As introduced above, organizational management provides the executive and leadership team with the oversight that is necessary to ensure the entire security program is meeting expectations. As such, this embodies a number of strategic and tactical elements of security management that are important to the overall program, and also support elements of security that are necessary but not addressed directly by other features. Moreover, organizational management has the responsibility of establishing a coherent security strategy, one that is supported by a mission statement, charter, and objectives. It is important because it defines the security organization’s identity to others, helps those within the security group to understand their role and the direction of the group, and acts as a reference when the group is challenged to take on something different that may or may not be in alignment with the intended role of the security group. Clearly, this goes beyond just the ASMA; it should be reflected at the strategic level so that the business can resonate with the service delivery identity of the group (Table 9.1 and Figure 9.1).

Table 9.1 Organizational management interconnect table

Organizational Management

Risk Posture Management (Risk Management)
  - Ensure that the overall program and all the features are contributing to the management of the risk posture.
  - Results from the rapid risk assessment and related documentation provided to governance on the overall risk posture, and methods for measuring and managing it via security services.
  - Perform an analysis of the findings and activities and how they are being applied by compliance and services management.
  - A review of risk management’s rapid risk assessment processes and reporting standards to the other features, and the methods for monitoring risk posture in how services are executed.
  - A report on the alignment of risk management’s activities to the intended role, and the level of effectiveness and efficiency in monitoring and addressing dynamics in risk relative to feedback from services, compliance, and capability maturity management.
  - Interconnects: Governance, Compliance Management
  - Organizational management must have an understanding of risk posture and the interpretations of risk relative to service delivery. This is needed for policy, standards, and resource management, and to ensure risk management is performing as expected and collaborating effectively with other features.

Compliance Posture Management (Compliance Management)
  - Ensure that the program and features are promoting compliance activities and meeting business demands for compliance, and that these are being communicated effectively to customers.
  - All the results from compliance management’s analysis of the other features, its recommendations, activities, and methods for measuring compliance status.
  - A review of compliance management’s processes, methods, reporting processes, and interactions with the other features.
  - Interconnect: Risk Management
  - Compliance management’s processes and standards concerning management, reporting, tracking, and interactions, including specific methods for determining and monitoring improvements.
  - A report on the overall management of compliance, compliance management’s adherence to processes, standards, and policy, and its role in the enforcement of compliance through collaboration with services and risk management.
  - Interconnects: Governance, Risk Management
  - Assurance that the overall program is compliant and that the security program is meeting expectations concerning corporate compliance, to promote capacity and resource management.

Performance Improvement and Management (Capability Maturity Management)
  - Gain awareness of the state of effectiveness and efficiency in the realization of policies and standards, and of resource capability in delivery and management across the program.
  - All the results from capability maturity management’s assessments, findings, improvement activities, and innovative approaches.
  - A review of capability maturity management’s activities, processes, and improvements to processes, standards, tools, methods, and resources.
  - Interconnect: Compliance Management
  - Focus on specific improvement and innovation activities and how these relate to measuring their impact on how security is applied and on achieving stated program goals and objectives.
  - A report on capability maturity management’s effectiveness in promoting improvements and innovation within the security organization, and in how services are defined, deployed, applied, tracked, and measured within the business.
  - Interconnects: Governance, Risk Management, Compliance Management
  - Close collaboration with governance on the establishment of measurements and reporting concerning program performance and organizational integrity.

Policy and Standards Management (Compliance Management)
  - Ensure tight collaboration on regulatory demands, internally established expectations (policy), and program compliance.
  - All of compliance management’s activities across all the features in determining adherence to management practices and processes for standards and policy support and enforcement.
  - An evaluation of compliance management’s role in assuring overall compliance with program standards and policies within the security program, and how these resonate in service delivery and feature activities.
  - Compliance management’s reports on organizational compliance, process compliance, risk and service management compliance, and regulatory compliance, including processes for measurement, tracking, and monitoring.
  - A report on the overall management of compliance activities and interactions with all the other features of the security program, and the interpreted effectiveness of compliance activities in managing the posture of the organization and the business.
  - Interconnects: Governance, Risk Management, Capability Maturity Management
  - Ensure alignment to program expectations and overall policy compliance and enforcement by working with services management and governance.

Services Management and Orchestration (Services Management)
  - Work with services management in the identification of gaps and opportunities in the development and management of the service catalog and the necessary capabilities (skills, partners, etc.) in the delivery of services.
  - Results from all the other feature interactions concerning a review and analysis of the service catalog and the orchestration of service models and types.
  - An overall analysis of service structure and effectiveness in making necessary overall adjustments to the service catalog based on information from the other features.
  - Interconnect: Risk Management
  - Working closely with governance, risk management, and capability maturity management, organizational management performs a customer-based review of service models drawing from performance, quality, risk, capability, and capacity reporting.
  - A report on the overall ability, effectiveness, and efficiency in incorporating demands from customers and inputs from other features in assuring the adaptation of service delivery methods to meet the goals and objectives of the security organization and the business.
  - Interconnects: Governance, Services Management, Capability Maturity Management
  - Oversee and manage the service catalog, customer interactions, and quality management, working closely with governance and services management to ensure expectations are met and performance is monitored.

Figure 9.1 Organizational management interconnect process map.