Voted Best Answer
Sep 05, 2018 - 07:44 AM
I think there were maybe 2 policy clauses that they refused to include because they couldn't find an 'InfoSec' spin.
In achieving this I had sponsorship from the CIO to work with the CISO. The Info Sec analysts resisted at first, but because the sponsorship for this was so senior, they co-operated, and I think that they did end up seeing the value. There was huge benefit for me because it avoided the need for a separate policy approval process, and the Info Sec policies were approved at Board Level, so they had a great deal of weight.
The CISO was great. He knew that the broader ITAM piece I was doing was hugely valuable for Info Sec, and in fact my biggest challenge was persuading the Info Sec analysts that yes, we really did need to change the wording and add in the couple of extra clauses. They thought the Asset Management section would cover everything, and of course it didn't.
Regarding the broader implementation of ITAM, it also meant that the CISO was a vocal sponsor in meetings where the ITAM design was discussed and approved by the teams that needed to implement it. It shuts down a lot of arguments when you can say that what you want to implement is part and parcel of implementing the broader 27K agenda.
Info Sec don't want to be burdened with ensuring the minutiae of the asset management aspects of InfoSec are being implemented - their more immediate concerns are pen testing and access and network controls, so they appreciate it when an asset manager engages them and uses their own language to explain that they are implementing what is an important area of 27K, but which isn't really core to their day-to-day jobs.
I hope this helps a little!