Placing Information Security within an Organization


1 Placing Information Security within an Organization
Chapter 5

2 Option 1: IT Department
(Organization chart: Information Security Department placed under the Information Technology Department. From Information Security Roles and Responsibilities Made Easy, used with permission.)
Management of Information Security, 2nd ed. - Chapter 5

3 Option 1: Information Technology
The Information Security Department reports to the Information Technology Department; the CISO reports to the CIO.
Advantages:
- The CIO has influence with top management
- The CIO understands information systems technology issues
- Only one manager sits between the CISO and the CEO
- Convenience: Information Security Department staff must spend time with Information Technology Department staff daily anyway
Disadvantages:
- Resource allocation: conflict of interest between the CISO and the CIO, who compete for the same budget
- Implies that information security is strictly a technological issue, which is not the case

4 Option 2: Broadly Defined Security Department
(Organization chart: Information Security Department placed under a broadly defined Security Department. From Information Security Roles and Responsibilities Made Easy, used with permission.)

5 Option 2: Security
The Information Security Department (Information Protection Department) reports to the Security Department.
Advantages:
- Facilitates communication with others who have both a security perspective and related security responsibilities
- Establishes a longer-term, preventive viewpoint on information security activities, which in turn lowers overall information security costs
Disadvantages:
- The information security function is perceived to be primarily protective in nature, and therefore comparable to the Physical Security Department and the Personnel Security and Safety Department
- Culture difference between the information security and physical security functions: information security staff see themselves as high-tech workers, while physical security staff see themselves as participants in the criminal justice system
- The budget for information security keeps escalating while the budget for physical security stays constant
- The Security Department manager is a poor communicator to the CEO about information security, lacking an appreciation of information systems technology
- Indirectly communicates that the Information Security Department is a new type of police
- Prevents the Information Security Department from establishing consultative relationships with other departments

6 Option 3: Administrative Services Department
(Organization chart: Information Security Department placed under the Administrative Services Department. From Information Security Roles and Responsibilities Made Easy, used with permission.)

7 Option 3: Administrative Services
The Information Security Department reports to the Administrative Services/Support Department; the CISO reports to the VP of Administration.
Advantages:
- Only one middle manager sits between the CISO and the CEO
- Acknowledges that information and information systems are found everywhere throughout the organization, and that all workers must work with the Information Security Department
- Supports efforts to secure information in any form: paper, verbal, etc.
Disadvantages:
- The VP of Administration does not know much about information systems technology
- This hampers the VP of Administration's efforts to communicate with the CEO about information security
Desirable for organizations that are NOT highly information intensive, e.g. a chain of restaurants.

8 Option 4: Insurance & Risk Management Department
(Organization chart: Information Security Department placed under the Insurance and Risk Management Department. From Information Security Roles and Responsibilities Made Easy, used with permission.)

9 Option 4: Insurance and Risk Management
The Information Security Department reports to the Insurance and Risk Management Department; the CISO reports to the Chief Risk Manager (CRM).
Advantages:
- Fosters an integrated risk management perspective: all risks are prioritized and compared across the organization
- Involves assessing potential losses and their likelihood across all functional departments
- Only one middle manager sits between the CISO and the CEO
- Prevention oriented
- Adopts a longer-term viewpoint
- Engages the CEO in intelligent discussions about risk acceptance, risk mitigation and risk transfer
Disadvantages:
- The CRM is often not familiar with information systems technology and may need extra coaching or background research from the CISO to convey the message to the CEO
- The focus is strategic, so the operational and administrative aspects of information security may not get the attention they deserve from the CRM
Recommended for information-intensive organizations, e.g. banks, stock brokerages, telephone companies and research institutes.

10 Option 5: Strategy & Planning Department
(Organization chart: Information Security Department placed under the Strategy and Planning Department. From Information Security Roles and Responsibilities Made Easy, used with permission.)

11 Option 5: Strategy and Planning
The Information Security Department reports to the Strategy and Planning Department.
Advantages:
- The information security function is viewed as critical to the success of the organization
- Only one middle manager sits between the CISO and the CEO
- Supports the need for documented information security requirements (policies, standards, procedures)
- Acknowledges the multi-departmental and multidisciplinary nature of information security tasks such as risk analysis and incident investigations (as do options 3 and 4)
- The Information Security Department works with others who share a scenario-oriented view of the world
- Communicates that information security is a management and people issue, not just a technological one
Disadvantages:
- The focus is strategic, so the operational and administrative aspects of information security may not get the attention they deserve from the VP of Strategy and Planning
Appropriate for an Internet merchant or a credit card company, both of which are critically dependent on the success of the information security function.

12 Option 6: Legal Department
(Organization chart: Information Security Department placed under the Legal Department. From Information Security Roles and Responsibilities Made Easy, used with permission.)

13 Option 6: Legal
The Information Security Department reports to the Legal Department.
Emphasizes:
- Information, not information systems, is the asset of primary concern
- Copyrights, patents, trademarks and related intellectual property protection mechanisms
- Contracts, in particular nondisclosure agreements and outsourcing agreements
- Compliance with laws, regulations and ethical standards (e.g. privacy)
Advantages:
- Access to the CEO through one middle manager, the Legal Department manager / Chief Legal Officer (CLO)
- Legal Department members are comfortable developing documentation (policies and procedures) to show that the organization meets the information security standard of due care
Disadvantages:
- Overemphasis on compliance, with a potential underemphasis on other aspects of information security, e.g. access control administration
- Could lead the department into compliance checking, creating a conflict of interest, since compliance checking should be performed by the Internal Auditing Department
A likely organizational structure for the future: information security is increasingly mandated by law, regulated, and affected by ethical standards.
