May 7 2009 11:14PM GMT
Posted by: Robert E. Davis
Tags: Accountability, Benchmarking, Goals, Responsibility, Behavioral Management, Planning Committee, Resource Allocation, Information Asset Protection, Information Security Governance, Information Security Management, Management by Objectives, IAP, ISG, ISM, MBO
A system for disseminating information security management objectives is considered fundamental to obtaining employee commitment. One way to communicate entity-centric information security objectives is through clear and concise policies. Information security management’s role in policy formulation includes considering the control environment, risk assessments, information, communication, and activities. Though policies are an important means of conveying expected behavior, even more critical is determining the effectiveness of the adopted IT safeguarding objectives. Effectiveness evaluation requires measurement against established information security standards. Consequently, well-reasoned information security standards must be designed and implemented.
May 4 2009 6:32PM GMT
Posted by: Robert E. Davis
Tags: Accountability, Benchmarking, Goals, Responsibility, Behavioral Management, Planning Committee, Resource Allocation, Information Asset Protection, Information Security Governance, Information Security Management, Management by Objectives, IAP, ISG, ISM, MBO
Within behavioral management theory, entity leaders have alternative approaches available for developing information asset safeguarding objectives — including participative, consultative, free rein, and autocratic models. Participative behavioral management emphasizes considering and incorporating employee views in decisions, while maintaining managerial decision authority. Consultative behavioral management stresses considering employee views, without incorporating them, while maintaining managerial decision authority. Free rein management allows employees to make their own decisions concerning the subject matter. Lastly, autocratic management underscores dictating decisions to employees. Based on empirical evidence, most entities currently prefer a participative approach to managing entity-centric objectives development.
Setting objectives and establishing processes to accomplish the designed objectives is a managerial responsibility. Tactically, the manager responsible for a plan’s implementation should set objectives with advice obtained from the entity’s planning committee, top-level executives and line subordinates. To this end, the Management by Objectives (MBO) methodology normally drives employee consensus building. However, an entity’s planning committee and top-level executives may be too removed from daily information security operations to yield reasonable objectives. Furthermore, line subordinates may lack the knowledge of organizational intricacies needed to adopt recommended information security objectives. Therefore, a security manager may have to rely on evaluating generally accepted information security frameworks to develop entity-centric objectives.
Apr 30 2009 7:20PM GMT
Posted by: Robert E. Davis
Tags: Accountability, Benchmarking, Goals, Responsibility, Behavioral Management, Planning Committee, Resource Allocation, Management by Objectives, MBO
There exist various theories regarding managing employees. Behavioral management theorists believe leadership traits are not genetic. Thus, leaders assume distinct behaviors that can be studied and applied according to individual perceptions of assigned responsibility. When an individual is assigned leadership, managerial responsibility for the assignment’s duration is implied, if not explicitly stated.
Feb 5 2009 9:38PM GMT
Posted by: Robert E. Davis
Tags: Distributed Platforms, Physical Security, Logical Security, Access Controls, Information Asset Protection, Identification, Authentication, Authorization, Accountability, Infrastructure
Integrated policies improving access control are needed to increase safeguarding capabilities. Furthermore, due to technological and operational diversity, it is critical to have standard processes for controlling access that permit economies of scale. Potential candidates for access control convergence include tokens, biometrics, smart cards and tracking systems. When physical and logical penetration protection mechanisms are converged under a unified access control policy, the resulting combination can operate as a baseline, customized to redress entity-centric needs for effective threat countermeasures. Beneficially, regarding operational complexity, access control convergence can simplify security administration. To enable organizational coexistence with technological convergences, an entity’s security function should assume responsibility for implementing and sustaining blended physical and logical controls.
Physical information security is a critical aspect of adequate perimeter and interior controls. Yet, physical controls alone cannot ensure that information assets are protected. For this reason, it is important to establish logical security controls that rebuff threats to information confidentiality, integrity, and availability. Both control types should have appropriate asset protection as their primary objective, particularly for information in electronic form. Consequently, where feasible, entities should deploy cost-effective processes for protecting the network infrastructure through converged physical and logical security controls.
Feb 2 2009 7:38PM GMT
Posted by: Robert E. Davis
Tags: Distributed Platforms, Physical Security, Logical Security, Access Controls, Information Asset Protection, Identification, Authentication, Authorization, Accountability, Infrastructure
Computer technology continues to advance toward a tiered, decentralized world of distributed platforms for entering, processing, and retrieving information. Technological implementations are diverse and complex; however, all IT deployments should be protected from unauthorized usage by suitable information asset access controls. Given IT interconnectivity, entities should also protect information assets from unauthorized manipulation to safeguard investments from risks associated with resource misuse. Consequently, information asset access control is typically viewed from two abstraction perspectives: physical and logical security.
Physical security provides protection for tangible assets whether an item is at rest or in transit. Sub-categorically, information physical security involves reducing technological vulnerabilities, usually by limiting access to the buildings and rooms where information assets are housed, or by installing mechanical locks on devices. However, physical access controls should address not only the area containing hardware, but also the wiring locations used to connect system elements, supporting services, backup media, and other items required for IT operational effectiveness.
Distinctively, logical security focuses on safeguarding intangible assets whether data is at rest or in transit. Logical access controls are the manual and electronic policies, procedures, and organizational structures deployed to safeguard symbolic objects. Essential elements for adequate logical access control are identification, authentication, authorization, and accountability.
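The following is an added illustration, not code from the author or any product, of the four logical access control elements named above (identification, authentication, authorization, accountability) combined with the converged physical/logical policy described in the Feb 5 post: a logical asset is released only when the requester's badge-system location matches the room the unified policy requires. All directory entries, roles, rooms and badge states are constructed sample data.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample directory (hypothetical): identifier -> salted credential hash + role.
SALT = b"constructed-demo-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"rdavis": {"hash": _hash("correct horse"), "role": "dba"}}
PERMISSIONS = {"dba": {"hr_database"}, "analyst": {"reports"}}   # authorization matrix
BADGED_IN = {"rdavis": "server_room"}        # fed by the physical badge system (constructed)
ASSET_ROOM = {"hr_database": "server_room"}  # unified policy: asset -> required physical room
AUDIT_LOG: list = []                         # accountability record of every decision

def request_access(user_id: str, password: str, asset: str):
    """Return (granted, reason). Every decision, allowed or denied, is logged."""
    # 1. Identification: look up the claimed identity. Unknown users still pay the
    #    hashing cost so that enumeration by response time is not trivial.
    record = USERS.get(user_id)
    expected = record["hash"] if record else _hash("")
    # 2. Authentication: constant-time comparison of credential hashes.
    if record is None or not hmac.compare_digest(expected, _hash(password)):
        return _decide(user_id, asset, False, "identification/authentication failed")
    # 3. Authorization (logical): does the role permit this asset?
    if asset not in PERMISSIONS.get(record["role"], set()):
        return _decide(user_id, asset, False, "role not authorized")
    # 3b. Converged physical condition: requester must be badged into the required room.
    room = ASSET_ROOM.get(asset)
    if room is not None and BADGED_IN.get(user_id) != room:
        return _decide(user_id, asset, False, f"not badged into {room}")
    return _decide(user_id, asset, True, "granted")

def _decide(user_id: str, asset: str, granted: bool, reason: str):
    # 4. Accountability: who, what, when and the outcome, for later review.
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user_id,
                      "asset": asset, "granted": granted, "reason": reason})
    return granted, reason

if __name__ == "__main__":
    print(request_access("rdavis", "correct horse", "hr_database"))  # (True, 'granted')
    BADGED_IN["rdavis"] = "lobby"   # same credentials, but physically elsewhere
    print(request_access("rdavis", "correct horse", "hr_database"))
    for entry in AUDIT_LOG:
        print(entry)
```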