Placing Information Security within an Organization Chapter 5

Upload: kristopher-patterson

Post on 20-Jan-2016


Page 1: Placing Information Security within an Organization Chapter 5

Placing Information Security within an Organization

Chapter 5

Management of Information Security, 2nd ed. - Chapter 5

Slide 2

Option 1: IT Department

From Information Security Roles and Responsibilities Made Easy, used with permission.

Option 1: Information Technology

• Information Security Department reports to Information Technology Department
• CISO reports to CIO
• Advantages:
  – CIO has influence with Top Management
  – CIO understands information systems technological issues
  – Involves only one manager between CISO and CEO
  – Convenience: Information Security Department staff must daily spend time with Information Technology Department staff
• Disadvantages:
  – Resource allocation: conflict of interest between CISO and CIO
  – Implied conclusion that information security is strictly a technological issue, which is not the case

Slide 4

Option 2: Broadly Defined Security Department

From Information Security Roles and Responsibilities Made Easy, used with permission.

Option 2: Security

• Information Security Department (Information Protection Department) reports to the Security Department
• Advantages:
  – Facilitates communication with others who have both a security perspective and related security responsibilities
  – Establishes a longer-term preventative viewpoint for information security activities, which in turn lowers overall information security costs
• Disadvantages:
  – Information security function perceived to be primarily protective in nature, and therefore comparable to the Physical Security Department and the Personnel Security and Safety Department
  – Culture difference between information security and physical security functions:
    • Information security staff see themselves as high-tech workers
    • Physical security staff see themselves as participants in the criminal justice system
  – Budget for information security escalating vs. budget for physical security constant
  – Security Dept Manager a poor communicator to the CEO regarding information security; lacks appreciation of information systems technology
  – Indirectly communicates that the Information Security Department is a new type of police
  – Prevents the Information Security Department from establishing consultative relationships with other departments

Slide 6

Option 3: Administrative Services Department

From Information Security Roles and Responsibilities Made Easy, used with permission.

Option 3: Administrative Services

• Information Security Department reports to Administrative Services/Support Department
• CISO reports to VP Administration
• Advantages:
  – Only one middle manager between CISO and CEO
  – Acknowledges that information and information systems are found everywhere throughout the organization, and that all workers must work with the Information Security Department
  – Supports efforts to secure information in any form: paper, verbal, etc.
• Disadvantages:
  – VP Administration does not know much about information systems technology
  – Hampers efforts of VP Administration to communicate with CEO about information security

Desirable for organizations NOT highly information intensive, e.g. a chain of restaurants

Slide 8

Option 4: Insurance & Risk Management Department

From Information Security Roles and Responsibilities Made Easy, used with permission.

Option 4: Insurance and Risk Management

• Information Security Department reports to the Insurance and Risk Management Department
• CISO reports to Chief Risk Manager (CRM)
• Advantages:
  – Fosters an integrated risk management perspective – all risks prioritized and compared across the organization
  – Involves assessing potential losses and likelihood across all functional departments
  – Only one middle manager between CISO and CEO
  – Prevention oriented
  – Adopts a longer-term viewpoint
  – Engages CEO in intelligent discussions about risk acceptance, risk mitigation and risk transfer
• Disadvantages:
  – CRM often not familiar with information systems technology; may need extra coaching/background research from CISO to convey the message to CEO
  – Focus is strategic, so operational & administrative aspects of information security may not get the attention they deserve from CRM

Recommended for information-intensive organizations, e.g. banks, stock brokerages, telephone companies and research institutes

Slide 10

Option 5: Strategy & Planning Department

From Information Security Roles and Responsibilities Made Easy, used with permission.

Option 5: Strategy and Planning

• Information Security Department reports to the Strategy and Planning Department
• Advantages:
  – Information security function viewed as critical to success of organization
  – Involves only one middle manager between CISO and CEO
  – Supports the need for documented information security requirements (policies, standards, procedures)
  – Acknowledges multi-departmental and multidisciplinary nature of infosec tasks – risk analysis and incident investigations (also options 3 & 4)
  – Information Security Dept works with others sharing a scenario-oriented view of the world
  – Communicates that infosec is a management and people issue, not just a technological one
• Disadvantages:
  – Focus is strategic, and the operational and administrative aspects of information security may not get the attention they deserve from VP Strategy & Planning

Appropriate for an Internet merchant or credit card company – both critically dependent on success of the information security function.

Slide 12

Option 6: Legal Department

From Information Security Roles and Responsibilities Made Easy, used with permission.

Option 6: Legal

• Information Security Department reports to the Legal Department
• Emphasizes:
  – information is the asset of primary concern, not information systems
  – copyrights, patents, trademarks & related intellectual property protection mechanisms
  – contracts – nondisclosure agreements & outsourcing agreements – of importance
  – compliance – laws, regulations and ethical standards (privacy)
• Advantages:
  – Access to CEO through one middle manager – Legal Department Manager / Chief Legal Officer (CLO)
  – Legal Dept members comfortable with development of documentation – policies & procedures – to show the org is in compliance with the information security standard of due care
• Disadvantages:
  – Overemphasis on compliance – potential underemphasis on other aspects of infosec, e.g. access control administration
  – Could lead to compliance checking, creating a conflict of interest – as compliance checking should be performed by the Internal Auditing Department

Organizational structure for the future – information security increasingly mandated by law, regulated and affected by ethical standards