
The higher-ups want a plan on paper, and our security manager's plan resides in her head. But in the end, hers covers more of the bases than theirs.

In all my career, whether in the public or private sector, I have never seen a top-down information security plan in place. In other words, I've seen nothing that would show that someone at the highest levels of the organization is thinking about information security and has integrated it into the mission, goals and objectives of the organization. Instead, information security has developed -- or should we say stumbled along? -- from the bottom up, with IT managers or infosec managers simply trying to get individual projects approved and implemented.

So it came as a surprise this week when a template for an information security plan appeared in my in-box, with a note from my chief to fill in the blanks and have it back to him within a week. This was a real top-down effort: The governor had issued an executive order requiring that the state's chief information security officer (CISO) gather plans from all the state agencies.

Setting the Pace

Now, I guess you could say I'm a bottom-up kind of person, because I usually set the pace for information security initiatives rather than wait for someone to hand them down. I would have to take a look at this template and see how my bottom-up approach meshed with this top-down directive.

After a quick perusal of the document, I realized that it had been generated by the National Institute of Standards and Technology. NIST has done a great job of supplying such templates for government bodies. My only complaint is that they are more like rough starting points than definitive guides. Of course, I don't know how you could publish a definitive guide when it comes to anything related to technology, since the rate of change is phenomenal and there are so many variations on the theme.

You have to give the state CISO a pat on the back for even trying to bring myriad agencies into some form of compliance with federal and state guidelines.

I was most curious to know if "filling in the blanks" of the document was going to show our agency lacking in any important areas. We have a plan, but it resides in my mind. Now I was faced with an exercise that would force me to document and audit our information security efforts.

First up was the stated purpose of the plan: to document the security controls that are in place or planned, delineate responsibilities and expected behavior, identify state and individual agency technical assets, and establish a means of classifying protective measures in three categories: prevention, detection and reaction. (This last part wasn't too different from what we used to say in the private sector, where we talked about the three D's: defend, detect and deter. No matter how you slice it, there are categories of things you have to do to protect information assets.)

Filling in the Blanks

Then came the blanks, which the template arranged in eight major sections. The first section merely required me to document the number of locations we operate in, provide the name of the information security officer (that's me), and describe the agency's critical business functions.

The second section concerned information security management. The previous ISO had spent a year developing and documenting a comprehensive information security manual based on NIST guidelines that contained agency policy and procedures.

I scored our agency at 100% complete for the first section, but for the second section, I had to give us 50%. There was a lot of work to do in the area of risk assessment and audit, even though we had plenty of policies in place. We hadn't had an external audit of our environment in a few years.

The third section was on information security awareness and training. Technically, we could score 100% complete in this area, but as you may know from a previous column, what we have for training is boring and ineffective. We are in the process of creating on-demand, Web-based, full-motion video training modules to address both security and privacy concerns. I scored us at 90% complete. And I chuckled to myself as I thought about the state-level training program, which is on-demand and Web-based but worse than a PowerPoint presentation.

We scored equally high on personnel security. We have a badging system -- though it's manual -- and we run background checks before hiring anyone. We have a process that allows us to immediately disable accounts when an employee is terminated, and a process for tracking access control levels and secured areas where people without keys aren't allowed.

The next section, data and application security, was short. The only requirement was that we have a way to grant access to data and applications on a need-to-know basis. Check. I was surprised that nothing was mentioned about secure coding methods or a requirement to have Web-based applications audited.

The section on software security was also short, the only requirement being that we comply with software piracy and copyright laws. Check.

Communications security was not much better and concerned itself only with LAN and voice security. This assumes that the state-level security folks take responsibility for the WAN. Check.

Physical security and environmental controls were the usual fare. There's not much you can do when you are housed in an old, drafty building that experiences frequent power outages. Check.

Not so bad. If I had to grade myself, we would get an A. The conclusion I came to was the one I had before: It's a rough starting point. Our bottom-up efforts are superior to the top-down efforts because security folks understand security. Administrative-legislative types don't.

What do you think?

This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at , or join the discussion in our forum: QuickLink a1590

To find a complete archive of our Security Manager's Journals, go to computerworld.com/secjournal

Copyright © 2005 IDG Communications, Inc.
