Chapter 26

From Vision to Reality: Implementing Information Security

John M. Millican

In order to be effectively aligned with the enterprise's objectives, the information security (IS) function must be implemented on a top-down basis. Unfortunately, IS is an afterthought for too many organizations. This leads to a patchwork approach prone to significant gaps and ineffective controls. If the enterprise information security (EIS) team is treated merely as the final gate check in the development of new processes and technologies in the organization, insecurities within those processes and technologies end up forcing the EIS team to block them from implementation. This leads to EIS being perceived as a barrier to accomplishment, which in turn reinforces the tendency to avoid involving the team in the development of the next initiative. Additionally, controls that are bolted on at the end are generally less effective and more burdensome than those that are built in from the inception.

Enterprise Information Security Architecture: Bridging the Conceptual to the Actual

How do you take the high-level goals and strategies described in the previous chapter and make them real in your organization? That is the role of the enterprise information security architecture (EISA). Its purpose is to bridge the gap between the high-level vision of executive managers and the tools available to the frontline contributors responsible for actually implementing the IS function.

The EISA is the framework that takes the high-level vision ...
