Terminology Overview for Documenting Security Governance

It’s very possible that title is the most boring 6 words I’ve ever composed and I used to have to write lines on the chalkboard in school. A lot.

For the purpose of Information Security governance and studying for various management-level Infosec exams, though, this terminology is very important. Understanding not only the terminology but more importantly how the terminology relates to one another helps guide the entire governance and policy process.

If you’re anything like me, you struggle with documentation. Policy is not something I tend to enjoy, especially when I have the workload of 5 people. Actual physical tasks tend to win out over documentation, organization and proper structure. That’s not something to strive for. We all need to make time for documentation.

First and foremost, understanding one’s role in an organization is key. Information Technology, Information Security, Help Desk, QA, Development, etc. all support the business. In most cases they are not the business itself. As a result, support departments need to align their planning with the overall mission of the organization. Doing so makes buy-in from upper management much more likely and easy to acquire. So the top of the governance food chain belongs to:

Mission Statement: This is a simple and straightforward expression of what the company endeavors to do, for whom, and the values it applies to that end. It’s a concise overview of how the organization sees itself. (A personal mission statement might be: I wish to be healthy so that I can live a long and happy life with my wife.)

How does the organization plan to achieve that mission? That’s what the strategy is for. The strategy is there to explain how the organization plans to accomplish its mission. If the mission statement explains the What?, Why? and Who?, the strategy covers the How? A mission statement generally remains the same, whereas a strategy changes often in an effort to adapt to fluid business environments and landscapes. (A personal strategy related to the above mission statement could be: I am going to eat in a healthy manner and exercise to lose weight.)

A strategy is a high-level plan for execution. It will cover the plan of attack, so to speak, without getting into the actual details. To describe the actual details of execution, an organization establishes goals. This is a term we’re all fairly familiar with but for these purposes it may be a little more narrowly defined than we’re used to. A goal, in this terminology, is a relatively intermediate-term desired outcome. It’s unwise to establish goals that are too broad or long-term as they tend to be less attainable. (Personal goals might include: a) Lose 10 lbs. and b) Incorporate more vegetables into my diet.)

The final rung on this ladder is the objective. The objective allows us to define shorter-term, more finite tasks for the purpose of reaching the goal. We often have numerous objectives with quick deliverables so that we can continue seeing progress on our way to achieving a goal. (Personal objectives might include: a) Go to the gym on Monday, Wednesday and Friday for at least 30 minutes, b) make a meal plan for this week and c) purchase the necessary vegetables at the grocery store.)

Now you may often find that goals and objectives are used interchangeably. I had to actually strive not to use them to describe each other as I wrote this! But for this purpose, they are distinct structures, each with its own defined time period, used for the purpose of proper organization.

Mission Statement and Strategy (LONG TERM) are carried out by setting specific Goals (INTERMEDIATE TERM) which are executed by setting and achieving Objectives (SHORT TERM).

Hopefully that made sense 🙂 In the following article, we’ll talk about how the strategy is not only accomplished through the execution of goals but also the establishment of policies, standards and procedures.
