IT Security Decision Process

The IDG Enterprise Role & Influence of the Technology Decision-Maker survey helps CIOs understand their evolving roles and influence in today’s business environment. The study shows that top CIOs are much more involved in every stage of the IT purchasing process than their business management colleagues.

Other findings include:

  • CIOs partner with business executives in the decision-making process and are involved in decisions outside of IT purchases.
  • The number of IT influencers within enterprises continues to grow rapidly.
  • Eighty-five percent of line of business managers view their IT department as a key resource for achieving strategic goals.

It is the CIO’s and CISO’s job to identify and present the risks the business may face, but it’s up to the board of directors to make the final decision on the acceptable level of risks. Security decisions should be made taking into consideration all relevant business, economic, organization and technology issues. Factors that could influence the decision-making process include:

  • Economic — the financial risk exposure of a given technical process or application. IT spending is an investment with real potential benefits, as well as real security risks.
  • Organizational — prior experience with making similar decisions; background knowledge about security in the company; internally established standards; maturity of existing security management processes.
  • Technology — existence of known technical vulnerabilities and risks in the technology stack.
  • Business — relates to the security knowledge and awareness of C-level executives and board members. It is impossible to make meaningful decisions if they don’t realize how security issues may occur at each enterprise level.

The Security Manual is over 240 pages in length. All versions of the Security Manual Template include both the Business IT Impact Questionnaire and the Threat Vulnerability Assessment Tool (they were redesigned to address Sarbanes Oxley compliance).

In addition, the Security Manual Template PREMIUM Edition contains 16 detailed job descriptions that apply specifically to security and Sarbanes Oxley, ISO security domains, ISO 27000 (ISO27001 and ISO27002), PCI-DSS, HIPAA, FIPS 199, and CobiT.

Author: Victor Janulaitis

M. Victor Janulaitis is the CEO of Janco Associates. He has taught at the USC Graduate School of Business, been a guest lecturer at UCLA's Anderson School of Business, a graduate school at Harvard University, and several other universities in various programs.