Decisions, Decisions, and the Role of Authorization
Military and space operations have always maintained a strong policy of decision-making and authorization by the book. In movies and archival footage, we can watch and listen to commanders and specialists follow carefully written and well-rehearsed procedures for every activity. Commands are issued by the individual currently in the position of authority. The commands are repeated back to ensure they are fully heard and acted upon, and in the case of emergencies, specific manuals or plans are broken out to ensure the vital steps of mitigation and rescue are followed to the letter. Every mission depends on a set of clear plans along with the assignment of the right person to take command.
What we see in those scenes is a world of decisions and authorization – a place where nothing should come as a surprise, and where everything has been planned and practiced, even the most extreme of contingencies. The military, and its traditional offshoots, such as space programs and cybersecurity, follow these practices because they are vital to the successful application of people and resources to achieve a goal or to manage a crisis.
In the world of business and technology, decisions must be made, and crises must be handled. The world has become a place where people are not only connected physically through technology, but they are also connected in real time. The speed by which data travels means that no news is ever more than a few seconds from every person on earth. This means that handling crises within an organization is something that faces significant, immediate challenges and serious ongoing repercussions.
An oil terminal failure on the Louisiana coast, or a cargo ship beached in the Suez Canal can immediately affect world markets which themselves are based on high-speed communication. A ransomware or DDoS attack on a company can do the same, and the impact can be felt even if the failure was not within the company, but with a DNS or content delivery network with which it works. The damage caused is not limited to data lost, but to reputation, share price, liability and stability, possibly even human lives.
Assigning the decision making and authorization roles within an organization represent vital influences on its survival strategy, but it has been traditionally approached at different speeds and in different ways, depending on the culture of the individual company. But the nature of business today is that technology and cybersecurity cannot be thought of as the responsibility of a siloed IT department – it is the lifeblood of the organization. In day-to-day operations, as well as during moments of crisis, a company’s different functional areas must be able to collaborate and must know who to turn to for leadership.
Overall leadership is often assigned to a senior executive – a person who has insight into all departments, more so that individual managers do, and who has the authority to resolve conflicts and ensure that teams work together, even if they have different mandates or are even opposed to each other. Board members are also becoming more attuned to the need to understand the wide-ranging dangers of cybercrime.
If not clearly identified, as in clearly written and communicated, the potential for confusion remains high. The roles of the CIO and the CISO, for example, might be clear when written out on an organizational chart, but it still may not be clear who has decision-making authority when facing a serious cyber threat. There are some who suggest that a shift may be coming, in which a CIO will report to the CISO. But that may get muddled further, for example, when a data breach occurs, at which point, both must step aside to make way for the Chief Privacy Officer.
System Authorization and the NIST Tradition
The art of successful management in general and crisis management comes from clear planning, recording policies and steps within a playbook, and practicing scenarios to ensure ongoing physical learning. This gives companies and their officers and employees genuine experience in deploying necessary procedures and making correct decisions. In addition, it also helps ensure all policies and actions comply with a diverse set of laws and regulations within an industry, region, and country.
In the United States, for example, following regulations set out by the Department of Homeland Security (DHS), a CISO “bears the primary responsibility to ensure compliance with Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), Office of Management and Budget (OMB), and all applicable laws, directives, policies, and directed actions on a continuing basis.”
The need for compliance and adherence is the reason why the practice of system authorization exists within the procedural pipeline. Although developed for use within the government, especially the DHS, it is spreading out into the private sector.
Patrick Howard, CISSP, CISM, and author of The Official (ISC)² Guide to the CAP CBK, describes it as follows:
System authorization has been employed in government for over 20 years, and it is becoming recognized outside government for the promise it holds as a practical approach for identifying and documenting business requirements for security, for ensuring that cost-effective controls are functioning appropriately, and for ensuring that weaknesses in protective controls are managed effectively.
Based on NIST (National Institute of Standards and Technology) standards, system authorization formalizes the decision-making process, placing clear directives and accountability up front where they can be communicated and clearly documented. It becomes the responsibility of the Certified Authorization Professional (CAP) to take on this role or to assign it under the title of Authorizing Official (AO) to an appropriately qualified individual.
In short, the AO makes authorizing decisions based on documented considerations affecting operations, security, privacy, and potential impact. The AO must weigh each decision against external dependencies, risk, and risk tolerance, and must present a contract of operation that details the scope of the authorization and the activities that follow. The AO can also devise and deploy event-driven triggers to manage new and emerging threats, changes in business requirements, and changes in risk assessment findings.
An authorizing official need not be the highest-ranking member of the Security program, or of the company. Their decision-making process comes from a solid understanding of the documentation and procedures already in place, the implications of moving ahead with a decision, and the terms by which actions can be carried out. The AO’s authority and responsibility cannot be delegated.
How the CAP Certification Can Help You to Succeed
The role of the authorizing official is vital to the life of an organization. It is a role with a great responsibility. The CAP Certification from (ISC)² has been designed to help individuals attain the credibility and practical knowledge that will enable them to take on this role with confidence and competence.
To find out more about CAP and implementing controls, download our guide, Mitigating Evolving Risk with the Right Security Framework.