all your efforts in developing your information security governance and management.

Developing a security assessment framework

To evaluate the success of your security governance and to assist in the prioritization of your security investments, you will need to develop a suitable security assessment framework. While the previous two goals of security governance are obviously extensive enough to need some serious prioritization, this can often be achieved in direct negotiation and consultation at the executive management level. To assist in prioritization at other levels of security management, the organization will need to develop a set of prioritization guidelines as part of its security strategic context to complement this security assessment framework. The development of prioritization guidelines is, therefore, another security governance objective that deserves early attention. Our investigation of current security standards and guidelines found no practical advice on how to prioritize security investments apart from the current flawed risk-based approach. We also did not find an example of non-risk-based prioritization guidelines in any of the organizations we visited as part of our extensive case-study-based information security research over the last decade. Hence, while our research into this area is still in its early stages, we will present some of our initial ideas here to assist you in your endeavors to develop your own prioritization framework.

Plan how the security measures undertaken will influence the cost incurred by the organization

If you adopt the cost business model, you can set a goal such as becoming the lowest-cost security provider in your area. Your key operational objectives would include reducing your costs or improving productivity. Your marketing objective would be to position your company as a security firm offering value for money. Your financial objective would be to control your costs so that you maintain your target profit margin.

Concepts

In order to align security management goals with business goals, several concepts need to be considered.

Assess

Assess, understand and define security's current and future role in your organization: where security capabilities in people, processes and technologies reside across the enterprise today, and what security needs to achieve for the organization in the future.

Strategize

Translate this information and analysis into an actionable, repeatable and reportable strategy that identifies the business case supporting project creation, project prioritization and investment optimization, while also generating a strategic implementation roadmap.

Communicate

Communicate security's current status, vision, strategic roadmap and progress to date, at any point in the annual or quarterly business cycle and in a manner best suited to the different communication needs of a wide range of internal and external security constituents. This is done by assessing the organization's current status and writing a document that will serve as a reference whenever a security concern arises.

Competencies

Business alignment often requires skills not normally associated with information security specialists, such as architecture practice, personal communication, business knowledge and marketing skills.

Practices of the organization


The practices that the organization should put in place to ensure that the security measures undertaken align with business goals are as follows.

Planning

The strategic and tactical planning activities of the information security organization provide ample opportunity for aligning the resulting projects and actions with actual business requirements. For example, a key strategy is to leverage enterprise architecture principles in security planning practices.

Alignment of activities

Alignment is a challenge that cannot be addressed in a piecemeal fashion. The organization should invest time and resources into a comprehensive strategy for improving business alignment. The actions and projects resulting from this strategy must be executed in conjunction with, and not in place of, existing security projects.

Establishment of relationships

The importance of establishing and maintaining effective relationships with other roles and individuals within the organization is that alignment depends on the cooperation and support of key influencers, decision makers and other stakeholders.
