Handbook of Information Security Management:Policy, Standards, and Organization

Previous Table of Contents Next

Section 4-3
Organization Architecture

Chapter 4-3-1
New Organizational Model for IP Practitioners

Bill Boni


Today the IPS (Information Protection Services) organization must manage an ever-increasing array of threats to critical information systems and contribute to the protection of vital intellectual property, often in a global enterprise. These threats must be managed in an era of limited or sometimes shrinking budgets. To deal with these changes the author recommends a strategy which formally combines regular staff-assigned resources with internal (but nonsecurity) resources and carefully selected external resources, including both paid consultants/contractors as well as other sources of expertise/assistance. These elements are managed through the use of a risk assignment matrix. The matrix is a valuable tool which can be used to educate senior management and increase their appreciation of the trade-off between cost and protection.


Downsizing and Rightsizing

Most Fortune 500 companies and many other corporate and governmental organizations have been forced to dramatically reduce overall expenses. Many have done so through a painful process of re-engineering and associated layoffs or staff reductions.

The staff which survives this traumatic process often develop a sense of personal insecurity which in some cases contributes to a reduction in overall corporate/organization loyalty. The predominant management edict appears to be “Do More With Less”. Even profitable, growing organizations are under intense pressure from competition to wring maximum productivity out of all resources, especially with “overhead” resources like the information security staff.

One disturbing strategy is to “outsource everything possible” to keep the organization focused on core competencies and create the “virtual corporation”. The bonds of shared mutual interest of today may not even exist tomorrow as the Web of contractors and “least-cost providers” coalesces to accomplish the current priority then changes to meet the next business challenge. Ensuring the information shared with such temporary allies is appropriate and necessary is an increasingly important role for the IPS group in an organization which is following this strategy.

The rapid growth in the “contingent” workforce is another major trend which adversely impacts IPS. The extensive use of temporary staff and consultants to accomplish work that previously would have been done by “career” or “regular” staff employees creates a potential vulnerability that cannot be overlooked, while at the same time business pressures for such measures are irresistible. Assigning such staff to highly sensitive or mission-critical tasks creates major vulnerabilities for information assets, since they lack the promise of continuity and yet can often move comfortably throughout the organization.

Exploitation of temporary staff and temporary or consultant access for gathering sensitive information is commonly identified in business intelligence circles. This precise tactic was discussed by the principal of a business intelligence organization, when he boasted to an undercover news reporter posing as a potential client that he could insert one of his employees as a temporary staff member at the target organization and exploit such access to quickly obtain valuable information1. Similarly, a major hacker underground publication recently advised prospective hackers who were unable to penetrate the network or systems security of a given organization to consider obtaining employment with the firm, supporting temporary agencies, or even becoming a security guard or janitor, as all these positions allow for easy access to the organization’s systems and information2.

1Prime Time Live Broadcast 1/17/96, ABC, “The New Spies” segment.
22600 The Hacker Quarterly.

Ensuring that the contingent staff (both temporary clerical as well as contractors/consultants) of the organization have received appropriate security briefings, sign nondisclosure documents, are closely supervised during their assignments, and that all proprietary information is recovered from them upon termination of the assignment are vital elements in the new programs to safeguard organizational information against losses.

Together these trends have significantly increased the scope of the information security challenge inside the organization. No longer is it prudent (if it ever was) to assume that the “bad guys” come from the outside and that only “good guys” are on the payroll and premises. Thus IPS needs to ensure security measures are enacted to address a wide range of personnel- and staff-related issues.

Previous Table of Contents Next

The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version are covering, however it is one of the best tool you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.