Security Basics mailing list archives

Re: Re: Who should the Information Systems Security Officer report to?


From: sfmailsbm () gmail com
Date: Fri, 2 Oct 2009 01:08:08 -0600

my 2 cents:

Understand what we are doing: Information Security vs Information Risk

We must understand the subtle difference between the two: are we doing pure IT Security work, i.e. focusing only on the 
technical issues and controls, e.g. patching, antivirus, root access, DBA access, etc., or are we considering a function 
that takes a holistic information risk management approach, one that takes on board all types of information 
assets (on PCs, servers, hardcopy), reviews the way they are being managed, identifies threats and vulnerabilities and recommends 
mitigating controls?

Info Risk Mgmt requires more involvement of the Business, since we are evaluating their business processes and 
recommending ways to secure the way they work, and ensuring the business takes 'ownership' of this risk and follows up until 
it is reduced to an acceptable level.

IT Security will liaise mostly with IT Admins to secure the technical infrastructure.


The way I see it, Info Risk Mgmt will require more management support to be successful than IT Security 
activities (although both may be done by the same team).

Mgmt support is needed to 'force' the business to take on board Information Risk tasks in addition to their day-to-day 
business, and this is not an easy thing to achieve.

Info Risk Mgmt needs an appropriate level of authority so that its recommendations are taken 'seriously'.

Hence, I would conclude that if there is a central Risk Management unit grouping all risk management bodies (e.g. credit 
risk, market risk, etc.), then Info Risk Mgmt should report to the head of that unit.

Otherwise, report to the CEO directly, since ultimately it is Top Management who is the owner of the organisation's 
information and its associated risk. In case of a security breach affecting customer data or financial data, it is 
Top Management who must ultimately answer!

hope this helps!

Ronish
