Security strategy and legislation [CISMP]

Putting the information assurance programme into practice

The Pareto principle states that, for many outcomes, roughly 80% of consequences come from 20% of causes.

This rule is also known as the '80/20 rule' or the 'law of the vital few'. You will see in this section on the implementation process that you are always searching for the most benefit in the shortest possible time, so a rule like the 80/20 rule can help you choose what to focus on first and get the best return on your time and resources. Try to keep this in mind throughout the process, from the audit to the baseline and on to treating the actual risks.

An example of the 80/20 rule can be seen in computing, where Microsoft noted that fixing the top 20% of the most-reported bugs would eliminate 80% of the related errors and crashes in a given system. This kind of insight can be invaluable when dealing with risk and achieving the best results in the shortest possible time.

Planning and control

Planning should be the focus of the initial stages of an implementation programme. Creating a realistic plan will ensure the management team buys into what the organisation is trying to achieve before it is implemented. The project should start with an audit of the existing systems and infrastructure so that the baseline is as accurate as possible. This will help identify which aspects of the implementation programme carry the highest risk. The plan should be structured so that the organisation gains the most benefit in the shortest time frame, so tasks should be undertaken in order of importance. This order should be set by the management board and be focused on risk reduction.

The information assurance manager is responsible for the outcomes of the programme and, therefore, should set the tasks and define the controls. As you know, they should focus on the issues which will give the company the greatest improvement in the shortest possible time, with the focus on risk reduction.

Skilled project manager

Implementation of the project should be managed by a skilled project manager, either from within or outside the organisation. Again, optimisation of time and resources is key to getting the best result, and a skilled PM can make sure that this happens.

The goals of the programme will have been set in the analysis phase, based on the governance, compliance and organisational requirements as they relate to information handling and security. The first of the other areas that then needs to be established is the baseline. An accurate, thorough audit will show exactly where the organisation is in its journey towards optimised risk reduction, and will show the strengths and weaknesses of the existing system. This provides a complete context, showing the scale of the task and the changes needed. With this as a clear orientation and starting point, the right plan can be created accurately and efficiently.

Identifying the controls

Once you have established the baseline and seen the areas which need attention, you then need to identify the individual controls to be deployed and what each involves, for example, resources, technology, purchasing, integration, testing and installation.

Having done these things, you are in a good position to begin distributing tasks and responsibilities to the relevant members and departments. As you will see, there are many interested parties, so you need to involve them in the most positive and useful way, and in the best interests of the project and the company.

Useful theories or formulas

Do you think the Pareto principle is a useful theory? 

Do you use any kind of formula(s) or rule of thumb like this? What are they? 

What's next?

You have looked at project implementation in this article; next you will be examining project workstreams and the importance of stakeholder involvement.

The next module focuses on the stakeholders, personnel and documentation that go into implementing the organisation's information assurance programme.

About the Author
Learning Paths