Security Basics mailing list archives
Re: Re: Who should the Information Systems Security Officer report to?
From: MAlMozaiyn () alfransi com sa
Date: Tue, 14 Sep 2010 09:22:25 +0300
Hello,

A new org (small org) may start by having Info-Sec as a function within IT. As the maturity level rises (and perhaps size grows), Info-Sec should no longer be within IT but report to the CCO (Chief Control Officer). Furthermore, considering the same growing (maturity) factors, they might become an independent entity that reports directly to the CEO (Chief Executive Officer), and their head becomes a CSO (Chief Security Officer) or CIPO (Chief Information Protection Officer).

Thanks and regards,
Mohammed Almozaiyn, CISSP, GCIH
Senior Security Analyst

———————————————————

From: sfmailsbm () gmail com
To: security-basics () securityfocus com
Date: 11-09-2010 12:57 AM
Subject: Re: Re: Who should the Information Systems Security Officer report to?
Sent by: listbounce () securityfocus com

My 2 cents:

Understand what we are doing: Information Security vs Information Risk.

We must understand the subtle difference between the 2. Are we doing pure IT Security stuff, i.e. focussing only on the technical issues and controls, e.g. patching, antivirus, root access, DBA access, etc.? Or are we considering a function which takes a holistic information risk management approach that takes on board all types of information assets (on PC, server, hardcopy), reviews the way they are being managed, identifies threats and vulnerabilities and recommends mitigating controls?

Info Risk Mgmt requires more involvement of the Business, since we are evaluating their business processes and recommending ways to secure the way they work, and ensuring the business takes 'ownership' of this risk and follows up till it is reduced to an acceptable level.

IT Security will liaise mostly with IT Admins to secure the technical infrastructure.

The way I see it is that Info Risk Mgmt will require more management support to be successful than IT Security activities (although both may be done by the same team). Mgmt support is needed to 'force' the business to take on board Information Risk tasks, in addition to their day-to-day business, and this is not easy stuff to achieve. Info Risk Mgmt needs an appropriate level of authority so that their recommendations are taken 'seriously'.

Hence, I will conclude that if there is a central Risk Management unit grouping all risk management bodies (e.g. credit risk, market risk, etc.), then Info Risk Mgmt should report to this guy. Else report to the CEO directly, since ultimately it is Top Management who is the ultimate owner of the organisation's information and its associated risk. In case of a security breach affecting customer data or financial data, it is Top Management who must ultimately answer!

Hope this helps!

Ronish