Page 12 - CITP Review

Organizational structure is a foundational component of the information security strategy. Determining
            how security fits into the existing structure of an organization is a starting point in the development of an
            organization’s information security strategy. Organizational structure includes the following three primary
            categories:

              Centralized
              Decentralized
              Hybrid

            In a centralized security structure, security is managed in one location, often the corporate headquarters.
            Characteristics of a centralized security structure include the following:

              No need for multiple trained experts in multiple locations
              Easy to manage
              Information and related decisions can be made in one location
              Network and security systems are exposed to a single point of failure
              Can have slower response times

            In a decentralized security structure, security is managed in multiple locations. Characteristics of a
            decentralized security structure include the following:

              Requires multiple trained people and resources at multiple locations
              Avoids single points of failure
              Faster response times
              Can make centralization of a security operations center more difficult

            A hybrid security structure, which includes elements of both centralized and decentralized security
            structures, is characterized by the following:

              A central authority
              Regional or local actors with the expertise and permission to act locally [1]

            Alignment with organizational strategy and IT strategy
            It is imperative that an organization’s information security strategy align with both the overall strategy of
            the organization and the organization’s IT strategy.

            Alignment of the information security strategy and the organizational strategy starts with clearly
            communicated organizational goals and objectives. From there, organizational strategy alignment is
            accomplished through the creation of information security key performance indicators (KPIs) that
            directly tie to business key imperatives (KIs).

            Alignment of the information security strategy and the IT strategy requires a full understanding of the IT
            assets within the organization, and the development of KPIs that are tied to technical metrics.






            [1] Source: Information security governance course materials, Module 1 – Information security governance.


            © 2019 Association of International Certified Professional Accountants. All rights reserved.    1-4