[Figure: the ten factors Energy, Mission, Attitude, Set goals, Plan, Prioritize, Synergize, Organize, Optimize and Act now, with the descriptor "Drained, weary" shown beside Energy and "Haphazard actions" beside Plan.]
Engage the process owners and make the program as self-governing as possible. Processes in which the process owners are engaged in the overall process are more successful. A self-assessment process is one effort that helps here; it should be systematic and ongoing so that the process becomes self-governing.

People make the difference. While people, process and technology together make up the information security management process, the people component is the most crucial of the three. Engaging people with appropriate awareness and training programs right from the beginning is among the crucial steps to success, and it produces a culture of accountability and responsibility throughout the organization.

Ensure effective continuous improvement. Continuous improvement is the hallmark of a successful information security program. Information security is a journey, and the information security program needs to be constantly
[Figure: balanced scorecard view of the information security program, with four perspectives (Financial Perspective, Customer Perspective, Internal Perspective, Innovation and Learning Perspective) linked by the labels cost reduction, value for money, continuity of funding, continuity of revenue, process optimization, performance, process improvement, continuous improvement and customer needs. Customer Perspective: "How should employees, business unit managers and external users perceive security?" Objectives: user satisfaction, alignment with the business, service level performance.]
Figure 4: Overall Scorecard for the Implementation of Information Security Program

| Description | Target | Actual | Status | Score |
|---|---|---|---|---|
| Financial perspective | | | | |
| Average cost of a security incident | $800 | $750 | Green | 40 |
| | $10,000 | $15,000 | Yellow | 20 |
| | 15 minutes | 20 minutes | Yellow | 20 |
| | | | Red | |
| | 4 hrs | 4.5 hrs | Yellow | 20 |
| | 12 | 18 | Yellow | 20 |
| | 100% | 80% | Yellow | 30 |
| | Yes | External audit in progress | Yellow | 30 |
| | 1 month | 2 months | Yellow | 30 |
| Speed of dealing with a new threat (measured by the number of security incidents due to the threat) | | | Yellow | 20 |
| Customer perspective | | | | |
| Overall Score | | | | 58.75% |

Note: Targets and actuals are hypothetical figures for the purpose of this example. Categorization into Green, Yellow and Red is done on a predefined basis. The scores are arrived at based on an assessment by a team; the maximum score for each indicator is 40, and the overall score is calculated by giving equal weight to the 10 indicators.
Figure 4: Overall Scorecard for the Implementation of Information Security Program (cont.)

| Description | Q2 | Q3 | Q4 | Q1 | Q2 | Q3 | Q4 | Remarks |
|---|---|---|---|---|---|---|---|---|
| Target | 80 | 80 | 80 | 80 | 80 | 80 | | |
| Actual | 58.75 | 67.5 | 75 | 80 | 82.5 | 82.5 | | |
| Shortfall (%) | 26.56 | 15.63 | 6.25 | | -3.13 | -3.13 | | |
| Status | Red | Red | Yellow | Green | Green | Green | | Green if actual equals target or better; Yellow if shortfall is less than 10 percent; Red for all other cases |

Characteristics of Information Security Program (on 1 to 10 scale; 1 equals worst case and 10 equals best case)

[Figure: the ten factors mapped to the program, as far as the labels survive. Energy: IS organization strengthened; CISO and information security council (ISC) put in place, senior management involvement enhanced. Mission: IS strategy in place. Set goals: framework selected, ISO 27002/27001. Attitude, Plan, Prioritize, Synergize, Organize, Optimize and Act now appear without accompanying text.]

Scored characteristics (columns Q1 to Q4 over two years plus Remarks; only the row descriptions are recoverable here):
- Implementation approach
- Appropriate use of a relevant framework (ISO 27002/27001)
- Use of a sound risk management methodology
- Integration of security strategy with business strategy
- Integration of security program with governance framework
- Appropriate metrics program
- Self-governing nature of the program
- Culture of accountability and responsibility
- Establishment of a continuous improvement process
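As an added worked example (not part of the original article), the following Python reproduces the two scoring rules the scorecard states: the quarterly status rule from the Remarks column (Green if actual equals target or better, Yellow if the shortfall is less than 10 percent, Red for all other cases) and the overall score computed from 10 indicators with equal weight and a maximum of 40 points each. The quarterly target of 80 and the actuals 58.75, 67.5, 75, 80, 82.5 and 82.5 are the page's own; the list of ten indicator scores passed to overall_score is constructed for illustration, since the page does not show all ten. The function names and the assumption that a higher actual is better for the quarterly score are mine.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import List, Sequence, Tuple

# Stated on the page: maximum score per indicator is 40 and the overall score
# gives equal weight to the 10 indicators.
MAX_INDICATOR_SCORE = Decimal(40)
INDICATOR_COUNT = 10
CENTS = Decimal("0.01")


def _dec(value) -> Decimal:
    """Convert ints/floats/strings to Decimal via str() to avoid binary float noise."""
    return Decimal(str(value))


def shortfall_pct(target, actual) -> Decimal:
    """Shortfall of actual against target as a percentage of target, rounded
    half-up to two decimals as the scorecard prints it. Negative means the
    target was exceeded."""
    target, actual = _dec(target), _dec(actual)
    if target == 0:
        raise ValueError("target must be non-zero")
    return ((target - actual) / target * 100).quantize(CENTS, rounding=ROUND_HALF_UP)


def status(target, actual) -> str:
    """Remarks-column rule (assumption: higher actual is better):
    Green if actual equals target or better; Yellow if shortfall is less
    than 10 percent; Red for all other cases."""
    shortfall = shortfall_pct(target, actual)
    if shortfall <= 0:
        return "Green"
    if shortfall < 10:
        return "Yellow"
    return "Red"


def quarterly_trend(target, actuals: Sequence) -> List[Tuple[Decimal, Decimal, str]]:
    """One (actual, shortfall %, status) tuple per quarter, in order."""
    return [(_dec(a), shortfall_pct(target, a), status(target, a)) for a in actuals]


def overall_score(indicator_scores: Sequence) -> Decimal:
    """Equal-weight overall score in percent: points achieved over the points
    possible (10 indicators x 40 points)."""
    if len(indicator_scores) != INDICATOR_COUNT:
        raise ValueError(f"expected {INDICATOR_COUNT} indicator scores")
    scores = [_dec(s) for s in indicator_scores]
    if any(s < 0 or s > MAX_INDICATOR_SCORE for s in scores):
        raise ValueError("each indicator score must be between 0 and 40")
    total = sum(scores)
    possible = MAX_INDICATOR_SCORE * INDICATOR_COUNT
    return (total / possible * 100).quantize(CENTS, rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    # Quarterly target and actuals taken from the scorecard on the page.
    for actual, shortfall, colour in quarterly_trend(80, [58.75, 67.5, 75, 80, 82.5, 82.5]):
        print(f"actual={actual:>6} shortfall={shortfall:>6}% status={colour}")

    # Constructed indicator scores (hypothetical; the page shows only nine of its ten).
    sample_scores = [40, 20, 20, 10, 20, 20, 30, 30, 30, 20]
    print("overall score:", overall_score(sample_scores), "%")
```

Decimal with ROUND_HALF_UP is used deliberately: Python's built-in round() rounds half to even and would print 15.62 and -3.12 where the scorecard shows 15.63 and -3.13.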
Conclusion
Overall, it is the establishment of a sound information security
program that is derived from effective information security
governance and an appropriate risk management methodology,
along with its brilliant execution and ever-improving excellence
in operations, that enables an organization to succeed in
information security on a continual basis.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors' content.
© 2009 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
www.isaca.org
ISACA JOURNAL VOLUME 5, 2009