Management Structure:

Copyright(c), 1990, 1995 Fred Cohen - All Rights Reserved

The above description of military requirements for information protection analysis implies management responsibility and activity. Most installations are painfully shy of management involvement until they have suffered their first detected severe loss. In many cases, the warning signs show when an extraordinary effort by one or more people manages to barely avoid a disaster. In these cases, high level managers have a tendency to believe that they have made the right decisions because those decisions worked out in the particular case that occurred, but relying on extraordinary employee efforts on an ongoing basis is not a rational basis for decision making. Literally hundreds of articles appear every year that list techniques, give checklists, describe techniques applied at various organizations, and describe management principles and structures. Just keeping up with the technology and techniques would require several full time employees. It is foolish to think that this information will be assimilated into an organization without an organizational structure to support it. At a minimum, there should be three levels at which responsibility for protection is taken.

At the top levels of management, there should be a person who has global responsibility for information protection. This person will typically establish policy, supervise and direct risk analysis, have budgeting and personnel responsibility for information protection, and be closely connected with the management of the EDP (electronic data processing) facility. In large organizations, this responsibility will often be shared by several employees with a supervisor high in the management chain, while in small organizations a single person may hold all of these responsibilities. Failure to attain an adequate level of coverage for corporate resources may result in personal liability for top level management. It is therefore imperative to address this issue at some level.

At the operational level, there should be someone at all times who is actively responsible for protection. This person typically responds immediately to protection problems with actions that are prespecified by the organization's protection policies and plans. In large organizations, there are typically people at each site who are actively responsible for protection at any given moment, while in small organizations there may be a single person with 24-hour responsibility.

At the user level, individuals should be held responsible for their conduct. This typically requires training of employees in proper conduct, supervision of conduct, regular checking of audit trails for misuse, and well-defined punishments for abuse. In large organizations, training programs are often held regularly, supervisors are always available, auditing is performed on an ongoing basis, and disciplinary boards are set up for cases of abuse. In small organizations, social pressure is the main method of training, there is no ongoing supervision, happenstance detection is often the only trigger for an audit, and punishment is set by supervisors on a case-by-case basis.

Most organizations are woefully lacking in their information protection personnel and budgeting before risk analysis is performed. As a critical step towards information protection, it is necessary to have an employee at a high level whose direct responsibility is the protection of information. Such an individual should have the ear of the CEO, and sufficient funding and decision-making power to make and enforce policies within the company. This includes the availability of enough resources to make accurate assessments of protection requirements, to carry out any technical or administrative actions that may be required in order to have a cost-effective program of protection, and to determine the need for additional resources and acquire them as appropriate.

In many cases, it is helpful to bring a company up to speed by bringing in external experts and carrying out an extensive internal education program. A comprehensive program should include high level management education, education suited for those with direct technical responsibility for information protection, training for maintaining expertise and awareness among ongoing employees, indoctrination for incoming employees, and debriefing for departing employees.

It is critical that employees understand and recognize the company policies with respect to information (and other asset) protection, and that violations of policy be punished in a swift and meaningful manner, so that an air of leniency is not apparent. It is also important to avoid oppressive management behavior. After a disastrous loss, many companies alienate their employees by overcompensating. It is much more sensible to provide an adequate program in a consistent and ongoing manner. Employees should have input into the policy and explanations of the motives behind decisions, so that they feel that they are an important part of information protection within the organization.