Wed Nov 26 09:45:09 PST 2014

Management: Influence: What power and influence should the IP Lead have?


Options:

Option 1: The Information Protection (IP) Lead should have adequate power and influence to affect process and procedure.
Option 2: The IP Lead should have the right to inspect protection process and procedure.
Option 3: The IP Lead should have the capacity to meaningfully analyze feedback to determine actions to induce.
Option 4: The IP Lead should have direct management control over protection functions.

Decision:

IF the Information Protection (IP) Lead has duties to specify in this area, THEN the IP Lead should have adequate power and influence to affect process and procedure.
IF the IP Lead has duties to examine in this area, THEN the IP Lead should have the right to inspect protection process and procedure.
IF the IP Lead has duties to manage in this area, THEN the IP Lead should have direct management control over protection functions.
IF the IP Lead has duties to specify and examine in this area, THEN the IP Lead should have the capacity to meaningfully analyze feedback to determine actions to induce.

Fill in from the following table or the table resulting from "IP Lead Duties" identified earlier.

Type | Item | Power and Influence | Direct control | Right to Inspection | Analysis Capacity
Business | Policy | | | |
Business | Control Standards | | | |
Business | Procedures | | | |
Business | HR | | | |
Business | Legal | | | |
Business | Risk Management | | | |
Operations | Testing | | | |
Operations | Change Control | | | |
Operations | Physical technical safeguards | | | |
Operations | Logical technical safeguards | | | |
Operations | Incident handling | | | |
Assurance | Audit | | | |
Assurance | Knowledge | | | |
Assurance | Awareness | | | |
Assurance | Documentation | | | |

Power and influence of the IP Lead

Basis:

The Information Protection Lead (IP Lead) should have adequate power and influence to affect process and procedure.

This generally means the ability to create and operate the group processes that generate policies and control standards in any appropriate arena.

The IP Lead should have the right to inspect protection process and procedure.

This implies uninhibited and unfettered access to information, including the people and systems containing that information, to the extent necessary to gather but not alter content and metadata. Generally, this must be able to happen without the knowledge or consent of anyone operating the systems that control that content, in order to perform investigative processes and stop subversion of measurement processes.

The IP Lead should have the capacity to meaningfully analyze feedback to determine actions to induce.

Adequate analytical capability includes both personal skills and knowledge in the context of the enterprise and the availability of adequate resources in the form of external expertise, computational resources, and tools.

The IP Lead should have direct management control over protection functions.

While it is often inadvisable for the IP Lead to have direct control over operations, direct control of other aspects is common. This implies that the IP Lead has staff that works for them and over which they have hiring and termination responsibilities as well as all other related management control and power.

There is usually an individual in charge of the overall information protection program, often titled the Chief Information Security Officer (CISO), whom we identify as the IP Lead. In order for the protection program to be effective, the IP Lead has to have (1) the power and influence within the enterprise to effectively control the protection program and process, (2) the information and access to find out what is going on within the enterprise, and (3) the knowledge and skills necessary to understand and apply the actuators effectively to get the process and program to meet the duties to protect. Many enterprises have high cost plus loss because top management fails to: (1) understand the role of the IP Lead, (2) place the IP Lead properly in governance, (3) provide adequate power and influence for the IP Lead, or (4) grant the IP Lead adequate access to information.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved