The Sphere of Control

Organizations of this type have a centralized security function for most technology, while allowing some business units to independently manage business-unit-specific security measures. These distributed security functions usually have varying degrees of compliance with centrally published policies and procedures. However, when regulators and auditors come through, they are introduced to a person who is responsible only for security functions that overlap all business units, a central security officer, who proudly displays their metrics program while not mentioning that it does not cover 100% of the organization. In contrast to the LOB-specific measures in Figure 6A-9, the central security function will gloss over technical differentiations in the data-gathering function. For example, measurements with respect to Windows operating systems are different from measurements concerning Linux, so normalizing these distinct measurements into industry-standard, agreed-upon criteria for security measures seems like a commonsense exercise. For example, Figure 6A-10 shows a set of security functions broken down by measurable features of operating systems that reflect those functions in a given environment. It does not necessarily matter that some operating systems implement security features better than others, or that some instances of a given operating system are beyond the sphere of control of the central authority who generates the reports. The report just demonstrates whether, in the judgment of the central organization, these features are well implemented on the machines in scope. Such reports are meant to convey that the organization at least knows how to secure and measure things, and that there should be no technology requiring security that would be beyond organizational expertise to deliver. Central security organizations often feel justified in displaying this type of fuzzy-target metric because they want to display true information but have been conditioned to allow the independent business units to evade their sphere of control. Where this is the case, they feel no responsibility to comment on the fact that their own management has allowed the independence. The lack of authority over LOBs could be perceived to indicate a lack of faith, on the part of that management, in the security organization's ability to handle the special needs of the suborganization within the centralized program. The suborganization is acknowledged to be a stepchild under special care, like a child who is acknowledged to require special education and whose efforts should not be averaged into the rest of the classroom because they would bring down the ratings for the school as a whole.

Jan 13, 2022