The Holy Trinity of Info Security (continued)

Question 3: Is it doable? This is the million-dollar question that I don't know the answer to. You will know, after hours of meetings and pondering the details of your security program. A proper information security program does not place unnecessary burdens on employees, is not cost-prohibitive, and does not confuse security administrators. Are your policies, standards, incident response call-out rosters and procedures known by those who need to know? Are they understandable and available for anyone to reference? Are policies and procedures gathering dust? Is there too much bureaucracy? Are policies and procedures poorly written? Do users seem confused? Have you had incidents resulting from these shortcomings? If the answer to any of these questions is "yes," you need to examine program complexity.

The military concept of unity of command is a key concept. Ideally, the information security group should not be placed within the operations staff of a company's information resources group. Rather, it should be a special office with a direct link to the corporate Chief Information Officer, where it is not burdened with layers of administrative and operational bureaucracy. In world capitals, how well you are perceived and paid attention to depends on "where you stand" within the organization. Again, I refer back to my activities at the US House of Representatives. The Information Security Program Office was located immediately under the Chief Information Officer at the division level, right alongside the Client Support, Internet, Enterprise Computing, and Integration Groups. This gave the Security Group senior-level access across the entire IT organization while providing a clear, unfettered line of communication to the Chief Information Officer on sensitive issues. This level of interaction among the various division managers fostered a cooperative spirit between the Security Team and other divisions.
In too many environments, the security staff is located deep within the network services department, which bars it from fulfilling enterprise-level responsibilities. The staff's visibility is reduced to that of a "computer support" office. The security group must also be free to interact with various external organizations (ranging from law enforcement to other security teams and divisions within the company) without having to receive constant approval from above.