The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program


Summary

The reader can use the fictitious corporation, IWC, as a model for building a new CIAPP or improving an existing one. Most corporations set their goals and objectives in planning documents such as strategic, tactical, and annual business plans. These plans are key documents that the ISSO should read and use to determine the corporation's future direction.

These plans are also the documents from which the ISSO can determine what is expected of the ISSO and of the CIAPP. They should serve as the basis for writing the service and support assets protection plans, either as separate documents or as sections integrated into the identified corporate planning documents.

The process by which IWC executive management decides which department the ISSO and the corporate security organization belong in provides key information that the ISSO should use when establishing the CIAPP and the InfoSec organization. It helps identify potential "power plays" by managers and offers a glimpse of the corporate political environment.

The ISSO must look at IWC from a global perspective and consider political, technological, economic, criminal, terrorist, and other events around the world. This broad scope is required when developing a CIAPP that will meet the worldwide needs of IWC, now and into the future.



Section II: The Duties and Responsibilities of an ISSO

Chapter List

Chapter 5: The ISSO's Position, Duties, and Responsibilities
Chapter 6: The Infosec Strategic, Tactical, and Annual Plans
Chapter 7: Establishing a CIAPP and Infosec Organization
Chapter 8: Determining and Establishing InfoSec Functions
Chapter 9: Establishing a Metrics Management System
Chapter 10: Annual Reevaluation and Future Plans
Chapter 11: High-Technology Crimes Investigative Support
Chapter 12: InfoSec in the Interest of National Security

Part Overview

After gaining a basic understanding of the external world and its many threats to information and information systems, all of which bear directly on the ISSO and the ISSO's job, Section II turns to a more internal, business-focused view of the world of the ISSO.

This section of the book provides a look at the duties and responsibilities of an ISSO employed at the International Widget Corporation (IWC).

Section II begins with the identification of the position, duties, and responsibilities of the IWC ISSO. It progresses through a discussion of:

  • Establishing and managing a Corporate Information Assets Protection Program (CIAPP);

  • Strategic, tactical, and annual InfoSec and business planning;

  • Developing and managing an InfoSec organization and its functions;

  • Measuring InfoSec costs, failures, and successes through metrics management;

  • Supporting the IWC security department's investigative staff; and

  • An overview of InfoSec in a nation-state's national security environment.



Chapter 5: The ISSO's Position, Duties, and Responsibilities

Responsible, who wants to be responsible? Whenever something bad happens, it's always, who's responsible for this? —Jerry Seinfeld [1]

Chapter Objective

The objective of this chapter, "The ISSO's Position, Duties, and Responsibilities," is to define the role that the ISSO plays in a corporation or government agency, in this case the role of the ISSO for IWC. The duties and responsibilities of an ISSO vary with the place of employment. Here, however, we assume that the ISSO holds the ideal position, because it is the one all ISSOs should strive to attain in order to "do it right the first time."

[1] Reader's Digest, October 2002, p. 73.