Re: Who should the Information Systems Security Officer report to?

[Mike Kizerian <security () kizerian net>]

The CISSP material suggests that a CISO should report to the CEO.

Security touches every aspect of business and it is important that  
someone with that knowledge has the CEO's ear.  He/She should be at  
meetings with the other 'C' level execs to ensure that all aspects of  
the business have the appropriate security considerations.

--
Mike Kizerian, GPEN, GCFA
210.218.9750
mike () kizerian net






On Sep 30, 2009, at 1:42 PM, Keith Tomler wrote:

> Thanks for the feedback.
>
> Four (4) people think the Informations System Security Officer should
> report to the CIO.
>
> Six (6) people think otherwise (responses include The Board of
> Trustees, CEO, CSO (who is a peer of the CIO), and CIA (Chief of
> Internal Audit)).
>
> But as the ISSO, you are technically reporting on an area that is
> under the governance of the CIO.
> If the CIO bottom lines your eval, doesn't this effect objectivity and
> impartiality?
>
> I tried to find a best practice, but the best I could find were ISACA
> articles that said:
>
> "..."The CISO’s domain has traditionally been the IT function, usually
> reporting to the CIO or another senior IT manager. The broadened focus
> on information security has begun to alter this reporting line. The
> CISO now often reports to a business function such as the chief
> financial officer or chief operating officer, or occasionally directly
> to the CEO.  Another increasingly common line of reporting is to the
> chief risk officer..."
>
> However, this article was over two years old.  A separate (but
> undated) article on ISACA said:
>
> "...Information security should have an independent reporting
> structure to ensure that concerns, accomplishments and views on
> governance are properly represented to those ultimately responsible to
> the stakeholders..."
>
> If you were setting up shop today, who would you have the ISSO/CISO  
> report to?
>
> Thanks again.
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs  
> an SSL certificate.  We look at how SSL works, how it benefits your  
> company and how your customers can tell if a site is secure. You  
> will find out how to test, purchase, install and use a thawte  
> Digital Certificate on your Apache web server. Throughout, best  
> practices for set-up are highlighted to help you ensure efficient  
> ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------