Creating Computing Security Requirements

Coordinating Among Organization Security Leaders

I entered my first job in computing security in 1982, coincident with the publication of the company’s first computing security requirements manual. The protections in the requirements were grouped into those assigned to managers responsible for systems and those assigned to users. Each group contained sentences that described the requirements, listed in no particular order. I know nothing of the origin of the requirements, but they could be described as best practices of the time.

After about a decade it became apparent that a complete overhaul of the requirements manual was needed, after years of complaint, particularly about who was responsible for what. The organization also lacked any easy way to report compliance, in part because the many detailed requirements had no titles by which they could be referenced.

A few years earlier I had championed the development of a computing security section for the company’s security manual for government classified information. I learned about working with technical writers, and the methods for organizing and presenting written procedural information. When I was reassigned to the unclassified computing security function, I made a point of getting to know the information technology managers who were members of the computing security working group.

The process of writing the new computing security manual involved a technical writer, technical computing security staff and, perhaps most important, the computing security working group who would approve the document. Our first breakthrough was the establishment of a high-level outline for the requirements, in essence the security control framework. A writing approach was established to articulate each high-level requirement, then to label and describe each detailed requirement beneath it. Finally, the existing requirements were rewritten in the new style, along with many new requirements to fill in obvious gaps. The approval process involved individual communication with each steering committee member in advance of the detailed review meetings. While the process was protracted, the document was ultimately approved. The resultant document has had both minor and major revisions over the years but stands as one of the first computing security control standards.
