
The Need for Independence

Technology within an organization is normally headed by a Chief Technology Officer (CTO) or a Chief Information Officer (CIO). He is supported by IT managers; operations staff such as system administrators, database administrators, and network administrators; development staff such as programmers; support staff; and others, as relevant. Many organizations also assign information security responsibility to the same CTO/CIO role. In some organizations this may not create any significant conflict of interest, because of the maturity of the person, the size of the organization, or the maturity of others in the organization. In many organizations, however, the conflict of interest is real: a person lacking adequate maturity may not give adequate attention to information security because of the “confirmation trap or functional fixation”.5 He may also feel the need to cover up or avoid publicizing information security incidents in order to protect himself or his personnel, or to steer investment toward information technology tools rather than toward information security. We strongly feel that there should be a clear segregation of duties between IT and information security. We strongly advise that every organization have a role similar to Chief Information Security Officer (CISO) or Information Security Officer (ISO) to ensure effective independence and an unbiased view on information security. In our opinion, as organizations and their interfaces with the external world grow in complexity, segregation of duties in information security becomes as important as it is in other functional areas, including finance and human resources. This segregation of duties also provides an additional, independent viewpoint on the same aspect.

Specific Roles and Responsibilities

Ideally, successful implementation of information security follows a top-down approach with a clear commitment from the top, including the board of directors. If this is not the case, information security may be implemented only on paper, without much success at the ground level. Even though there is no uniformity in how various organizations have organized their information security related roles, organizations that are serious about implementing information security (rather than just showing the outside world or obtaining a certification) clearly assign specific roles that handle information security in earnest.

Audit Committee or Information Security Committee at the Board Level

If we take the top-down approach, we should have at the board level, either as part of an audit committee or as part of a separate information security committee, a board member responsible for looking into information security implementation at the organization level. She need not be a technology expert, but she should keep her ears and eyes open to the external world and assimilate the information security issues arising at the global level and at various organizational levels. She should be a person who is genuinely interested in information security and who asks the tough questions on any proposal for new information processing facilities, modifications to existing information processing facilities, new acquisitions of critical software with significant influence on the business, or any other information security aspect. These questions should not be asked for the sake of asking them, but with the seriousness of really understanding the information security risks the organization is undertaking at any point in time or is likely to undergo in the future. She should advocate at board meetings for information security and convince other board members of the need to fill the gaps related to it.

Information Security Sponsor or Champion

The CEO or the president of the organization has to demonstrate commitment to information security by personally being its sponsor or champion. This ensures that information security gets automatic buy-in in the organization once it is publicized that the CEO or the president is the champion of information security and takes it very seriously. It is not enough that such a person becomes a champion by designation or nomination; he must also take information security seriously and demonstrate it in practice. Such a role must lead by example. The role of the CEO or president as the information security champion or sponsor is primarily to:

• Promote the culture of information security in the organization

• Communicate strongly and sincerely the need for information security

• Appoint/assign other such roles so as to effectively implement information security within the organization

• Support the funding of information security projects

• Demonstrate a high commitment to information security

Chief Information Security Officer or Information Security Officer

There should be a senior person at the top management level, well empowered by the board, the CEO, or the president of the organization, to head the information security function: a Chief Information Security Officer or an Information Security Officer. Ideally the role of such a person is to:

• Understand the information security risks to the entire organization, including to the business, information processing facilities, IT environment, and physical environment, both from the external and internal perspective

• Ensure that the risk assessment is carried out and the risk mitigation plans are put into effect when necessary

• Guide the entire organization on the need for information security

• Determine appropriate policies in the context of various areas of relevance to information security

• Determine and publish various procedures or work instructions to implement the policies of relevance to information security

• Educate and motivate internal and external stakeholders, including the suppliers and contractors to effectively implement information security requirements

• Analyze information security incidents and take appropriate corrective action

• Ensure that personnel of the organization, suppliers, contractors, and customers as necessary are educated or are made aware of the means of ensuring information security

• Coordinate with external agencies/forums to understand the prevailing or possible information security issues

• Report the status of information security in the organization to the CEO, the president, or the Board, as required

For information security to be implemented successfully in the organization, the CISO/ISO has to consult with and involve other functional heads, including IT personnel, suppliers, contractors, and others. The greater the involvement of people at all levels, the greater the success of the implementation of information security in any organization. Periodic risk assessment, ongoing diligence, regular training of the staff on information security, and motivating staff and others to bring information security events to the organization's attention are very important items in this list of responsibilities. He should have a good reporting mechanism for security events and incidents, so that they get his requisite attention and appropriate corrective actions can then be determined.

Information Security Forum

We have seen that many organizations create a forum, usually known as the Information Security Forum, consisting of the CTO, the CISO, business representatives, and department/functional heads. Its purpose is to ensure a continuous exchange of information and discussion on the implementation of the various action plans for the information security risks the organization is facing at that point in time or is exposed to in the future. Business representatives are important constituents of this forum: they provide the business goals, explain how technology needs to enable the business, and state the business requirements for information security, thus providing a mandatory input for the planning and implementation of any effective information security system. Such a forum can be both educational and action oriented. Having such a forum increases buy-in for information security projects and action plans in the organization and provides a stronger, more positive push toward information security implementation. We strongly feel that such a forum needs to be created in every organization.

Information Security Specialists

The CISO/ISO should be assisted by independent security specialists, from outside or inside the organization. Their views should be heard with attention, considered adequately, and acted upon where found relevant, applicable, and useful. If their recommendations are not implemented, the CISO/ISO should be informed. They should be encouraged to form their own views and bring them to the table, and motivated to speak of current or potential issues. Being active on various relevant forums, they can bring new issues, or issues being discussed as potential ones, to the attention of the organizational CISO/ISO, so that, depending upon the relevance and severity of such issues, the organization can proactively decide on actions to avoid, deter, prevent, detect, research, investigate, and eliminate them. They also advise the CISO/ISO on technologies and products related to information security. Some of them can take roles such as security architect, security designer, or security auditor.

Project Managers

Each project manager in the organization, whether he manages an infrastructure project, an IT project, a software development project, or any other type of project, should always look for the information security risks he may be leading the organization into and take whatever risk mitigation action is necessary. Thinking about information security risks should be an integral part of project management from the initial planning stage and should continue throughout the life cycle, through the design and development phases, until the successful completion of the project. Interestingly, this is one of the controls newly introduced by the recent revision of Information security management systems – Requirements (ISO 27001:2013, control A.6.1.5).2 The need for this change is underlined by the Frost & Sullivan market survey on information security (sponsored by (ISC)2 and prepared by Robert Ayoub, CISSP, Global Program Director), in which 73% of respondents identified application vulnerabilities as one of the top security issues.11

Data Owners

Data owners should decide who needs access to which data. Restriction of, or access to, data may also arise from an agreement with the concerned customers. Data owners should regularly review the access granted to users and check that it is still relevant, so that the applications and people accessing, modifying, or deleting the data do so appropriately and as per the business requirements.

Data Custodians

Data custodians are not the owners of the data but are designated as its custodians by their job roles; database administrators are a typical example. They have access to the entire set of data, but have to be very careful that such access is used only as their role requires, and primarily to preserve the confidentiality, integrity, and availability of the data for the rightful, authorized persons. They should act on access requests only with the approval of the data owners, and they should exercise caution and due diligence in all their activities.

Users of the data

Users of the data bear a large share of the responsibility for protecting information. They should be guided by their terms of access and their need for access, and should access only the data relevant to completing their assigned roles and responsibilities. They should follow all the policies, procedures, work instructions, and guidelines that protect information security. They should take information security seriously and be vigilant, ensuring that others too do not violate these policies, procedures, work instructions, and guidelines. The main roles and their important responsibilities are summarized in Table 3-4.

Table 3-4. Important information security roles and responsibilities

Role / Responsibility

Audit Committee of the Board
• Advocate for information security at the board level and convince other board members of its importance
• Bring sufficient focus on information security aspects into the various decision-making processes

Information Security Champion or Sponsor
• Promote the culture of information security within the organization
• Assign/appoint appropriate roles to effectively support information security
• Promote strongly and sincerely the need for information security

CISO
• Ensure proper risk assessment and determination of appropriate controls
• Ensure the definition of appropriate policies, procedures, and processes
• Coordinate with other agencies and forums to understand threats to information security
• Report the status of information security to the management
• Motivate and train employees, contractors, and suppliers on information security do's and don'ts

Information Security Forum
• Ensure collaboration across all functions/departments, including business
• Ensure a focus on the execution of information security across the organization

Information Security Specialists
• Provide an unbiased and frank opinion on current or potential risks related to information security
• Assist the CISO in an effective understanding and implementation of information security requirements, risks, architecture, products, and technology

Project Managers
• Consider information security related risks and mitigate them throughout the project life cycle

Data Owner
• Understand the characteristics and sensitivity of the data and grant or restrict access appropriately
• Periodically review the access granted to ensure its continued appropriateness

Data Custodian
• Ensure the safety of the data and act as per the directions of the data owners

Users of the Data
• Ensure that data is used only for the purposes for which it is intended
• Follow all the policies, procedures, and processes diligently to ensure the security of information assets

Authority for Information Security

Appropriate empowerment or authority should be vested in each of the above roles for them to be effective. In particular, the CISO or the ISO should have the authority to stop any activity that is going to lead the organization into severe information security lapses or issues. Everyone in the information security forum should have the authority to demand information security, primarily to protect the business, its customers, and its partners. Information security specialists in the organization should have the authority to demand that they be heard. Such authority should be vested in these roles by the board, the CEO, or the president of the organization and communicated clearly across the organization.
