Security Basics mailing list archives
Re: Who should the Information Systems Security Officer report to?
From: Dan Anderson <dan-anderson () cox net>
Date: Wed, 30 Sep 2009 14:42:07 -0500
Hi,

On Wed, Sep 30, 2009 at 11:15 AM, Jens C. Laundrup <laundrup () verizon net> wrote:

> I agree that there should be a dotted line to the Board, but I disagree with the Chief Legal Officer/Counsel. Typically, Compliance falls under the Chief Legal Officer, which would create a conflict of interest; Audit falls under the CFO, which would also create a conflict of interest. Thus, the CIO is not a bad spot for the CISO/ISSO, or the CISO/ISSO should work for a Chief Security Officer who would be a peer of the CIO, CFO and Chief Legal Officer/Counsel.

I'm not sure we share a common definition of "conflict of interest". A conflict of interest in this situation is when you have someone in charge of a function that their interests may run counter to. A classic example is when security works for the CIO. The CIO's role is often primarily motivated by IT strategy, implementation, cost and timeliness of delivery, which can run counter to the security needs of a system/organization. In my experience, CIOs often "manage to their motivation" and brush aside security concerns as "something we will come back to".

Compliance and audit more often have goals/interests that are well aligned with security - not in conflict.

The CSO/CISO should be a peer to the CIO. Barring that, IMO, Audit, Ethics or Legal are better options than the CIO. Reporting directly to the board may be excessive unless the CIO reports there. The CEO should be able to manage their company, and you don't enable that by having everyone report directly to the board.

Dan