Determining the effectiveness of the ISSP
To ensure the confidentiality, integrity and availability of corporate information systems, each organization must implement a comprehensive Information Systems Security Program (ISSP). Determining the effectiveness of the ISSP requires evaluating each component individually, as well as its relationship to the other components. Assessing a single component in isolation, while often necessary because of time and resource constraints, yields only a fragmented snapshot of the enterprise's defenses. The non-security community often does not fully comprehend the scope, breadth and impact of the ISSP, which can result in either false comfort or undue concern over the degree to which corporate resources are actually protected. To aid in managing the plan, an annual calendar of major activities, including due dates, dependencies and responsibilities, should be compiled, maintained and communicated to every party that is accountable for, or participates in, a component of the plan.
As the expertise, ingenuity and persistence of attackers increase (see the NIPC July 2002 article “Swarming Attacks: Infrastructure Attacks for Destruction and Disruption”), it becomes ever more important that the ISSP and its assessment follow a defense in depth approach. This can be achieved either through redundant controls or through successively deeper (drilled-down) layers of security. The program and its appraisal should confirm that multiple layers of protection are present and that each layer is adequate, so that the failure or bypass of any single control does not expose the enterprise. Executives must understand the risks associated with operating in today's environment and certify their acknowledgement and acceptance of those risks. The findings from the analysis of one component must be considered, and any weaknesses mitigated, when completing the other ISSP components. The CIO should be briefed annually on the overall ISSP, understand the methodology used to develop it, and certify that s/he accepts the risk under which it operates. The CIO then briefs the President or CEO, who accredits the ISSP.