Thinking Ahead
by Michael S. Mimoso
Issue: Dec 2005
Offloading to Operations
With more focus on risk management, security managers are offloading duties in other areas. Operational teams such as network, application and server administrators remain the most logical home for security duties such as firewall maintenance, IDS management and secure server configuration.

"We guide our network team and approve security actions that they implement," says John Kramer, information security manager at the University of Pennsylvania Medical Center. "Local understanding always outweighs corporate-level decision making lest the users get impacted by broad-brush decisions that are not viewed from a local business-needs perspective."

How Are Things Going?

Surveyed security managers expressed confidence in their understanding of business goals. Kramer finds success in pushing out accountability to business managers by deploying security liaisons who act as a conduit between the security office and the business units.

"Security can only be adequately interpreted at the local level to be most accommodating to the users and their business needs," Kramer says. "Centrally, we cannot do justice to these disparate and specific local needs. We provide the high-level direction, and they interpret and implement local solutions that best meet the needs of both the central direction and the local quirks."

The integration of risk into the security operation is an offshoot of the need to comply with regulations. For most public companies, complying with SOX, HIPAA, GLBA and other industry-specific regulations is an ongoing initiative. As the routines are ingrained in everyday operations, confidence grows that the compliance challenge will lessen.

ConAgra Foods, for example, has created a homegrown risk-assessment methodology called the System Security Plan, based on NIST Special Publication SP 800-30 and the Microsoft Security Risk Management Guide. New systems or applications must adhere to the plan before they are put into production. The plan has three components that describe the new system and any risks associated with it, plus a 10-point checklist that determines its compliance with policy.

While 72 percent of respondents said they'll be spending more time and money on compliance-related activities in 2006, Woerner says ConAgra's initial push is over.

"The cost for compliance is dropping as it becomes a regular activity," Woerner says. "Now that the processes and procedures are in place, there are fewer costs involved. Most of the expense is on outside auditors to attest compliance."
