
SANS ISC: Mitigating the impact of organizational change: a risk assessment SANS ISC InfoSec Forums

Mitigating the impact of organizational change: a risk assessment



It is a well-established fact that insiders and employees can be the largest threat to an organization's information security. Management decisions and organizational change can exacerbate these insider risks and, when poorly managed, introduce new and unanticipated threats as well. Organizational change can take many forms, such as mergers, relocations, or the closing of facilities.
During these changes the risk profile increases, and the technical staff responsible for managing those risks are often not as focused as they would be in more normal times. This is a situation that management has to recognize and plan for before contemplating change to the organization. Management is not well known for listening to technical staff on these topics.
Moving a portion of a company, when poorly planned and organized, can lead to loss of key staff, further poor planning, loss of institutional knowledge, and ultimately loss of revenue as customers lose confidence or customer relations are damaged.
The primary elements to organizational redesign are:
  - Timeline
  - Key roles
  - Project plan and milestones
Having a realistic timeline is the best place to start. Knowing what facilities are required, where they are required, and making sure they are in place when needed will smooth out any change. While not directly related to information security, planning for office moves that involve construction has to include timelines for obtaining permits and allowance for construction delays. Mitigation plans for facilities that are not ready are part of the up-front planning as well. When people are relocating, this can cause delays as well as a different level of attention from staff as they make their own living arrangements.
People will show up expecting to do their jobs the way they did prior to the move. Presumably they are either living in a new place or new to the company. In either case certain processes will take longer because of the newness of the location and office space, or the integration of new employees.
Identifying key staff roles in advance is critical. This is a task best performed at lower levels; high-level managers and owners do not have visibility into which roles are really critical. Ensuring continuity of key roles, with each role filled either by someone relocating or by a new staff member who has time to onboard and learn the organization before major change takes place, reduces the risk of significant change, particularly when that change is within the new staff member's department.
This entire process should really start by examining the steps and milestones that need to take place and ensuring that the amount of time needed for each step is clearly understood prior to embarking on the change path. The old adage that too much change at one time is poor engineering applies to many companies across the board.
To mitigate risk, procedures and documentation need to be maintained at all times, not just in the midst of change. This includes knowing who the key architects of the information systems are and ensuring that those roles are spread across multiple individuals. Planning for change needs to include staff members at all levels to be successful. Additionally, involving staff may even increase the number of staff members who make the transition, as an added benefit.

Dec 18th 2012
