Placing Information Security within an Organization

Placing Information Security within an Organization Chapter 5

Management of Information Security, 2nd ed. - Chapter 5

Option 1: IT Department (organizational chart; from Information Security Roles and Responsibilities Made Easy, used with permission)

Option 1: Information Technology
The Information Security Department reports to the Information Technology Department; the CISO reports to the CIO.
Advantages:
- CIO has influence with top management
- CIO understands information systems technological issues
- Involves only one manager between CISO and CEO
- Convenience: Information Security Department staff must spend time daily with Information Technology Department staff
Disadvantages:
- Resource allocation: conflict of interest between CISO and CIO
- Implied conclusion that information security is strictly a technological issue, which is not the case

Option 2: Broadly Defined Security Department (organizational chart; from Information Security Roles and Responsibilities Made Easy, used with permission)

Option 2: Security
The Information Security Department (Information Protection Department) reports to the Security Department.
Advantages:
- Facilitates communication with others who have both a security perspective and related security responsibilities
- Establishes a longer-term, preventive viewpoint for information security activities, which in turn lowers overall information security costs
Disadvantages:
- Information security function perceived to be primarily protective in nature, and therefore comparable to the Physical Security Department and the Personnel Security and Safety Department
- Culture difference between the information security and physical security functions: information security staff see themselves as high-tech workers, while physical security staff see themselves as participants in the criminal justice system
- Budget for information security escalating while the budget for physical security stays constant
- Security Department manager is a poor communicator to the CEO regarding information security, lacking an appreciation of information systems technology
- Indirectly communicates that the Information Security Department is a new type of police
- Prevents the Information Security Department from establishing consultative relationships with other departments

Option 3: Administrative Services Department (organizational chart; from Information Security Roles and Responsibilities Made Easy, used with permission)

Option 3: Administrative Services
The Information Security Department reports to the Administrative Services/Support Department; the CISO reports to the VP Administration.
Advantages:
- Only one middle manager between CISO and CEO
- Acknowledges that information and information systems are found everywhere throughout the organization, and that all workers must work with the Information Security Department
- Supports efforts to secure information in any form: paper, verbal, etc.
Disadvantages:
- VP Administration does not know much about information systems technology
- Hampers efforts of the VP Administration to communicate with the CEO about information security
Desirable for organizations that are NOT highly information intensive, e.g. a chain of restaurants.

Option 4: Insurance & Risk Management Department (organizational chart; from Information Security Roles and Responsibilities Made Easy, used with permission)

Option 4: Insurance and Risk Management
The Information Security Department reports to the Insurance and Risk Management Department; the CISO reports to the Chief Risk Manager (CRM).
Advantages:
- Fosters an integrated risk management perspective: all risks are prioritized and compared across the organization
- Involves assessing potential losses and their likelihood across all functional departments
- Only one middle manager between CISO and CEO
- Prevention oriented
- Adopts a longer-term viewpoint
- Engages the CEO in intelligent discussions about risk acceptance, risk mitigation and risk transfer
Disadvantages:
- CRM often not familiar with information systems technology; may need extra coaching and background research from the CISO to convey the message to the CEO
- Focus is strategic, so the operational and administrative aspects of information security may not get the attention they deserve from the CRM
Recommended for information-intensive organizations, e.g. banks, stock brokerages, telephone companies and research institutes.

Option 5: Strategy & Planning Department (organizational chart; from Information Security Roles and Responsibilities Made Easy, used with permission)

Option 5: Strategy and Planning
The Information Security Department reports to the Strategy and Planning Department.
Advantages:
- Information security function viewed as critical to the success of the organization
- Involves only one middle manager between CISO and CEO
- Supports the need for documented information security requirements (policies, standards, procedures)
- Acknowledges the multi-departmental and multidisciplinary nature of infosec tasks such as risk analysis and incident investigations (also true of options 3 and 4)
- Information Security Department works with others who share a scenario-oriented view of the world
- Communicates that infosec is a management and people issue, not just a technological one
Disadvantages:
- Focus is strategic, and the operational and administrative aspects of information security may not get the attention they deserve from the VP Strategy & Planning
Appropriate for an Internet merchant or credit card company, both critically dependent on the success of the information security function.

Option 6: Legal Department (organizational chart; from Information Security Roles and Responsibilities Made Easy, used with permission)

Option 6: Legal
The Information Security Department reports to the Legal Department.
Emphasizes:
- Information is the asset of primary concern, not information systems
- Copyrights, patents, trademarks and related intellectual property protection mechanisms
- Contracts, such as nondisclosure agreements and outsourcing agreements, are of importance
- Compliance with laws, regulations and ethical standards (privacy)
Advantages:
- Access to the CEO through one middle manager: the Legal Department Manager / Chief Legal Officer (CLO)
- Legal Department members are comfortable with developing documentation (policies and procedures) to show the organization is in compliance with the information security standard of due care
Disadvantages:
- Overemphasis on compliance, with potential underemphasis on other aspects of infosec, e.g. access control administration
- Could lead to compliance checking, creating a conflict of interest, as compliance checking should be performed by the Internal Auditing Department
Organizational structure for the future: information security is increasingly mandated by law, regulated, and affected by ethical standards.