3. Planning and implementation of risk controls - Development of mitigation strategies is often best performed at the unit level, where processes are understood most intimately and changes can be implemented more efficiently. The central governance body may be able to offer objective ideas for controls that have not been considered, but it should not dictate how the unit will achieve policy compliance.
4. Management, monitoring and ongoing measurement - Managing the controls once they are implemented is generally a unit-level function; monitoring and measuring the effectiveness of those controls, however, should be shared. While the business unit will want to monitor the results, the central governance group needs the same insight. Reliable, objective metrics will be required to assure senior leadership that the program is effective, and to ensure unbiased reporting, unit security personnel should have a reporting relationship to the central governance body.
Companies with similar products and customers across units will likely have a strong need for uniformity, and will naturally adjust their model toward more centralization. Conversely, those with diverse business models and dissimilar customers may have very different security requirements, and thus may lean toward a more distributed model by shifting more responsibility to the unit level.
No matter which model your organization chooses to adopt, senior leadership and the board of directors must stay involved. Management must communicate clearly that it values and embraces the InfoSec program to motivate the same response among staff. The responsible InfoSec group, whether at the corporate level or the unit level, can only be successful in their initiatives if constituents are held accountable for compliance with the program. Policy violations should be taken very seriously, and must have repercussions.
Further, the organization must be willing to be flexible and adjust the program based upon feedback and results. Solid information security programs don't just happen; organizations must take a well-considered, collaborative approach when deciding which model best meets their business objectives.
Audry Agle, CISSP, CBCP, MBA, is Vice President of Information Security for The First American Corporation. In her current role she is responsible for assisting in the development and maintenance of the corporation's information security program.