It’s a safe bet no organization anywhere can be 100 per cent secure. A constantly changing cyberscape helps guarantee this. It’s also why security and IT managers can never run and hide from risk management and threat assessment.
Among the many elemental, technical details of the federal government's Management of IT Security (MITS) standard, one overriding theme rules them all: IT security is very much about making sure there is good awareness of business risk management.
A key aspect to MITS, since its inception in May 2004, has been to get all the government’s business leaders on board. Assistant deputy ministers and deputy ministers have to be well aware of the risks around their program delivery and then translate that risk management into their IT security posture.
“MITS is founded fully on a risk management approach,” says Jim Alexander, the federal government’s deputy CIO. “It’s about dealing with this as a business risk management piece, as opposed to some technical thing and, ‘You better make sure nothing ever goes wrong.’”
More than 100 federal core public service departments and agencies are subject to MITS and every one is expected to comply with the standard by the end of next month.
But if engaging senior management and identifying the real business risks presented challenges, the sheer volume of work towards compliance — and exactly what form that compliance would take — has proved daunting.
MITS is viewed by and large as a high-level document, at least as far as standards are concerned. It attempts to define the baseline requirements to achieve a minimum