In the document Information Security (Page 146-150)

The information-security strategy

5.10 Agreement and publication of final strategy

Once the strategy has been produced, we need to ensure that it is formally adopted. As we have used a consultative approach to create the strategy, we do not anticipate too many difficulties here, but given the importance of obtaining the necessary approval, we will manage this aspect carefully.

The first step in this process is to distribute the document to stakeholders for comment, allowing a reasonable time for them to provide their feedback.

Common mistakes here include asking for feedback too quickly or trying to impose implicit signoff after a certain date. Asking for feedback too quickly would be a sign of bad management on our part—if the planning slips, it is better to negotiate an extension to the deadline rather than try to cut corners at the expense of others. Implicit signoff is hardly ever a good idea, especially where important deliverables such as this are concerned. A better approach is to remind reviewers who have not responded a certain number of days before the deadline and to suggest a meeting to discuss problems if appropriate.


In addition to planning for a reasonable delay to receive comments, it is also necessary to plan for a delay to introduce the necessary modifications.

Conversely, it is reasonable to require a rapid response for the amended version of the document, as this should only require a quick verification that the required modifications have been carried out. At The Secure Bank, we allowed stakeholders 2 weeks to respond with comments, and we planned for a further 2 weeks to introduce the modifications. Stakeholders were then given 1 week to approve the final version.

The document approved by stakeholders was then submitted to the information-security steering committee, which approved it at its second meeting in month seven. Following this final step, the strategy document was published on the organization’s intranet.

5.11 Summary

The information-security strategy is the blueprint for the current strategic-planning period. The strategy identifies and describes those initiatives that contribute to moving the enterprise up the path of maturity (see Figure 4.1).

For less mature organizations, first attempts to define a strategy may be hampered by an inability to predict the impact of initiatives that modify cultural values or significantly change working practices. For such organizations, the experience gained in trying to get to the final goal may be as valuable as the effort to define that goal.

There are several inputs into the information-security strategy. One of the most important inputs consists of a summary of the strong and weak points of the current approach to securing information. In this chapter, we have concentrated on weak points, but it is evident that any strengths should be retained when introducing a new approach. The business strategy also provides valuable input by identifying the direction that the business as a whole is taking. Modified business plans can lead to significantly different requirements for protecting data and systems. Similarly, a modified strategy can require major changes to the IT infrastructure and supporting applications, thereby indirectly affecting the approach to securing information.

Legal and regulatory requirements often have a major impact on information security. Commonly encountered legal requirements include data protection laws and privacy laws, and some sectors may be subject to further legislation. In the financial sector, certain countries have passed legislation relating to banking secrecy, and this is often interpreted by regulatory bodies.

Finally, a coherent strategy should take into account events happening in the outside world, such as economic and political events and technical evolution. Mergers and acquisitions present special challenges, as they are likely to force staff to question core values and often modify corporate culture.

The final strategy defines a number of strategic initiatives, which collectively satisfy requirements arising out of an analysis of these areas. The strategic initiatives are prioritized according to a set of predefined criteria, typically reflecting the degree to which they mitigate risk, degree of difficulty, and cost. The final prioritization will also take into account any synergies that can be realized with other defined activities. While it is a good idea to construct a high-level plan in order to derive the prioritization of initiatives, the plan itself is not part of the strategy. However, the strategy is the major input to the strategic plan, which is described in Section 4.5.3. This approach is adopted to keep the strategy document free of volatile information (i.e., information that is likely to change regularly).

It is important to carefully plan the approval process, as failure to do so is likely to result in reduced commitment from stakeholders. In particular, suitable time should be planned to allow stakeholders to correctly review the document and request modifications. Similarly, it is important to allow time to make the necessary changes once feedback has been received.

Following approval, the information-security strategy should be published in a location visible to all staff. The company intranet is an ideal channel for achieving this.

