Enterprise Security Management Practices ◾  61
© 2011 by Taylor & Francis Group, LLC
Monitoring and Controlling Process Group: Regularly measures and monitors progress to identify variances from the project management plan so that corrective actions can be taken when necessary to meet project objectives
Closing Process Group: Formalizes acceptance of the product, service, or result and brings the project or a project phase to an orderly end
Note that the above groups are similar to the other security cycles, using different names but very similar functions (see Figure 1.15).
As can be seen from Figure 1.14, the nine knowledge areas have processes that are about managing specific key functional elements, some of which were identified in previous security cycles. Scope, quality, and risk management are areas that are very similar. Others related to managing costs, time, personnel, procurement, and communications between groups are areas in which successful management skills could very much support the various actions that need to be managed in any of the development and security cycles previously discussed.
The success of ISSMPs can depend on how well they understand the above 45 processes, because this knowledge will allow them to manage projects and work with project managers more effectively. ISSMPs looking to move to senior management positions should seriously look at becoming a certified Project Management Professional.
SECURITY PROFESSIONAL’S GOALS ARE TO:
Provide risk-based system security.
Recommend cost-effective security.
Deploy practical and acceptable security.
[Figure 1.14 PMI Body of Knowledge: the five PM process groups (Initiating, Planning, Executing, Controlling and Monitoring, Closing) set against the nine Knowledge Areas (Project Integration, Scope, Time, Cost, Quality, Human Resource, Communications, Risk, and Procurement Management).]
Inuencing resources is a required skill for every ISSMP, because all security
programs must have funding to operate. Understanding the process for obtaining
the necessary funding to support existing security needs (i.e., personnel, infrastruc-
ture, services, specialists, supplies, training and education, etc.), initiatives, and
emergencies is very important. Seeming very complex at rst, the processes are easy
to learn, and this learning process can provide an advantage for the ISSMP if han-
dled correctly. Of all the individuals in an organization, the people who control or
contribute to the organizations budget process are most important to the ISSMP,
because they have a large say as to what gets funded and what does not.
It is recommended that the ISSMP contact the budget personnel and request a tutorial on how the budgeting and execution of funds are accomplished in the organization. This initiative serves two purposes: it provides an understanding of the process and schedule and establishes a cooperative relationship with these influential individuals. This is very important, because these individuals will provide formats and information that will make the ISSMP successful.
SECURITY PROFESSIONAL’S GOALS ARE NOT TO:
Assume risk.
Build a 100% secure system.
Have the largest budget or staff possible.
Deploy the most technical solutions.
[Figure 1.15 Cycle comparison: the PM process groups (Initiating, Planning, Executing, Controlling and Monitoring, Closing) aligned with the SDLC phases (Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposition), the RMF steps (Categorize System, Select Controls, Implement Controls, Assess Controls, Authorize System, Monitor Controls), and a generic cycle (Initiation, Verification, Approval, Maintenance, Disposal).]
Basically, the funding process has four phases: Planning, Programming, Budgeting, and Execution. The following provides an overview of each of these phases:
Planning Phase: During this phase, senior management identifies the organization's strategies, goals, and objectives for the future. Depending on the organization, this projection can be anywhere from 2 to 10 years out. These projections are the results of changes in laws and regulations, business trends, market analysis, growth and financial projections, and so forth. Using these, senior management issues guidance (including future goals, objectives, priorities, strategies, etc.) to the organization's managers, so they can identify what they need to do in the future to support the successful accomplishment of the future goals and objectives.
Programming Phase: In the programming phase, functional managers review alternatives to expand or reduce existing projects and programs or develop new initiatives to support senior management's guidance. Senior management will review these alternatives and determine which have the best potential of success and which are the most cost effective. The outcome of this phase is some type of a program decision from senior management.
Budgeting Phase: The budgeting phase is where the functional managers develop detailed budget estimates for the changes approved in the decision memorandum. The budget personnel will review these budget estimates for accuracy, completeness, and compliance with the decision memorandum. Senior management resolves any issues and promulgates a budget decision.
Execution Phase: With the budget decision, senior management allocates funding to the functional managers to fund the approved programs. Typically the funding allocations support one year's efforts, but sometimes the funding supports a specific phase of a project. The budget includes funding for personnel, utilities, facilities, services, materials, advertising, infrastructure, and so forth, for both direct and indirect costs.
Figure1.16 illustrates the timing, organizations interactions, and outcomes of
each phase. e specic time required to accomplish each phase is totally dependent
on the organization. In some organizations a phase may take a year, and in others,
weeks or days. e size of the organization, geographic diversity of management,
complexity of the business environment, level of competitive demands, uidity of
the marketplace, and so forth, can have major impacts on how long and how fast
the process moves. is is why ISSMPs must gain awareness of their specic orga-
nizations funding process from the individuals who control the budget process.
Once the process is understood, the ISSMP can anticipate budget requests in support of the process and become very responsive to related management actions. It is recommended that the ISSMP request the budget individual review and comment on inputs prior to the inputs being requested to ensure that the inputs are correct and demonstrate awareness of the process. Additionally, determine when funding reviews occur during the Execution Phase, because this is an opportunity to
identify the need for additional funding or highlight savings initiated by the ISSMP. An example of this is in the government, whose goal is to spend all allocated funding within the fiscal year (1 October to 30 September), so government organizations conduct a mid-year review in the spring and expedited contract funding at the end of the summer. ISSMPs should take advantage of these times to gain resources for unfunded improvements. In the commercial sector, ISSMPs should look for times of large cash inputs to the company, for example, at the end of every quarter when a large contract renewal check is received from clients. Each organization is different. However, the information can be gained from the budget or financial personnel.
One final comment on gaining resources: funding is almost always available for proposals that have a major impact on reducing risk or increasing profits, but the ISSMP must be credible and have a strong justification to gain them.
Selling senior management on approving a solution for a security issue is one of the hardest jobs that an ISSMP will have to do. For many people, selling is not easy for many reasons: they are asking for money; they have to give a presentation; they find it difficult to write a justification or determine the ROI; the audience will ask questions; and many others.
Building on the concepts presented in the Hierarchy of Needs and the Laws of Organizations, ISSMPs will need to build a strategy for selling to their specific senior management. A key rule in selling is that one must sell on the buyer's needs, not the seller's needs. Just like organizations, the individuals in the organization are different, so the ISSMP will have to understand the needs of the boss, the boss's boss, the Board, and anyone else who influences purchasing decisions. Justifications and presentations need to follow the 0–5 approach to selling, based on the selling techniques presented in the book KNOW Cyber Risk: By Managing Your IT Security
[Figure 1.16 Planning, programming, budget, and execution cycle: a timeline of the Planning, Programming, Budgeting, and Executing Phases showing the interactions between Senior Management (guidance; review, questions, decisions; oversight, modifications) and Functional Managers (trends, suggestions, projections; changes, alternatives, cost estimates; justifications; hire, procure, contract), with each phase's outcome (Guidance, Program Decision, Budget Decision, Funding Allocation).]
(James P. Litchko, Al Payne. KNOW Book Publishing; Kensington, MD © 2004). Table 1.6 provides the details of this approach.
The approach is just like security: simple, practical, and efficient. Note how the approach uses the Laws of the Organization:
Senior managers are decision makers, so give them options and recommendations.
Senior managers have limited time, so give them one-page and five-minute presentations.
The higher up in the organization the more resources; therefore, also know the boss's boss.
Typically, new ISSMPs have difficulties with implementing the 0–5 approach because of the following concerns:
How can I present everything in five minutes? The majority of senior managers are not technical and they are all about making decisions. They will appreciate the fact that you understand and respect the time that they have given you. Give them the basics, and if they have questions they will ask. The presenter wants them to ask questions, because it gets them involved with the problem and the solution, giving them the feeling of owning the solution.
How can I present everything on one page? Justifications for additional resources should be no longer than one page, again because senior managers do not have lots of time. Whenever possible base the justification on mission or business needs.
Where do I get the format for the one-pager? Get the format from the financial or budget personnel. Remember, they are the ones who will be getting the approval for changing the allocation of the funds, so why not use their format and save everyone time?
How do I know what the audience's needs and goals are? The best way is to talk to the executive assistant to know who will be in the meeting and what their backgrounds and roles are. Do a Web search and read articles about them, presentations and papers from them, and so forth. Also, ask the finance or budget personnel and your mentor for advice. Many people think that the way to sell to senior management is to present a solid return on investment (ROI), but remember Maslow's Hierarchy of Needs. Some people are more driven by needs other than ROI; sometimes being successful and being recognized by their peers at a conference or in an article is what drives them—Esteem. Or knowing that they will not get into trouble with their evaluators, the Board, or their boss is their goal—Safety. Remember, everyone is different, present to the whole audience, and not all problems need to have an ROI component.
How do I find a mentor? It is recommended that when you are picking a mentor always pick someone who is positive and successful in the organization and does not always agree with you, because you want someone who will challenge you and give an honest opinion.