1. Which of the following best describes “management intent”?
A. Create a dedicated position of CISO and delegate the CISO in charge of information security.
B. Wake up the awareness of the CEO and the board of directors that they are liable for including information security into the agenda of corporate strategy.
C. Mitigate risks to the acceptable level of senior management to achieve confidentiality, integrity, and availability.
D. Govern or manage information security with a business mindset to deliver values.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answers are as follows:
1. D. Policy
2. D. Govern or manage information security with a business mindset to deliver values.
- Mission and vision often come hand in hand, but there is no consistent definition between them. Some may argue that vision comes first, while others think the mission exists before vision. In my opinion, it depends on your role and perspective.
- As an entrepreneur, I have to think about the values in which I believe and the purpose or the reason why I want to start the business. The values and purpose are the primary parts of my mission statement. To some extent, my mission to start a business is commissioned by God.
- My mission/vision statement is:
To Inspire People – A Share Point of People and Knowledge.
- Based on the mission statement, I start to envision the story of success, search for the business direction, set long-term goals, and develop strategies to achieve them.
- So, what is the mission or vision? I won’t define them literally; instead, I explain them through the practical example I have been working on for years, so that I can share my definitions with you and communicate effectively.
- What’s the difference between a goal and an objective? There’s no consistent definition either. However, people tend to classify them in terms of time scale.
- As far as I am concerned, goals are long-term objectives which can be broken down into short-term objectives.
- How long is long enough to be long-term? You define your own scale. Typically, the period of a goal is longer than one year, while some say three years; you name it.
- A goal or objective is the statement of the desired outcomes.
- A well-developed goal or objective meets the SMART criteria.
- A strategy is a high-level plan or approach that addresses mission and vision. You break down the mission and vision into (strategic) goals which drive your strategic planning process.
- You apply strategic thinking skills to develop or formulate the strategy, and initiate portfolios or programs to implement or execute it.
- SWOT analysis, BCG matrix, Porter’s five forces analysis, and PEST analysis are common tools to develop strategies, while PMI Organizational Project Management (OPM) is a strategy execution framework to implement them.
- Policy: Overall intention and direction as formally expressed by management. (ISACA)
- A policy is a high-level statement of management intent that formally establishes requirements to guide decisions and achieve rational outcomes. (ComplianceForge)
- A security policy is a general statement of management’s intent regarding how the organization manages and protects assets. (ScienceDirect)
A function transforms one thing into another to deliver value. It may take input or consume resources to conduct the activities that produce something as output.
The security function protects assets and delivers confidence; it consumes resources as input, such as people, budget, time, systems, and processes.
Security Function in Small Companies
As far as I am concerned, I treat the security function as an unofficial security department. Companies that cannot afford a security manager or CISO still have security needs that must be addressed by someone or some function; I would say that they have an unofficial security department or security function.
Security Department in Big Companies
The security function can be conducted or fulfilled by an official or formal organization (a business unit, department, or any other level of organizational unit) headed by a manager or officer. In this situation, the security function is a formal organization.
It’s good practice to govern or manage information security with a top-down approach. The governance level (the board and senior management) has to be aware of the importance and ramifications of information security and include it in the strategic agenda. The position of the security function has to be determined and its budget allocated.
If an official security organization is created and a security manager or CISO is delegated to govern or manage the security function (department), he or she has to align the information security strategy with the business and corporate strategies.
The information security strategy is developed and implemented to protect assets from threats in order to achieve the objectives of confidentiality, integrity, and availability, so as to support organizational mission and business process, and create and deliver values.
- A. Create a dedicated position of CISO and delegate the CISO in charge of information security.
The security function may be implemented through an unofficial or official security department and through defined roles and responsibilities; a dedicated CISO position is only one way to do this.
- B. Wake up the awareness of the CEO and the board of directors that they are liable for including information security into the agenda of corporate strategy.
Awareness at the governance level is necessary but not sufficient. It does not fully address the strategic alignment and security function issues.
- C. Mitigate risks to the acceptable level of senior management to achieve confidentiality, integrity, and availability.
This is about risk management, or risk mitigation specifically.
- D. Govern or manage information security with a business mindset to deliver values.
This is my favorite perspective on information security governance and management. It is an umbrella term that covers topics such as the purpose of governance, the InfoSec organization, roles and responsibilities (R&R), strategy development, strategy alignment, program execution, resource optimization, and performance monitoring.