Building a World-Class Information Security Department - Research Paper Example

Summary
"Research Building a World-Class Information Security Department" paper argues that the new information security department will signal a major shift from the normal security arrangements of the organization. It will usher in a new template in data security through its direct and dynamic approach. …

Extract of sample "Building a World-Class Information Security Department"

Research “Building a World-Class Information Security Department.”

7 Critical Elements necessary to build my Organization

i) Policy and Compliance

In recent years, many organizations have realized that it is illogical to adhere to individual regulations and build their security programs based on regulatory standards (Axelrod, Jennifer & Daniel Schutzer 26). This area will be primarily focused on considering all the regulatory, corporate, legal, and third-party security needs and then harmonizing and consolidating them into one security and policy framework. It will be much easier to have a single framework, customize it to individual requirements, and then seal any remaining loopholes as appropriate. I would employ SIM or GRC tools to harmonize, analyze, and report on compliance and policy.

ii) System Policies and Architecture

As soon as the corporate security and risk framework has been established, it will be mapped into lower-level procedures for the implementation teams. The policies and architecture team will be required to not only construct the architecture but also help in managing and monitoring compliance with architecture and system policies.

iii) Program Management

This area will be focused on the management of projects and resources for the information security group. It will be harnessed to ensure that necessary resources are assigned to projects and that timelines, service levels, and commitments from the security team are met. It will also be used to ensure that personnel are well-equipped and trained to execute their duties.

iv) Business Liaison

The security team and its programs must be aligned to business requirements and needs; this will help in ensuring that oversight and governance are complied with (Dhillon 24).
Many organizations have special security liaisons in the business, but their responsibilities are usually not a formal component of their job descriptions, or if they are, other operational duties take precedence over this bit-part role. I will have a designated business liaison for every significant business segment, or at least make it a significant part of the job responsibility, so that these people are able to spend enough time knowing and responding to business requirements and needs.

v) Security Implementation

This area will be focused on and emphasized in order to ensure that security technologies and tools are employed in the current environment in accordance with architectural needs. In addition, this area will ensure that IT operations management tools and custom applications being deployed, such as log management and network management, have appropriate and adequate security built into them. For instance, there may be applications where access control is very important to guarantee network management tools that monitor bandwidth and corporate IP protection that serve as the core means for good user policy enforcement.

vi) Metrics, Reporting and Measurement

The expectations for logical metrics and reporting keep increasing as information security continues maturing as a discipline (Tipton & Krause 41). It is insufficient to tell the CEO that 30,000 spam messages are blocked every week; the department will be expected to articulate how security contributes to the realization of the organization’s goals. For instance, a CISO (chief information security officer) created a secure online program for an organization, which in turn brought in an additional $350 million of revenue in 3 years for the organization. Rather than choke the organization in operational metrics, a security metrics program will be built that measures the operational factors and then translates them into logical metrics for the organization.

vii) Infrastructure Security and Device Monitoring and Management

This area will include and involve the following: managing the security components of infrastructure elements like networks, workstations, and servers; managing system weaknesses by creating and implementing the patch management process and carrying out network scans; ensuring that configurations of the security infrastructure (e.g. intrusion detection systems, intrusion prevention systems, and firewalls) adhere to security policies and are deployed in accordance with the architectural needs; and managing the security of remote workers and endpoints (Wylder 48).

Hiring Strategy for Directors, Managers, Individual Contributors (e.g. Specialists – IDS engineer, system administrator, etc.)

Directors, managers, and individual contributors (e.g. specialists – IDS engineer, system administrator, etc.) will be hired strictly on merit, individual ability, and experience. They will be subjected to stricter and more complex recruitment procedures. Aptitude tests and other measures of individual ability will be employed.

Use of Contractors

Contractors will be hired depending on the nature of a problem and the timeframe for its resolution. Internal expertise will be favored at all times and the right personnel will be drawn from within the organization. Contractors will be required in situations involving complex problems that require quick resolutions, more expertise, or more personnel (Whitman & Mattord 57).

Off-shoring Talent

The policy is to hire and make as much use of domestic expertise as possible, unless very talented individuals are identified, in which case the organization will move swiftly to recruit them.

Reporting Structure within the Corporation

Who Information Security reports to and why

The CIO/CISO reports to the CEO.
This is because the CEO and the board are becoming increasingly concerned about the effectiveness of the organization’s security controls, and because security is growing in importance and requires more funding so as to give the organization a comfortable environment in which to operate. Without adequate security arrangements the organization will simply not run (Straub, Seymour & Baskerville 38).

Ensuring proper Span of Control

Each and every member of staff must perform his/her duties to the letter. Delegation will only be tolerated if it is done in a responsible and considerate manner; therefore all members of staff should know their duties and exercise their powers as expected. Anyone who oversteps his/her authority will face the appropriate disciplinary measures, and delegation of extra duties must be accompanied by valid and logical reasons.

Dealing with Vendor Management

An automated vending system will be developed and employed in the management of all vending transactions. This will make it easier for not just the person directly responsible but also other members of staff to know what is going on in terms of vendor management.

Dealing with Regulators, Internal Audit, and External Consultants

All regulators, internal audit, and external consultants will be given the adequate space and time they require to perform their work. The organization complies with the necessary regulations and is therefore comfortable with audits and compliance checks. External consultants will also be allowed to outline how they believe they will benefit the organization prior to being hired for their services.

Timeframe and Criteria to ensure the success of the new Information Security Department

The new information security department is expected to be fully operational within 6 months; this is sufficient time for preparation in terms of planning, recruitment, and budgeting.
The criteria for ensuring success will involve the following:

a) Sound, effective and appropriate operations policies have been formulated to guide the operation of the department; they must be complied with at all times.
b) Proper budgeting and control over all financial aspects of the department.
c) Good, relevant, and effective human resource management policies have been formulated; they must also be complied with.

Proposed Solution

The new information security department will be guided by sound and effective policies, and managed by adequate, highly qualified, dynamic, and knowledgeable staff. This will allow it to perform its duties as expected and help the organization move forward by providing it with a secure platform for growth and expansion. The department will be expected to handle all the current, potential, and future security concerns of the parent organization.

Conclusion

The new information security department will signal a major shift from the normal security arrangements of the organization. In addition to this, it will usher in a new template in data and information security through its direct and dynamic approach to the resolution of security concerns. It is therefore a necessity that will more than compensate for the time and funds required to create and maintain it.

Works Cited

Axelrod, C. Warren, Jennifer L. Bayuk, & Daniel Schutzer. Enterprise information security and privacy. Boston: Artech House, 2009. Print.
Dhillon, Gurpreet. Information security management global challenges in the new millennium. Hershey, Pa.: Idea Group Pub., 2001. Print.
Straub, Detmar W., Seymour E. Goodman, & Richard Baskerville. Information security policy, processes, and practices. Armonk, N.Y.: M.E. Sharpe, 2008. Print.
Tipton, Harold F., & Micki Krause. Information security management handbook. 5th ed. London: Taylor & Francis e-Library, 2005. Print.
Whitman, Michael E., & Herbert J. Mattord. Principles of information security. Boston, Mass.: Thomson Course Technology, 2003. Print.
Wylder, John. Strategic information security. Boca Raton, Fl.: Auerbach Publications, 2004. Print.