IWC ISSO's InfoSec Functions

The ISSO has gone through the process described earlier to identify the baseline functions the InfoSec organization needs in order to support the CIAPP, which in turn supports IWC's business needs as stated in the IWC strategic, tactical, and annual business plans. The following paragraphs identify, describe, and discuss some of the functions the IWC ISSO identified.

Awareness Program

The IWC ISSO decided to concentrate, as a high priority, on the IWC CIAPP Education Awareness and Training Program (CIAPP-EATP), both as a major InfoSec organizational function and as an integral part of the CIAPP. The CIAPP-EATP was needed to make IWC users aware of the need to protect IWC information and systems and of their own responsibilities for doing so, and to gain the users' active support in that protection.

The ISSO reasoned that once the IWC InfoSec policies of the CIAPP were developed and published, employees had to be made aware of them and of why they were necessary, because a successful CIAPP could be established and maintained only with the full support and cooperation of IWC employees.

The Awareness Program process was broken into two major parts (Figure 8.2):

  • Awareness Briefings; and

  • Continuing Awareness Material.

Figure 8.2: The flow process of IWC's CIAPP-EATP.

Awareness Briefings

The awareness briefings included information relative to the need for information and systems protection; the impact of protecting and not protecting the systems and information; and an explanation of the IWC InfoSec Program.

The ISSO reasoned that a single general awareness briefing was suitable only for new employees: it failed to provide the specific information required by the various groups of systems users. The awareness briefings were therefore tailored to specific audiences as follows:

  • All new hires, whether or not they used a system, the rationale being that they all handle information and come in contact with computer and telecommunication systems in one form or another;

  • Managers;

  • System users;

  • Information Technology Department personnel;

  • Engineers;

  • Manufacturers;

  • Accounting and Finance personnel;

  • Procurement personnel;

  • Human Resources personnel;

  • Security and Audit personnel; and

  • The system security custodians (those who would be given day-to-day responsibility to ensure that the systems and information were protected in accordance with the InfoSec policy and procedures).

A process was established to identify these personnel, enter their profile information into a database, and, using a standard format, track their awareness briefing attendance, both the initial briefing and the annual rebriefings. The same information would be used to send them awareness material through the IWC mail system.
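The tracking process above is easy to get wrong at the edges: employees who have never attended a briefing must be scheduled for the new-hire briefing rather than an "annual rebrief", and the role-specific briefing has to be selected from the audience list rather than left to the general one. The following Python sketch is an added example, not code from the book or from IWC; the role names, the 365-day rebriefing interval, the `Employee` record layout and the sample employees are all assumptions constructed for illustration, and the real IWC database format is not described on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed mapping from an HR job-role code to the tailored awareness briefing.
# The briefing names follow the audience list in the text; the role codes are invented.
AUDIENCE_BY_ROLE = {
    "manager": "Managers",
    "it": "Information Technology Department personnel",
    "engineer": "Engineers",
    "manufacturing": "Manufacturers",
    "finance": "Accounting and Finance personnel",
    "procurement": "Procurement personnel",
    "hr": "Human Resources personnel",
    "security": "Security and Audit personnel",
    "custodian": "System security custodians",
}
GENERAL_AUDIENCE = "System users"        # fallback for any role not listed above
NEW_HIRE_BRIEFING = "All new hires"       # mandatory initial briefing for everyone
ANNUAL_REBRIEFING = "Annual rebriefing"
REBRIEF_INTERVAL = timedelta(days=365)   # assumed: rebrief at least once a year


@dataclass
class Employee:
    emp_id: str
    name: str
    role: str
    hire_date: date
    last_briefing: Optional[date]  # None means never briefed (edge case handled below)


def required_briefings(emp: Employee, today: date) -> List[str]:
    """Return the briefings an employee is due for as of `today`.

    Never-briefed employees get the new-hire briefing; employees whose last
    briefing is a year or more old get the annual rebriefing. In both cases the
    role-specific briefing is added, since the text tailors content by audience.
    An employee briefed within the last year is current and gets an empty list.
    """
    if emp.last_briefing is None:
        due = [NEW_HIRE_BRIEFING]
    elif today - emp.last_briefing >= REBRIEF_INTERVAL:
        due = [ANNUAL_REBRIEFING]
    else:
        return []
    due.append(AUDIENCE_BY_ROLE.get(emp.role, GENERAL_AUDIENCE))
    return due


def days_overdue(emp: Employee, today: date) -> int:
    """Days past the rebriefing deadline; 0 if current. Never-briefed staff are
    measured from their hire date so they sort ahead of merely late rebriefs."""
    anchor = emp.last_briefing if emp.last_briefing is not None else emp.hire_date
    deadline = anchor + REBRIEF_INTERVAL if emp.last_briefing else anchor
    return max(0, (today - deadline).days)


def rebriefing_roster(employees: List[Employee], today: date) -> Dict[str, List[str]]:
    """Map emp_id -> briefings due, for employees who need one, most overdue first."""
    due = [(e, required_briefings(e, today)) for e in employees]
    due = [(e, b) for e, b in due if b]
    due.sort(key=lambda eb: days_overdue(eb[0], today), reverse=True)
    return {e.emp_id: b for e, b in due}


# Constructed sample records (not real IWC data).
SAMPLE_EMPLOYEES = [
    Employee("E001", "Alice", "manager", date(1999, 3, 1), date(2002, 1, 10)),
    Employee("E002", "Bob", "it", date(2000, 8, 15), date(2001, 5, 1)),
    Employee("E003", "Carol", "sales", date(2002, 6, 3), None),  # role not in table
]
SAMPLE_TODAY = date(2002, 6, 15)

if __name__ == "__main__":
    for emp_id, briefings in rebriefing_roster(SAMPLE_EMPLOYEES, SAMPLE_TODAY).items():
        print(emp_id, "->", "; ".join(briefings))
```

Running the block prints Carol (never briefed, due the new-hire briefing plus the general user briefing because "sales" is not a tailored audience) and Bob (410 days since his last briefing, due the annual rebriefing plus the IT briefing); Alice is current and is omitted.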

Continuing Awareness Material

The ISSO, in concert with the Human Resources and Training staffs, decided that keeping employees aware of their CIAPP responsibilities would require constant reminders. After all, information and systems protection is not the major function of most IWC employees, so a way had to be found to remind them that it is nonetheless part of their job.

It was decided that awareness material could be provided to employees cost-effectively through:

  • Annual calendars;

  • Posters;

  • Labels for systems and disks;

  • Articles published in the IWC publications such as the weekly newsletter; and

  • Logon notices and system broadcast messages, especially of InfoSec changes.

Although this CIAPP-EATP baseline was not all-inclusive, the ISSO believed it was a good start that could be analyzed for cost-effective improvements at the end of the calendar year.




The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204