Information Security Organisation
IT Security Delivery Organization
The way in which security is delivered within the IT division is important for the effectiveness of the security mechanisms. Too many organisations do not place enough emphasis on defining the correct responsibilities and providing the appropriate skills and experience for the delivery of security.
Security Services and Components
Security is often thought of as a set of independent components that neither interact with nor rely on one another, but this is untrue. These components normally provide defence-in-depth and should be considered as a security service made up of interacting and co-operating components, as shown below.
Figure 9: Security Service/Component Relationship
These security services in turn combine to provide the overall security for an organisation. If the organisation has adopted a decentralised or federated organisational approach, then it is important to ensure that these services and their capabilities are correctly configured to supply this overall security.
Figure 10: Security, Security Services and Component Relationships
IT service delivery organisations tend to be organised as a series of delivery teams focused on the type of IT component being used for delivery rather than on the function being delivered by a service. In some IT organisations this component-based focus is balanced through the use of a service management organisation that pulls together cross-component services. This is shown in the diagram below.
Security Service Delivery
Figure 11: Security Service Delivery
The extent of the role of service management depends on the maturity and understanding of cross-component services. Service management often looks after cross-component services that manage the operation of components but do not provide direct business benefit, such as capacity management and backup/recovery.
Security can also be considered a management function, but it also delivers security services whose functions are visible in managing the risk of the business and which are made up of co-operating IT components. Often a service management organisation will consider the management of security but not the appointment of an individual responsible for the delivery of each security service.
In one service management based organisation that did not have a focus on service-based security, the platform-based competency had issues with their component of a security service and delayed resolving them because they were relying on two other security components as a fall-back. Unfortunately, the other two components had failed at the same time, and their delivery teams were making the same assumption. This left the organisation exposed, as all three layers of defence were not working.
No matter what organisational approach is adopted, to ensure that this does not happen, there needs to be:
- an agreed understanding of the roles, responsibilities and interactions
- a set of measures to enable the performance of security services to be measured
- compliance checking to ensure that legal, regulatory and corporate governance needs are being satisfied
- an effective security organisation with appropriate skills and experience
- hours of service appropriate to the threat to the business
- governance to ensure continual end-to-end coverage, interaction, vitality and ownership