Based on what you have read, consider the following questions and, as an ISSO, how you would reply to them:
Do you have a process in place to conduct a formal year-end analysis of your CIAPP and InfoSec functions?
If not, why not?
If so, does it include cost-benefit analyses?
Do you provide a "state-of-InfoSec" report of the corporate information environment at year's end?
If so, is it briefed to executive management?
Are "subreports" provided to each department head addressing specifically the status of the protection of their information environment?
Do you involve your InfoSec staff in the year-end reviews, analyses, and planning?
Do you reward your InfoSec staff for a job well done at year's end—by more than words?
How would you go about conducting and improving on the process described in this chapter?