The Rookie Chief Information Security Officer - Term Paper Example

The paper "The Rookie Chief Information Security Officer" states that risk can be controlled through avoidance, sharing, reduction and retention. Avoidance means that individuals fail to participate in any business involving risks. Reduction means taking mitigation measures…

Extract of sample "The Rookie Chief Information Security Officer"

Chief Information Security Officer Report

Part 1: Organization Chart

i. Roles Required to Ensure Design, Evaluation, Implementation and Management of Security Programs

In the implementation of new information security procedures and policies, the finance, human resource, security and operations departments need to work together. The board of directors must hold a meeting in which all managers present their opinions. Involvement of every department is necessary and crucial because each department needs security. A security breach can occur in any department, and managers and employees in each department should comply with the security policies and procedures. The human resource management department, finance department and operations department should present the security challenges they face (Cullen, 2011). The IT Compliance Officer, Security Officer, Privacy Security Personnel and IT Security Engineer should also present the problems faced in their daily duties. The report from each office and department should be presented to the Chief Information Security Officer for evaluation. The Security Manager and CISO will use the reports to implement policies and procedures which ensure sufficient security in the organization. After evaluating the reports, they will recommend the applicable points and discard points which will not lead to improvement of security. They will apply professional ethics and draft other policies left out by the departments. After completion, they will forward the draft to the General Manager. The GM will forward it to the Board of Directors, who will hold a meeting with the Security Manager and CISO to evaluate each policy and procedure. After evaluation, the board of directors will sign the draft for approval. Then the security department will ensure that each employee in every department has a copy of, or is aware of, the policies.
The security department will also ensure sufficient training for all departments to create awareness of the security policies among employees. The employees will help in reinforcing the policies (Neil, 2009).

ii. Reporting Structure

A chain of command will ensure smooth running of the organization. Each employee will report to the person next in command. The organizational chart above represents the reporting channel. Security guarding and escort services will be provided by a contracted guard force. Guards will provide physical security services, public relations services, and patrol and escort services. Guards will ensure sufficient security for the organization's assets and employees. They will assist customers visiting the organization by showing them the location of offices. The guards will be managed by their supervisor, who will report directly to the Security Officer. The Security Officer will be responsible for maintenance of physical security. He/she will ensure that the contracted guard force maintains discipline and ethics (Mark, 2007). He/she will also check and record the available assets each day and carry out an investigation in case of theft. The Security Officer will report directly to the CISO. The IT Security Engineer and the IT Security Compliance Officer will work to ensure that the information technology devices are maintained. They will ensure the hardware and software are maintained. They will evaluate the effectiveness of each device. They will provide a report in case of damage, loss or change of devices. They will report directly to the CISO. The Privacy Security Professionals, or Investigation Officers, will investigate theft, fraud and employee dishonesty. They will carry out investigations in cases of asset theft, cash theft by employees and employee misconduct (Neil, 2009). In case of conflict between employees, the investigation officer will carry out an inquiry to establish the source of the problem.
Privacy Security Professionals will report directly to the CISO. The CISO will report to the Security Manager. The Security Manager will be responsible for management of all security operations, including budgeting and employment. The Security Manager will report to the General Manager, who will report directly to the Board of Directors. Other managers, like the Finance Manager, Human Resource Manager and Operations Manager, will report to the General Manager. The GM will present the issues arising from each department to the directors. The directors have the final word in the organization (Mark, 2007). Their decision is final and binding.

iii. Resources Required for Each Duty

Provision of services in each position requires certain knowledge and experience. To ensure effectiveness in security operations, the organization must employ people with the expected skills and knowledge. Security officers must have worked with the police or military for at least three years. He/she should have a degree or diploma in security management or a related field. He/she should also be computer literate with supervision skills. The IT Security Compliance Officer, IT Security Engineer and IT Procurement Specialist should possess a Bachelor's degree in Information Technology or Computer Science. They should have worked in a forensics department for a minimum of three years (Gerhard, 2010). Other positions, like the Privacy Security Professional, should be filled by a holder of a degree in criminology. He/she should have worked with the Secret Agents or the Undercover Agents for a minimum period of four years. The CISO should have a degree in Security Management, Computer Science, Forensic Science or any discipline related to Information Security. He/she should have worked in the information and physical security departments for a minimum period of seven years in a managerial position. The security manager should have worked with the police or military and retired or resigned at the rank of Inspector or Major.
He/she should have a degree in a security-related discipline (Cullen, 2011). The above skills will enable each person in those departments to work professionally. Skills and knowledge alone cannot provide a favorable working environment. The organization should provide other facilities and equipment to reinforce the security policies and procedures. Installation of physical security devices should take place. The organization should install things like Closed Circuit Television and alarms, and provide metal detector devices, among others. Installation of document recovery software should take place to ensure that stored information is safe. Each computer and other facility with memory should have anti-virus software installed to ensure protection (Neil, 2009).

iv. Reflection of the Department of Homeland Security

The Department of Homeland Security provides security services. This organization provides some of the security services provided by the Department of Homeland Security. In the information security area, the organization has professionals who will provide security for both software and hardware. The IT Security Engineer and IT Security Compliance Officer will provide information security services. They will report directly to the Chief Information Security Officer, who will also provide information security services. In physical security, the security guards and Security Officer will ensure protection of the workers and assets. They will report directly to the CISO. Privacy security will be provided by the investigators, who will operate as undercover agents in information collection. Procurement services will be provided by the IT Procurement Specialist and other contracted Procurement Specialists. They will carry out procurement in each department to ensure the effectiveness of services and facilities. The areas mentioned above will work to ensure security in each department of the organization (Mark, 2007).

Part 2: Request for Proposal Plan

a. Perspectives to Monitor in the Contract

The organization needs to use outsourced services from other IT service providers. Companies should apply for the tender, which will be awarded to qualified vendors. The contract should monitor several things to ensure the provision of high-quality services, because under contract many companies provide service in order to receive payment instead of providing quality services. For example, the organization will need suppliers of computers, hard disks and software. The contract should monitor the time frame for service provision. A company providing services like installation of software and hardware should sign for the period it will take to complete the assignment. Another thing to monitor is the quality of services. The company must sign for the make, model and storage capacity of the devices to be installed. This is because many IT specialists scam people by installing devices with a smaller storage capacity than agreed (Gerhard, 2010).

b. Evaluation of a Qualified, Trusted Supplier

Many companies apply for tenders giving false information about their experience. In order to identify a qualified company to supply IT products, there are some points to note. The company should provide a client list and contacts. The clients should be contacted to confirm the services provided by the company. New companies in the industry cannot provide high-quality services. The company should also provide its certificate of incorporation. It should have been in the field for more than five years. A company with five years' experience should also provide a bid security of $2000 to guarantee service delivery. By focusing on experience and customer references, the organization will get the best company to provide IT outsourcing services (Neil, 2009).

Part 3: Physical Security Plan

a. Plan to Protect Sensitive Areas

In protecting the physical assets and workers, the organization and security department will incorporate the following measures.
First, employment of qualified guards who will provide a 24-hour watch over the organization's building will deter criminal activities. The guards will patrol and guard the building, and this will prevent intruders from entering the organization. They will search employees to ensure that they do not go home with the organization's equipment. Second, installation of access control devices like electric gates, doors and locks will ensure enough physical security. The organization should use electric locks, biometric locks and magnetic locks. The doors should only open upon entry of a PIN number or presentation of a fingerprint. Thirdly, the organization should install alarms, Closed Circuit Television and panic buttons. The alarms will alert the security officers in case of theft, and CCTV will monitor all activities and operations within and outside the organization's compound. In case of theft, the investigation officers will use the recorded CCTV footage to identify the perpetrator (Cullen, 2011). Security guards will use the panic button to alert people in the building in case of attack or suspected terrorist movement. Those three methods will help in deterrence and detection of intruders' activities. They will ensure protection against theft by intruders as well as by employees. They will also ensure protection against risks like fire and other disasters. In case of fire, the security guards will switch on the alarm to alert managers, who will call for help.

Part 4: Enterprise Information Security Compliance Program

a. Plan and Control Objectives to Address the Known Issues

A security breach can come as a result of intruders' or employees' activities. Employees should be screened upon entrance by the security guards to identify their possessions. This is because they could carry bombs to set inside the organization's building. They should also be screened when leaving the offices to ensure that they have not taken away the organization's items.
The guards should also screen customers to ensure they do not possess weapons (Mark, 2007). Auditing should be carried out each month to prevent fraudsters' activities.

b. Information Security Policies

Each employee should keep the password for his/her computer secret. Passwords should be more than eight digits and changed in case of employee transfer or suspected security breach. Storage devices like flash disks and memory cards should be kept by the employee in charge. They should be kept safe in the office and not taken out without a manager's authority (Neil, 2009). The computers should have an updated antivirus.

c. Steps to Define Security Needs

For effectiveness and efficiency in security performance, a number of things need consideration. Security staff need off days, leave, allowances and training. When people are overworked they become unproductive. For efficiency in security provision, all security staff, whether in the office or in operations, should not provide services for more than 12 hours in a day. They should also have two days off within a week, and one month of leave within a year. Other departments should also apply the same working procedure to avoid the development of dishonest behavior. The organization should employ enough workers to ensure that each person can get time off and leave without interruption of the organization's operations. Training in security and risk management measures will be carried out quarterly each year. Each department will keep employees updated with security information and policies (Mark, 2007).

Part 5: Risk Management Plan

a. Risk Management Effort

In risk management, threats and unknown issues can be assessed through identification and characterization of the threat, assessing the vulnerability, determining the risk and finding ways to mitigate the risk. First, characterization and identification of threats will create awareness of the types of risk the organization may face, for example fire, theft and floods, among others.
Through a vulnerability assessment, the organization will note the risks which can occur. Then a report, and measures to take to mitigate the risk, will be provided (Gerhard, 2010).

b. Defining Priorities

When putting effective risk control measures into practice, defining priorities helps in the provision of effective mitigation and prevention measures. Through the definition of priorities, the organization will be able to prepare adequately to fight against the risk. It will lay down operating procedures which will help in reducing the effect of the risk (Neil, 2009). For example, in case of fire, workers will be taught evacuation drills.

c. Technical and Management Control

Risk can be controlled through avoidance, sharing, reduction and retention. Avoidance means that individuals do not participate in any business involving risks. Reduction means taking mitigation measures; this is the best treatment to undertake. Risks like fire are mitigated through installation of smoke detectors and fire extinguishers. The organization should share the risk with insurance companies. It should take out insurance covers against property theft and fire damage. The company should also use the retention method. It should keep money to use in case of disaster to ensure continuity of business operations (Mark, 2007).

References

Adler Gerhard (2010). Criminology. Boston: Allyn and Bacon Publishers.
Crockford Neil (2009). An Introduction to Security Management. Cambridge, UK: Woodhead-Faulkner.
Dorfman Mark (2007). Security Management. London: Green Lion Press.
Lilly Cullen (2011). Security Management. New York: McMillan.
Source: https://studentshare.org/information-technology/1790452-the-rookie-chief-information-security-officer
