Introduction
There are many different ways to configure an InfoSec organization, and there are many ways to configure the InfoSec functions that are part of that organization. Many ISSOs begin establishing an InfoSec organization, or "inheriting" one, without examining the need for the various functions and where that need was derived from. As stated earlier, every function should be derived from at least one of the following requirements (drivers):

  • Laws;

  • Regulations;

  • Best business practices;

  • Best InfoSec practices;

  • Ethics;

  • Privacy needs; and

  • IWC policies.

When developing or reorganizing a CIAPP-driven InfoSec organization, one can choose among three basic structures for the InfoSec organization that the ISSO will manage and lead. The three basic options are:

  • Centralized InfoSec under ISSO and InfoSec organization;

  • Decentralized throughout the corporation; or

  • A combination of the two.

One of the major factors in deciding what philosophy and approach to take is the culture of the corporation, as well as the charter of the ISSO spelling out the ISSO's duties and responsibilities. The ISSO must remember that the more centralized the organization, the more problems and work for the ISSO and staff. The old adage "If you want it done right, do it yourself" may work for some, but as an ISSO, that approach will bring you more stress than usual. In addition, you will definitely age exponentially. Developing and maintaining a protected information environment for IWC requires the support and active involvement of all IWC employees. Sometimes an ISSO forgets that and tries to take on the entire protection matter instead of leading a corporate team effort. Such an approach leads to more problems than solutions for developing and maintaining a protected information environment.

So, what should you do? The best approach seems to be a combination. For example, the IWC ISSO decided that the overall information and information systems protection logically should be centralized under the ISSO and InfoSec staff. After all, they have the experience and know-how to lead this IWC effort. However, at the same time, why get burdened with writing and maintaining current InfoSec procedures that must be implemented by IWC departments to comply with those InfoSec policies? So, procedures written for compliance, as previously stated, will be the responsibility of the IWC departments. Their adequacy will be determined through audits, InfoSec tests and evaluations, noncompliance inquiries, and the like.

In addition, the IWC departments will be responsible for developing, implementing, and maintaining the processes that are an integral part of the procedures needed to comply with the CIAPP.

The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204