The ISSO in the International Widget Corporation (IWC)


At IWC, the ISSO reports to the Corporate Information Officer (CIO), who reports to the Corporate Executive Officer (CEO). The ISSO is in an extremely important position as a corporate leader and as the in-house consultant on Corporate Information Assets Protection Program (CIAPP) matters. The ISSO also represents IWC to the outside world on information and systems security protection matters. If you are chosen as the new IWC ISSO, you should have determined the history of that position:

  • When was it established?

  • Why?

  • What is expected of you as the ISSO?

  • What are your responsibilities and duties?

  • What are you accountable for?

  • What happened to the last one? (You want to know so you can understand the political environment in which you will be working.)

As you begin your new job as the IWC ISSO, you must clearly determine what is expected of you. Again, this information should have been asked for during your interview process, for two reasons:

  • So you know what you were getting into by accepting the ISSO position with IWC; and

  • So you could better prepare for the position with a more detailed CIAPP prior to beginning your first day at work.

You need a detailed plan prior to beginning your employment at IWC because you will be behind schedule from the moment you walk into IWC. That's because putting together a CIAPP from the start is a tremendous project. The ISSO has to determine the answers to the following:

  • What is important and requires protection?

  • What is being protected?

  • In what manner?

  • Is a staff needed?

  • If so, how many?

  • With what qualifications, for what positions?

  • What are the tasks to be performed?

  • What are the mandatory, best practices, and optional requirements to be met?

  • What processes and functions are necessary to meet those requirements?

  • What are the necessary budget allocations?

  • What metrics management techniques are required?

and the list goes on.

On top of all that is the need to learn about IWC, its culture, its normal corporate policies and procedures, and everything else that comes with joining a company. As the new IWC ISSO, you can't afford to waste any time in your 12- to 14-hour days. You must understand and learn your new environment, the key players, and the issues that must be addressed first. Often, ISSOs tend to isolate themselves from the rest of the corporation and adopt an almost "me against them" mentality. In today's corporations this will get you nowhere, except possibly out the corporate door. As an ISSO, you and your staff must integrate your functions into the corporate mainstream and integrate yourselves into the processes of the business. "Teaming" with others in the corporation is the only way to succeed in today's information-based, information-supported, and information-dependent corporations.

The IWC ISSO must eventually get into a proactive mode to be successful: that is, identifying problems and solutions before they come to the attention of management. InfoSec-related problems will undoubtedly get management's attention when they adversely affect costs and/or schedules, and adverse impacts on costs and schedules run contrary to the CIAPP's goal and objectives.

When an ISSO is in the position of constantly putting out fires, the proactive CIAPP battle is lost. If that battle is lost, the results are adverse impacts on costs and schedules. The goal of a cost-effective CIAPP cannot be attained.

As IWC's ISSO, you have been told that you are expected to establish and manage a CIAPP that works and that is not a burden on IWC. You are told to establish whatever program you believe is necessary to get the job done. You have the full support of management because they have come to realize how important their information and systems are to IWC maintaining its competitive advantage in the global marketplace. This honeymoon will last about 6 months, so you must take advantage of it. To do so, you must have a fast start and then pick up speed.

Based on this "blank management check" and your prior experience (or, for the inexperienced ISSO, the information gained from reading this book), you have evaluated the IWC environment and have decided that the overall goal of IWC's CIAPP is to:

Administer an innovative CIAPP that minimizes information protection risks at the least impact to costs and schedules, while meeting all of IWC's and its customers' reasonable expectations.

If that is what is expected of you, then that is your primary goal. Everything you do as the IWC ISSO should be focused and directed toward meeting that goal. That includes incorporating that philosophy into your:

  • CIAPP Strategic Plan;

  • CIAPP Tactical Plan; and

  • CIAPP Annual Plan.




The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204