In a decentralized organization, individual organization units fully provide their own IT services or provide most of their IT services with supplementation from an enterprise shared service organization. The level of decentralization that an organization presents is highly dependent on the history and culture of the organization and how it has grown and changed over the years. In the following example, the HR and Finance groups receive shared services from the corporate service provider, while the manufacturing group provides its own IT services. The exception in this example is denoted by the dotted line. The dotted line represents a shared service of email that the corporate shared service provider has implemented for the entire company.

In this type of environment, your information security program will:

• Interface with the various organizations within your organization that provide IT, ensuring that common security policies are followed.
• Separations of corporate IT can be due to compliance requirements. Ensure that you fully understand the reason behind the multiple IT functions and plan accordingly.
• Business users may have different expectations of service depending on the culture of the organization unit. You will need to take these expectations into account as you plan your information security program: