Security Basics mailing list archives

Re: Re: Who should the Information Systems Security Officer report to?


From: MAlMozaiyn () alfransi com sa
Date: Tue, 14 Sep 2010 09:22:25 +0300

Hello,

A new (small) organisation may start by having Info-Sec as a function within IT.
As the maturity level rises (and perhaps size grows), Info-Sec should no
longer be within IT but should report to a CCO (Chief Control Officer).
Furthermore, considering the same growth (maturity) factors, it might
become an independent entity that reports directly to the CEO (Chief Executive
Officer), and its head becomes a CSO (Chief Security Officer) or CIPO
(Chief Information Protection Officer).

Thanks and regards,
Mohammed Almozaiyn, CISSP, GCIH
Senior Security Analyst
———————————————————


From:    sfmailsbm () gmail com
To:      security-basics () securityfocus com
Date:    11-09-2010 12:57 AM
Subject: Re: Re: Who should the Information Systems Security Officer report to?
Sent by: listbounce () securityfocus com

my 2 cents:

Understand what we are doing: Information Security vs Information Risk

We must understand the subtle difference between the two: are we doing pure
IT Security work, i.e. focusing only on the technical issues and
controls, e.g. patching, antivirus, root access, DBA access, etc., or are we
considering a function which takes a holistic information risk
management approach that takes on board all types of information assets (on
PC, server, hardcopy), reviews the way they are being managed, identifies threats
and vulnerabilities and recommends mitigating controls?

Info Risk Mgmt requires more involvement of the Business, since we are
evaluating their business processes and recommending ways to secure the way
they work, and ensuring the business takes 'ownership' of this risk and
follows up until it is reduced to an acceptable level.

IT Security will liaise mostly with IT Admins to secure the technical
infrastructure.


The way I see it, Info Risk Mgmt will require more management
support to be successful than IT Security activities (although both may be
done by the same team).

Mgmt support is needed to 'force' the business to take on board Information
Risk tasks in addition to their day-to-day business, and this is not
easy to achieve.

Info Risk Mgmt needs an appropriate level of authority so that its
recommendations are taken 'seriously'.

Hence, I would conclude that if there is a central Risk Management unit
grouping all risk management bodies (e.g. credit risk, market risk, etc.),
then Info Risk Mgmt should report to this person.

Else, report to the CEO directly, since ultimately it is Top Management who
is the ultimate owner of the organisation's information and its associated
risk. In case of a security breach affecting customer data or financial data,
it is Top Management who must ultimately answer!

hope this helps!

Ronish
