ISSO and CIAPP Organizational Responsibilities


As the IWC ISSO, you will be managing and leading a CIAPP organization. You will be responsible for developing, implementing, maintaining, and administering a company-wide CIAPP program.

You have evaluated the IWC environment and found that a centralized CIAPP is required to cost-effectively jump-start the CIAPP and its associated processes. Your evaluation of what is needed led you to consider the following CIAPP-related functions for development [5]:

  • Management of all functions and work which are routinely accomplished during the course of conducting the organization's business in accordance with IWC's policies and procedures.

  • System access administration and controls, including the direct use and control of systems' access software, monitoring their use, and identifying access violations.

  • Access violation analyses to identify patterns and trends that may indicate an increased risk to systems or information.

  • Computer crime and abuse inquiries where there are indications of intent to damage, destroy, modify, or release to unauthorized people information of value to the company. (Note: This function was coordinated and agreed to by the Director of Security on the condition that his investigative organization manager was kept apprised of the inquiries and that copies of all reports were sent to that manager.)

  • Disaster recovery/contingency planning, which includes directing the development and coordination of a company-wide program to mitigate the possibility of loss of systems and information, and ensure their rapid recovery in the event of an emergency or disaster.

  • An awareness program established and administered to all system users to make them aware of the information systems protection policies and procedures that must be followed to adequately protect systems and information.

  • Evaluation of systems' hardware, firmware, and software for impact on the security of systems and information.

  • Where applicable, conduct of risk assessments, with the results reported to management for risk decisions.

  • Conduct of systems' compliance inspections, tests, and evaluations to ensure that all users and systems are in compliance with IWC's CIAPP policies and procedures.

IWC ISSO's Formal Duties and Responsibilities

Based on the above and in concert with the executive management of IWC, the ISSO has developed and received approval for formally establishing the following charter of IWC ISSO responsibilities:

Summary of the Purpose of the IWC ISSO Position

Develop, implement, maintain, and administer an overall, IWC-wide CIAPP to include all plans, policies, procedures, assessments, and authorizations necessary to ensure the protection of customer, subcontractor, and IWC information from compromise, destruction, and/or unauthorized manipulation while being processed, stored and/or transmitted by IWC's information systems.

Accountabilities

  • Identify all government, customers, and IWC CIAPP requirements necessary for the protection of all information processed, stored and/or transmitted by IWC's information systems; interpret those requirements; and develop, implement and administer IWC plans, policies, and procedures necessary to ensure compliance.

  • Evaluate all hardware, firmware, and software for impact on the security of the information systems; direct and ensure their modification if requirements are not met; and authorize their purchase and use within IWC and applicable subcontractor locations.

  • Establish and administer the technical security countermeasures program to support IWC requirements.

  • Establish and administer a security test and evaluation program to ensure that all of IWC's and applicable subcontractors' information systems are operating in accordance with their contracts.

  • Identify, evaluate, and authorize for use all information systems and other hardware within IWC and at applicable subcontractor locations to ensure compliance with red/black engineering[6] where proprietary and other sensitive information is processed.

  • Direct the use of, and monitor, IWC's information systems access control software systems; analyze all systems' security infractions/violations and report the results to management and Human Resources personnel for review and appropriate action.

  • Identify information systems business practices and security violations/infractions; conduct inquiries; assess potential damage; direct and monitor IWC management's corrective action; and implement/recommend corrective/preventive action.

  • Establish and direct an IWC-wide telecommunications security working group.

  • Develop, implement, and administer a risk assessment program; provide analyses to management; modify IWC and subcontractor requirements accordingly to ensure a least-cost CIAPP program.

  • Establish and administer a CIAPP awareness program for all IWC information systems users, to include customers and subcontractor users, and ensure they are cognizant of information systems threats, and of security policies and procedures necessary for the protection of information systems.

  • Direct and coordinate an IWC-wide information systems emergency/disaster recovery/contingency planning program to ensure the rapid recovery of information systems in the event of an emergency or disaster.

  • Direct the development, acquisition, implementation, and administration of CIAPP software systems.

  • Represent IWC on all CIAPP matters with customers, government agencies, suppliers, and other outside entities.

  • Provide advice, guidance, and assistance to IWC management relative to CIAPP matters.

  • Perform common management accountabilities in accordance with IWC's management policies and procedures.

[5] As previously mentioned, IWC is the ideal company for an ISSO, and therefore, we are developing an ideal CIAPP and organization.

[6] For IWC, red/black engineering means the methods used to separate those data lines that require special protection because of the sensitivity of the information which flows through them from those lines that do not require enhanced protection. One of the main concerns with such lines running together is the chance that emanations will transfer between the lines, thus exposing "protected" information to compromise.


The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204