Developing the Corporate Strategy for Information Security - Report Example

Developing the Corporate Strategy for Information Security

1. a. Specific Functions of the Chief Information Security Officer (CISO)

A Chief Information Security Officer (CISO) is often assigned to perform vital functions within an organization. For example, the CISO needs to perform functions such as planning and development, management, and evaluation, while assessing and mitigating risks and ensuring the legal compliance of the policies and procedures adopted by an organization (State of California, 2008). The three specific functions performed by the CISO are described below.

Planning and Development

One of the prime functions of the CISO is to identify a yearly work plan in order to accomplish security objectives on a frequent basis, in alignment with the organizational strategic plan. Moreover, through this function the CISO is responsible for developing and implementing an efficient information security plan, strategy, standard or procedure within the organization (State of California, 2008).

Management

The CISO carefully conducts risk appraisal, supervises vital incidents through internal and external coverage, and introduces security-awareness education and training programs (State of California, 2008).

Evaluation

Evaluation is generally regarded as one of the major specific functions of the CISO. In this context, the CISO evaluates the efficiency of ongoing security operational procedures and monitors conformity with internal and external requirements in accordance with applicable laws, systems and policies, among others (State of California, 2008).

1. b. Competencies of CISO

It is essential for the CISO to possess both business management and technical security skills in order to develop a corporate strategy for information security. In this regard, the competencies of the CISO are described below.

Security Risk Management

One of the prime competencies of the CISO is effectively mitigating any potential security risks within an organization. In this regard, the CISO is responsible for creating a formal procedure to address potential security risks through effective coordination and control of activities, and for frequently conducting a formal vulnerability assessment of the organization (State of California, 2008).

Strategic Security Management

Another important competency of the CISO is providing management advice and appropriate recommendations for developing an organization's information security program. In this context, the CISO needs to maintain various security policies, processes and guidelines, and to monitor policy conformity with the established standards (State of California, 2008).

Regulatory and Standard Compliance

Ensuring that information security programs are implemented in accordance with common laws and regulations, and within the constraints of internal information security policies, is the other imperative competency of the CISO. This competency ultimately helps organizations raise their information security level to a greater extent (State of California, 2008).

2. a. Functions of a Chief Information Officer (CIO)

A Chief Information Officer (CIO) is fundamentally a job title given to the person who is responsible for developing computer systems and information technology (IT) programs that support an organization in attaining its expected business goals (United States Department of Homeland Security, 2008). The major functions of the CIO are discussed below.

IT Security Training and Awareness

The CIO is responsible for ensuring IT security training and awareness for employees, contractors and other users. Moreover, the CIO must ensure that employees are provided with the necessary training relating to their different areas of assignment (United States Department of Homeland Security, 2008).

Physical and Environment Security

The CIO recommends and participates in the selection of physical and environmental controls in order to evaluate the efficiency of such controls. Moreover, the CIO ensures that the designed policies and processes are capable of preventing damage to the organization's equipment and information assets to a significant level (United States Department of Homeland Security, 2008).

Information Security and Incident Management

The CIO also designs and executes the policies, processes and standards, among others, that are required to ensure compliance with applicable laws and regulations on the reporting and notification of information security incidents. In this regard, the CIO is responsible for obtaining the necessary approval for the implementation of an information security incident response plan (United States Department of Homeland Security, 2008).

Information System Acquisition Development and Maintenance

The CIO must ensure that the procedures, plans and standards are efficient enough to develop the corporate strategy of information security through the continual growth and maintenance of an effective information system. In addition, the CIO should actively participate in the development of feasibility studies and requests for proposals in order to verify that all information security related issues are addressed appropriately (United States Department of Homeland Security, 2008).

For instance, the CIO would execute the aforementioned functions within an organization by managing, designing and effectively evaluating new and emerging information security technologies.

2. b. Security Assurance

A security assurance process is typically concerned with the assessment of risks and incidents associated with planning, controlling, managing and evaluating different information systems (University College Dublin, 2012). An effective formal security awareness, training and education program will enable the CIO to achieve vital security assurances. The security assurances that the CIO can attain by developing a formal training, security awareness and education program are listed below.

Confidentiality

The CIO could attain the security assurance of confidentiality by assuring that only authorized people are permitted to access any valuable data related to information security (SANS Institute, 2005).

Integrity and Awareness

The CIO could also attain the security assurance of integrity as well as awareness while developing a formal security awareness, training and education program. In this regard, the CIO would have to ensure that the information broadcast over several networks is sufficiently secure and duly protected (SANS Institute, 2005).

2. c. Methods, Processes and Technologies Recommendation

By the effective utilization of modern tools, techniques and technologies that include 'responsive web design' along with 'search engine optimization', the CIO can certify the security functions as well as the data assets of an organization on a day-to-day basis. While utilizing these methods or technologies, the CIO must attend to two significant aspects: digital privacy control and security issues (Obama, 2011).

3. Impact of Digital Forensics Function

Digital forensics is responsible for implementing the techniques and processes that are used to preserve, analyze and present electronic evidence. Electronic evidence is the data that helps to reconstruct past actions or events relating to any policy breach or illegal activity. It has been observed that digital forensic functions ensure the authorized collection of data, the protection of sensitive data, and the control or prevention of any abusive activities related to information security (Nikkel, 2006). Considering this, the digital forensics function can complement the overall security efforts of an organization.

4. The Operational Duties of Digital Forensic Personnel

The operational duties of digital forensics personnel are to identify the readiness stage for ensuring effective operation and to develop infrastructure for supporting a particular investigation. Moreover, the personnel also perform the operational duty of securing the collected information relating to information security for a longer time period. The different operational duties performed by digital forensic personnel can help to qualify the integrity of forensic investigators within the enterprise and industry by integrating all processes, systems and technologies and by conducting investigations with minimum disruption of organizational activities (Grobler & Louwrens, 2007).

References

Ashraf, S. (2005). Organization need and everyone's responsibility information security awareness. Global Information Assurance Certification Paper, pp. 3-18.

Grobler, C. P., & Louwrens, C. P. (2007). Digital forensic readiness as a component of information security best practice. International Federation for Information Processing 232, pp. 13-34.

Nikkel, B. J. (2006). The role of digital forensics within a corporate organization. Retrieved from http://www.digitalforensics.ch/nikkel06a.pdf

Obama, B. (2011). Digital Government building a 21st century platform to better serve the American people. Retrieved from http://www.whitehouse.gov/sites/default/files/omb/egov/digital-government/digital-government.html

State of California. (2008). Guide for the role and responsibilities of an information security officer within state government. Retrieved from http://www.cio.ca.gov/ois/government/documents/pdf/iso_roles_respon_guide.pdf

United States Department of Homeland Security. (2008). Information technology (IT) security essential body of knowledge (EBK): a competency and functional framework for IT security workforce development. Retrieved from http://www.us-cert.gov/ITSecurityEBK/EBK2008.pdf

University College Dublin. (2012). Information security management policy. Retrieved from http://www.ucd.ie/t4cms/ucd%20information%20security%20management%20policy.pdf