The management of information security requires good teamwork and communication as well as technical skills. Mobile devices, laptops, easy remote access to databases and emerging technologies mean that the context and the risks being faced have to be fully understood if the information security strategy is to be effective.
The risk profile varies from one business or government agency to another. Risks are fluid: they are affected by new economic realities, by personnel, and by the risks acceptable to senior staff.
When a government agency is merged with another, the security strategy will have to address the new environment. New controls (detective, preventive and corrective) will need to be established to maintain the security required in the new environment.
The United States’ National Institute of Standards and Technology (NIST) provides standards for a variety of information technologies. See http://www.nist.gov/information-technology-portal.cfm for the standards available.
The key challenge is communicating to senior staff, who have not been trained in the current technologies, the risks to which the agency is subject and how the IT section is proposing to ensure the agency maintains the level of security and risk profile acceptable to senior management.