Developing the Corporate Strategy for Information Security - Assignment Example

? Developing the Corporate Strategy for Information Security The Chief Information Security Officer (CISO)’s functions within an organization a. Three (3) specific functions of a Chief Information Security Officer (CISO) Assessment of the Risk One of the several functions of a CISO is to assess the risks associated with the confidentiality obligations bestowed on the organization and its stakeholders based on mutual benefits. Accordingly, CISO needs to analyze the potential threats associated with various crucial information of the organization that might hamper the interests of the organization on the whole or that of its stakeholders (Whitman & Mattord, 2010; Homeland Security, 2007). Example: Implementation of this function in the organization can be done through the utilization of risk assessment tools in order to depict potential risks to information security. Management of the Risk Another vital function of CISO is managing the risks, which are interrelated with the functions of continuous assessment. Based on the results of the assessment, the officer is liable to develop strategies and plans in order to mitigate these threats (Whitman & Mattord, 2010; Homeland Security, 2007). Example: In an organization, this function can be accommodated by determining risk management strategies, having continuous monitoring of the organizational processes. Implementation of Designed Program Another vital function of CISO calls for proper implementation of the designed programs to ensure that the organizational strategies are applied in an ethical and hazard-free manner. This function of the officer is quite vital, as efficiency of the other functions tend to be highly depended on its proper execution (Whitman & Mattord, 2010; Homeland Security, 2007). Example: For the effective execution of this function, the CISO would need to utilize management techniques so that successful implementation of the organizational strategies can be assured. b. Three (3) competencies of CISO Access Control The CISO needs to be familiar with the standards that are obligatory in accessing control in the information. Furthermore, they should also have to comprehend the various factors that can assist them in designing an effective control plan. They must also have the competency to manage a control plan restricting inappropriate access to information that may hamper organizational interests either directly or indirectly (EC-Council, 2013; Homeland Security, 2007). Physical Security In accordance to this competency, CISO will need to be familiar with the standards, policies and laws associated with physical security. In this regard, it would also be vital for the CISO to determine the importance of such physical assets for any organization. Owing to this understanding, CISO will be able to gain the competency to manage and develop a coherent plan to ensure the overall information security within the organization (EC-Council, 2013; Homeland Security, 2007). Risk Management Mitigation as well as proper treatment of the threats being identified, is among the core competencies of CISO. In this regard, CISO should also need to be aware about the various resources that would be required towards determining proper risk management plan for the potential threats. It would be worth mentioning in this regard that successful mitigation of risk is directly dependent on this competency of CISO (EC-Council, 2013; Homeland Security, 2007). 2. The Chief Information Officer (CIO)’s functions within an organization a. Four (4) functions of CIO Manage A major function of a CIO is to determine the risks associated with information security of an organization. This can be done on the basis of facilitated understanding of policies and regulatory norms, related to managing the information. These functions will also include managing the strategic plans as well as programs associated with the information technology practiced within an organization (United States Dept. of Homeland Security, 2011; Homeland Security, 2007). Example: This function of a CIO can be executed within an organization with the understanding of its policies pertinent to information technology and execute them accordingly. Design In accordance with the aforementioned functions, the CIO is also held responsible to initiate security compliance program with regard to minimizing the depicted risks. This function of CIO will aim towards designing a receptive and reliable information security infrastructure within the organization (United States Dept. of Homeland Security, 2011; Homeland Security, 2007). Example: CIO can execute this process within an organization through the assessment of their data threat and develop plans of mitigation accordingly. Implement CIOs are also responsible to closely supervise the designed programs for security assurance. This function also binds the CIO to manage as well as provide a direction to the programs designed for information security (United States Dept. of Homeland Security, 2011; Homeland Security, 2007). Example: Within an organization, this function of CIO can be implemented with the help of management at the initial stage and later, with the participation of the staff members at every stage of the organization. Evaluate Another major function of the CIO is to assess the implemented programs and depict whether those comply with the standards, policies and regulatory norms of the organization. This particular function of CIO can also be considered as a review process, where the effectiveness of the implemented programs is ensured with utmost priority (United States Dept. of Homeland Security, 2011; Homeland Security, 2007). Example: Within an organization, this function can be executed through reviewing the performances of its implemented information security. b. Two (2) security assurances that could be achieved by the CIO developing a formal security awareness, training, and educational program Expectedly, Security Awareness, Training and Educational Programs are believed to be capable of assuring security up to a marginal extent. In this context, below are the listed two security assurances that a CIO can achieve by developing a formal security awareness, training, and educational program. i. Through training and education, CIO will be able to make employees and authorities more aware about the type of security threats identified to information, which will further make them more reluctant towards performing the tasks that can lead to such threats (United States Dept. of Homeland Security, 2011) ii. Through proper security awareness, training, and educational programs, CIO can ensure that all the employees possess the competencies to take requisite actions for restricting such occurrences, being adequately aware of their roles, responsibilities and obligations towards the information security issues (United States Dept. of Homeland Security, 2011). c. Suggestions Protecting Functions of Organization At the onset, the CIO should implement a security system that protects the day to day functioning of the organization. It is through improper and careless handling of day to day data that augment the threat to information security. So, it would be crucial for the CIO to have control on the day to day information dealing of enterprise (Whitman, 2012). Safe operation of Application It is apparent that most of the business transactions now-a-days are dependent on the use of Information Technology (IT). Moreover, improper functioning of these applications further augments the threat towards information data. Hence, the CIO should develop strategies of implementing trustworthy technologies so that the data threat could be minimized initially (Whitman, 2012). 3. Impact of digital forensics functions on security efforts of organization Digital forensics has become a vital part of security efforts in organizations. It involves the application of science with regard to recognizing, collecting as well as examining data to maintain integrity when taking security efforts. An organization also needs to maintain a strict supervision to secure confidential data in which, digital forensics play a vital role, along with other security measures. Computer crimes, involving data thefts, have become an evident scenario today. Contextually, digital forensics, along with other security programs comply with this particular scenario, where classified information of organization remains at high threat. It investigates the computer crimes and enables organizations to provide data to the court. Furthermore, it also helps organizations to recover information that are lost accidently. These facets affirms that digital forensic contribute towards balancing security efforts of any organization through collaborative operation with other security measures (Information Technology Laboratory, 2010). 4. Operational duties of digital forensics and its role in building integrity in investigation The operational duties of forensics are vital with regard to their integrity towards the investigation. In accordance, they must be able to coordinate with all the other members of the investigations including legal advisors and security managers. Furthermore, in investigations involving governmental as well as law enforcement groups, the digital forensic investigator will need to collect pertinent evidences of the cases irrespective of any external pressure. This will further as assist the CIO to maintain integrity throughout the investigation procedure. Operational duties of digital forensic professionals also include securing the data from various system vulnerabilities so that it does not get manipulated and the integrity of the investigation remains intact. Additionally, the professionals also have the obligation to ensure value of the investigation along with maximum accuracy. The professionals should take the responsibility wherever necessary and ensure reliability, validity as well as comprehensiveness of the investigation with utmost integrity. These approaches or duties performed with proper compliance, will certainly contribute towards maintaining the overall integrity of the investigation (United States Dept. of Homeland Security, 2011). 5. Three (3) technical resources of digital forensics professionals Multifunction Printer (MFP) It is among the most vital tools available for digital forensic personnel. It is mostly used in investigations where various evidences are available from more than one source. It is a network appliance that is organized on local information network practiced in the organization, which further ensures a secure, web-based analytical interface to all the computers of organization (Richard III & Roussev, 2006). Content-Based Image Retrieval (CBIR) Techniques Digital forensic personnel need to deal with crucial tasks of probing a large quantity of pictures with the intention to depict potential facts. In this regard, Content-Based Image Retrieval (CBIR) is a technical resource that can help them to perform this task. It is used to resolve queries related to contraband images as well as images of some known people. This system works by extracting as well as assimilating various features of images and investigating the same to conclude a result (Richard III & Roussev, 2006). Automated Video Summarization Through this technical resource, forensic department professionals attempt to extract certain crucial images from a live streaming video. Subsequently, these images extracted from the video can be processed and investigated through techniques of clustering of images, which further enables identification of the images witnessing security hazards (Richard III & Roussev, 2006). References EC-Council. (2013). Information security core competencies. Retrieved from http://www.eccouncil.org/ciso/dominion/core-competencies Homeland Security. (2007). IT security essential body of knowledge (EBK): a competency and functional framework for it security workforce development. Retrieved from http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2007-12/ISPAB_Dec7-BOldfield.pdf Information Technology Laboratory. (2010). Forensic techniques: helping organizations improve their responses to information security incidents. Retrieved from http://www.itl.nist.gov/lab/bulletns/bltnsep06.htm Richard III, G. G., & Roussev, V. (2006). Digital forensics tools: the next generation. Retrieved from http://cs.uno.edu/~vassil/pdf/nextgen-chapter Whitman, M. E., & Mattord, H. J. (2010). Management of information security. Boston: Cengage Learning. Whitman, M. E. (2012). Guide to network security, 1st ed. Boston: Cengage Learning. United States. Dept. of Homeland Security. (2011). Cybersecurity: the essential body of knowledge, 1st ed. Boston: Cengage Learning Read More