Responsibilities for IS
- responsibilities for information security span across the whole organization
- everyone dealing with information assets is responsible (or even accountable) for information security:
- programmer in it department is responsible for coding securely to maintain it and information security (responsible for sql injections)
- An employee in the sales department contributes to information security through sending encencrypted email about trademarks
- Top down approach, only effective with full management support
Information security is a process and everyone needs to be involved at all times
CISO
Central resource and primary responsibility for the assessment, management and implementation of information security within the Organization
- Often not at the executive level but should report directly to a board member with overall responsibility
- The CISO should not be part of the it department but be independent (it department wants to buy easier software which is easier to use but not secure)
- in smaller organizations, the CISO role may be combined with other roles -> potential for conflicts (Goals are different)
CISO responsibilities
- Drafts and approves information security policies
- Investigates information security incidents
- Works with the CIO on strategic plans. develops tactical plans, and works with security managers on operational plans
- sets priorities for information security projects and purchase and implementation of security technology based on available budget (prioritize projects)
- Acts as the spokesperson of the information security team
CIO
executive level position that oversees the organization’s computing technology and strives to create efficiency in the processing and access of the organization’s information
- > gives advice to CEO
- > translates company strategy into strategic information plans for the information systems or IT department
- > Works with subordinate managers to develop tactical and operational plans
- > ensures that projects are conducted, ensures proper management, pushes acceptance throughout the organization
Information Security Steering Committee
- is a working group to coordinate information security activities across the organization
- It is a cross section of individuals from the entire organization enterprise:
- > Board member with overall responsibility for information security
- > CISO
- > Stakeholders of information security (e.g. internal auditors, HR Managers)
- > those who carry significant responsibility for ensuring information security (e.g- security professionals, it managers)
- meets regularly to review current level of information security and plan future activities
Data Protection Officer
is responsible for ensuring an organizations adherence to laws and actions to protect individuals personal data
Responsibiliets
- > implements data protection measures and controls data protection compliance
- > Advocate for data protection throughout the organization
- > collaborating with authorities
conflict of interest with cio (data protection hinders information processing)
additional roles
it security manager
- > support CISO in large organizations
- > technical implementation of IT security
Project security managers:
- > one time nature of projects
- > responsible for information security in large projects
Audit and compliance group
- > evaluate current and target performance
- > policies, standards and legal requirements
But: IT manager not IT security Manager not Information Security manager (CISO)
Firm Networks
Third parties process information, offer support, services etc.:
an organization must have policies for third party arrangements:
- > ensure that appropriate controls have been put into place
- > third party must confirm that it complies with obligations
Third party may work with further subcontractors as well:
- > cambridge analytica
- > weakest link is where the chain will break
There is little sense in comprehensive and expensive protection of parts of network if other part of a network have low levels of security
