Summary

Now that the organization's risk and vulnerability assessment is completed, many organizations are left with gaps and voids in the overall security of their IT infrastructure and assets, measured against the organization's goals and objectives and its minimum acceptable level of risk for the seven areas of information security responsibility. These gaps and voids are compounded by the lack of experience and capabilities of the organization's IT staff, given the expanded information security roles, tasks, responsibilities, and accountabilities that they must now take ownership of to ensure the confidentiality, integrity, and availability of the IT infrastructure and assets.

IT organizations must create and implement an IT security architecture and framework to get a handle on how to implement the security goals and objectives of the organization. This IT security architecture and framework must then be communicated to the IT staff, the managers that are held accountable for ensuring the confidentiality, integrity, and availability, and the end users who work for the organization. Without a collective and all-encompassing plan for communicating the organization’s information security policies, standards, procedures, and guidelines, creating the IT security architecture and framework is moot.

Obtaining buy-in and acceptance for an IT security architecture and framework must start with the IT organization and the IT staff that are responsible and accountable for information security. This typically requires changing and updating existing job descriptions, or creating new ones, so that the organization can hire trained, certified, and qualified information security professionals for its IT staff. IT managers must work with the human resources department to upgrade current job descriptions and create new ones that support the information security initiatives and programs identified and prioritized in the risk and vulnerability assessment and its recommendations report. After this is done, organizations stand a better chance of making an impact on the information security of the IT infrastructure and assets.

Many organizations expand the roles, tasks, and responsibilities of their IT staff and merely add them to an already overloaded workload. This is not an effective strategy for ensuring that information security initiatives and priorities are implemented properly. Obtaining buy-in and acceptance must start with the IT organization and then permeate to the end users, so that a collective and all-encompassing information security campaign gets moving in the organization.
