ISSO Thought Process in Establishing the InfoSec Organization


The ISSO also knew that a staff of InfoSec specialists would be required because of the large size and geographic spread of IWC systems and associated facilities. What the ISSO had to determine was how many specialists, what types, and how the ISSO's organization should be structured. Although there was a group of InfoSec specialists that made up the IWC InfoSec organization that the ISSO inherited, they were disorganized and had been sort of "thrown together" by the previous ISSO, who was not employed long enough to get around to properly organizing the group.

The IWC ISSO must, in parallel to establishing a CIAPP baseline, also begin the task of establishing a CIAPP-related InfoSec organization. The ISSO decided that the sole purpose of the organization was to lead and support the CIAPP. Therefore, the ISSO intended to provide an "umbilical cord" between the CIAPP and the ISSO's InfoSec organization. After all, without some form of CIAPP, no InfoSec organization would be necessary. In doing so, the ISSO needed to understand:

  • The limits of authority;

  • The amount of budget available; and

  • The impact of establishing a CIAPP program on IWC—the culture change.

The ISSO must also determine how to find qualified people who could build and maintain a cost-effective CIAPP. The staff must also be able to develop into an InfoSec team where everyone acts and is treated as professionals. The IWC ISSO wanted a group of InfoSec professionals who were very talented, yet could leave their egos at the door when they came to work (not an easy task for very talented people).

The ISSO also had to consider that building an empire and a massive, bureaucratic organization would not only give the wrong impression to IWC management, but would also be costly. Furthermore, the ISSO must build an efficient and effective InfoSec organization, as required by IWC and as stated in the numerous plans. After all, wasn't that one of the implied conditions of employment?

Building a bureaucracy leads to cumbersome processes, which leads to slow decision cycles, which causes the CIAPP to have an adverse impact on costs and schedules, which leads to a CIAPP that does not provide the services and support needed by the company. This snowballing effect, once started, will be difficult to stop. And if stopped, it requires twice as long to rebuild the service and support reputation of the ISSO, the InfoSec staff, and the CIAPP.

In developing the CIAPP organization, the ISSO also had to bear in mind all that was discussed with IWC management and what was promised. These included:

  • IWC's history, business, and the competitive environment;

  • Mission, vision, and quality statements;

  • IWC and CIAPP plans; and

  • The need for developing a CIAPP as quickly as possible, for the work will not wait until the ISSO is fully prepared.

Determining the Need for InfoSec Subordinate Organizations

The ISSO must determine whether or not subordinate InfoSec organizations are needed. If so, a functional work breakdown structure must be developed to determine how many subordinate organizations are needed and what functions should be integrated into what subordinate organizations.

The IWC ISSO reviewed the ISSO's charter and CIAPP focus previously agreed to by the ISSO and executive management. That charter included the following CIAPP functions:

  • Requirements, policies, procedures, and plans;

  • Hardware, firmware, and software InfoSec evaluations;

  • Technical security countermeasures (function subsequently transferred to the Security Department);

  • InfoSec tests and evaluations;

  • Information system processing approvals;

  • Access control;

  • Non-compliance inquiries;

  • Telecommunications security;

  • Risk management;

  • Awareness and training; and

  • Disaster recovery/contingency planning.

The ISSO analyzed the plans, functions, number of systems, and number of users, and determined that two subordinate organizations would be needed to provide the minimum CIAPP professional services and support.

Actually, the ISSO thought of dividing the functions into three organizations, but the need for one of those was borderline. Also, having three suborganizations might give the wrong impression to others in IWC (one must always remember perceptions and appearances when building a CIAPP and organization). It would also provide another level of administrative overhead burden that would not be cost-effective. The ISSO reasoned that the two subordinate organizations would suffice for now; the organizations could be reevaluated at the end of the first year's operation.

The ISSO decided to brief the Corporate Information Officer (the boss) on the plan. The CIO thought it was reasonable, but wondered how the ISSO would handle the off-site locations in the United States, Europe, and Asia.

As with any good plan, nothing ever runs completely as expected. Being an honest and straightforward ISSO, the ISSO's only logical comeback was "Huh?" The CIO went on to explain that their global locations are manufacturing sites making final assemblies or subassemblies of the widgets, shipping them to the main plant or to global customers, as applicable.

The ISSO asked the CIO how other organizations handled the off-site locations. The CIO explained that they have smaller, satellite offices to provide the service and support needed at each location. The ISSO determined that before deciding on the need for a satellite office, the problem should be further evaluated. The ISSO explained to the CIO that the evaluation would be conducted within a week and a decision made at that time.

The ISSO subsequently determined that in order to provide quality services and support to the off-site locations, small InfoSec organizations with dedicated staff should be in place at all facilities. This would replace the current arrangement, in which staff assigned by the on-site facility executive managers served as part-time InfoSec persons as an additional duty. This decision was based on several considerations:

  • Conversations with managers of other organizations, who had satellite offices at the off-site location, relative to how they handled the problem;

  • Conversations with managers of other organizations, who did not have satellite offices at the off-site location, as to how they handled the service and support requirements;

  • Conversations with off-site facility executive managers;

  • An analysis of the off-site locations' information systems configurations and processing;

  • Information flow processes; and

  • The CIAPP needs of each location.

Based on the analysis, the ISSO determined that CIAPP satellite offices were indeed necessary, but some functions could be supported from the corporate office, such as risk management, policy development, and requirements.

The ISSO informed the CIO of the decision and the basis for the decision, emphasizing its cost-effectiveness. The CIO agreed based on the business logic shown by the ISSO, the minimal number of InfoSec staff needed, and what the CIO sensed as the ISSO's strong commitment to CIAPP using a least-cost/minimum risk approach.

The number of people in any working group tends to increase regardless of the amount of work to be done.—Cyril Northcote Parkinson[7]

Developing the CIAPP Organization Structure

Based on the ISSO's analyses, the ISSO established the CIAPP organization—at least on paper (Figure 7.2).

Figure 7.2: The primary structure of the CIAPP organization.

The ISSO found that establishing the CIAPP organization to date had been the easy part. Now came the bureaucracy of coordinating and gaining approval of the CIAPP organization from the designated organizations, such as organizational planning, human resources, and facilities, as well as completing their forms and those of other organizations.[8]

A word of caution to the ISSO: Some service and support organizations are more interested in proper completion of the administrative bureaucracy than in helping their internal customers. Just grin and bear it. You can't change it, except over time, and now is not the time. The priority is getting the CIAPP and the InfoSec organization off the ground. Concentrate on that priority.

Developing the CIAPP Subordinate Organizations

The ISSO determined that the subordinate organizations must also have charters that identify the CIAPP functions that are to be performed by the staff of those organizations. The ISSO further determined that recruiting managers for the subordinate organizations was premature. The ISSO reasoned that what was needed first was professional InfoSec personnel who could begin the actual CIAPP work. The ISSO would manage all the organizations until such time as the workload and cost-effectiveness considerations determined that a subordinate manager or managers were needed. Based on the work to be performed, and the analyses discussed above, the ISSO developed the charters for the subordinate organizations. In the interim, the ISSO used a matrix management approach with the off-site facility managers, who were responsible to the CIO for overall information and information systems management.

Responsibilities of CIAPP Subordinate Organizations

CIAPP Access Control and Compliance Subordinate Organization

The ISSO is the acting manager of the CIAPP Access Control and Compliance (IACC) subordinate organization.

The following is the summary of the position:

Provide management and direction, and conduct the analyses required to protect information processed on IWC information systems from unauthorized access, disclosure, misuse, modification, manipulation, or destruction; implement and maintain appropriate information and information systems access controls; conduct noncompliance inquiries; and maintain violations tracking systems[9] (Figure 7.3).

Figure 7.3: A CIAPP Access Control and Compliance subordinate organization and its primary functions.

Detailed accountabilities include:

  1. Implement, administer, and maintain user access control systems by providing controls, processes, and procedures to prevent the unauthorized access, modification, disclosure, misuse, manipulation, or destruction of IWC information.

  2. Monitor user access control systems to provide for the identification, inquiry, and reporting of access control violations. Analyze system access control violation data and trends to determine potential systems' security weaknesses and report them to management.

  3. Conduct inquiries into CIAPP violations/incidents and related CIAPP business practices, IWC policies, and procedures. Identify the exposures/compromises created, and recommend to management corrective and preventive actions.

  4. Direct, monitor, and guide the CIAPP activities of IWC's access control support groups and systems to ensure adequate implementation of access control systems in meeting CIAPP requirements.

  5. Establish and manage an information systems defensive system, including firewalls and related intrusion detection systems.

  6. Provide advice and assistance in the interpretation and implementation of CIAPP policies and procedures, contractual CIAPP requirements, and related documents.

CIAPP Policy and Risk Management

The ISSO is the acting manager of the CIAPP Policy and Risk Management subordinate organization.

The following is the summary of the position:

Provide management and direction, and develop, implement, and maintain CIAPP policies and procedures; awareness; disaster recovery and contingency planning; CIAPP system life cycle processes; InfoSec tests and evaluations; risk management; and CIAPP technical security and related programs to protect IWC systems and information (Figure 7.4).

Figure 7.4: A CIAPP Policy and Risk Management subordinate organization and its primary functions.

Detailed accountabilities include:

  1. Identify all CIAPP requirements needed and develop IWC policies and procedures necessary to ensure conformance to those requirements.

  2. Evaluate all hardware, software, and firmware to ensure conformance to CIAPP policies and procedures, recommend modifications when not in conformance, and approve them when in conformance.

  3. Establish and administer an InfoSec Tests and Evaluations Program to ensure compliance with systems' security documentation and applicable CIAPP requirements.

  4. Establish, implement, and maintain a CIAPP Technical Program to identify all electronic threats and mitigate those threats in a cost-effective manner.

  5. Establish and maintain a CIAPP Awareness Program to ensure that IWC management and users are cognizant of CIAPP policies, procedures, and requirements for the protection of systems and information, and their related threats.

  6. Develop, implement, and administer a Risk Management Program to identify and assess threats, vulnerabilities, and risks associated with the information for which IWC has responsibility and recommend cost-effective modifications to the CIAPP Program, systems, and processes.

  7. Establish and maintain a Disaster Recovery/Contingency Planning Program that will mitigate CIAPP, IWC information, and systems' losses and ensure the successful recovery of the information and systems with minimal impact on IWC.

Off-Site CIAPP Organizations

The ISSO is also the acting manager of the Off-Site CIAPP subordinate organizations. However, the ISSO has also determined that it will be necessary to appoint a person as a supervisor to manage the day-to-day operations of the off-site CIAPP program. At the same time, there are not enough personnel, as stated by HR, to appoint a manager at the off-site locations. However, the supervisor has authority to make decisions related to that activity, with several exceptions. The supervisor cannot counsel the CIAPP staff, evaluate their performance (except to provide input to the CIAPP manager), make new CIAPP policy, or manage budgets.

The following is the summary of the position:

Implement, maintain, and administer a CIAPP program for IWC resources at the off-site location; and take the action necessary to ensure compliance with the CIAPP requirements, policies, and procedures to protect IWC information from compromise, destruction, and/or unauthorized manipulation.[10]

Detailed accountabilities include:

  1. Implement and administer IWC plans, policies, and procedures necessary to ensure compliance with stated IWC CIAPP requirements for the protection of all information processed, stored, and/or transmitted on IWC information systems.

  2. Administer an InfoSec Tests and Evaluations Program to ensure that all IWC information systems are operated in accordance with appropriate CIAPP requirements and contract specifications.

  3. Administer and monitor the local use of IWC information systems access control software systems, analyze all infractions/violations, and document and report the results of questionable user activity for CIAPP inquiries.

  4. Identify information systems' business practice irregularities and security violations/infractions; conduct detailed inquiries; assess potential damage; monitor IWC management's corrective action; and recommend preventive measures to preclude recurrences.

  5. Administer a CIAPP Education and Training Awareness Program for all IWC managers and users of IWC information systems to ensure they are cognizant of information systems' threats and are aware of the CIAPP policies/procedures necessary for the protection of information and information systems.

  6. Represent the CIAPP Manager relative to all applicable IWC CIAPP matters as they apply to personnel, resources, and operations at the off-site location.

  7. Provide advice, guidance, and assistance to management, system users, and systems' custodians relative to CIAPP matters.

  8. Perform other functions as designated or delegated by the CIAPP Manager.

InfoSec Job Descriptions

After establishing and gaining final approval for the InfoSec organization, and while trying to begin establishing a formal, centralized CIAPP, the ISSO determined it was now time to begin hiring some InfoSec professionals.

However, before that could be accomplished and in accordance with IWC organizational development and Human Resources requirements, an InfoSec job family must first be established. After all, IWC, being a high-tech, modern corporation, requires that employees be assigned to career families to support their career development program as directed by the Human Resources Department. And, unfortunately, it seems that InfoSec functions have never been a formal part of IWC. Therefore, there are no job families that seem to meet the needs of the CIAPP functions.

The ISSO and the Human Resources person discussed the matter and agreed that the ISSO would write the InfoSec functional job family descriptions. The ISSO was told that they must be generic, so they are flexible enough to support several InfoSec job functions within each level of the job family. The Human Resources person advised the ISSO that this is necessary to ensure the flexibility needed for recruiting, hiring, and the subsequent career development of the InfoSec professionals. Also, it would streamline the process and ensure that the number of InfoSec job family positions' descriptions could be kept to a minimum, thus also decreasing bureaucracy and paperwork.

At the conclusion of the meeting, the Human Resources person provided the ISSO with the job descriptions for the security, auditor, and information technology job family. Also provided were several forms that must be completed when submitting the InfoSec job family descriptions, as well as forms to be used for documenting each job family description by grade level.

Armed with the challenges of this new onslaught of bureaucratic paper, and bidding adieu to the smiling Human Resources person, the ISSO headed back to the office to begin the task of writing IWC's InfoSec job family sample descriptions (while wondering when there would be time to do real CIAPP work).

After reviewing the provided job descriptions and reading the paperwork needed to make this all happen, the ISSO wrote and provided the Human Resources person with the function descriptions of the InfoSec job family! After several iterations and compromises, and approvals through a chain of organizational staffs, the job family was approved.

InfoSec Job Family Functional Descriptions

The following detailed InfoSec job family functional descriptions were developed and approved by the applicable IWC departments:

1. Systems Security Administrator

Position Summary: Provide all technical administrative support for the InfoSec organization.

Duties and Responsibilities:

  1. Filing.

  2. Typing reports and other word processing projects.

  3. Developing related spreadsheets, databases, and text/graphic presentations.

Qualifications: High school diploma, 1 year of security administration or 2 years of clerical experience. Must type at least 60 words per minute.

2. System Security Analyst Associate

Position Summary: Assist and support InfoSec staff in ensuring all applicable IWC CIAPP requirements are met.

Duties and Responsibilities:

  1. Support the implementation and administration of InfoSec software systems.

  2. Provide advice, guidance, and assistance to system users relative to CIAPP matters.

  3. Identify current CIAPP and InfoSec functional processes and assist in the development of automated tools to support those functions.

  4. Assist in the analysis of manual CIAPP and InfoSec functions, and provide input to recommendations and reports of the analyses to the ISSO.

  5. Maintain, modify, and enhance automated InfoSec functional systems of InfoSec tests and evaluations, risk assessments, software/hardware evaluations, access control, and other related systems.

  6. Collect, compile, and generate CIAPP functional informational reports and briefing packages for presentation to customers and management.

  7. Perform other functions as assigned by the ISSO and InfoSec management.

Position requires being assigned to perform duties in one or more of the following areas:

  • Access Controls—Maintain basic user access control systems by providing processes and procedures to prevent unauthorized access or the destruction of information.

  • Access Controls/Technical Access Control Software—Assist access controls support groups and systems by providing software tools and guidance to ensure adequate implementation of access control systems in meeting CIAPP requirements, as well as defensive systems such as firewalls and related intrusion detection systems.

  • Access Controls/Violations Analysis—Monitor the use of IWC access control software systems; identify all systems CIAPP infractions/violations; document and report the results of questionable user and system activity for CIAPP inquiries.

  • InfoSec Tests and Evaluation/CIAPP System Documentation—Conduct InfoSec tests and evaluations on standalone (non-networked) systems to ensure that the systems are processing in accordance with applicable CIAPP-approved procedures.

Qualifications: This position normally requires a bachelor's degree in an InfoSec-related profession.

3. System Security Analyst

Position Summary: Identify, schedule, administer, and perform assigned technical InfoSec analysis functions to ensure all applicable requirements are met.

Duties and Responsibilities:

  1. Represent CIAPP to other organizations on select CIAPP-related matters.

  2. Provide advice, guidance, and assistance to managers, system users, and system custodians relative to CIAPP matters.

  3. Provide general advice and assistance in the interpretation of CIAPP requirements.

  4. Identify all CIAPP requirements necessary for the protection of all information processed, stored, and/or transmitted by the information systems; develop and implement plans, policies, and procedures necessary to ensure compliance.

  5. Identify current CIAPP functional processes and develop automated tools to support those functions.

  6. Analyze manual CIAPP functions, and provide recommendations and reports of the analyses to InfoSec management.

  7. Maintain, modify, and enhance automated CIAPP functional systems of InfoSec tests and evaluations, risk assessments, software/hardware evaluations, access control, and other related systems.

  8. Collect, compile, and generate CIAPP functional informational reports and briefing packages for presentation to customers and management.

  9. Perform other functions as assigned by InfoSec management.

Position requires being assigned to perform duties in the following areas:

  • Access Controls/Technical Access Control Software—Administer and maintain user access control systems by providing controls, processes, and procedures to prevent the unauthorized access, modification, disclosure, misuse, manipulation, or destruction of IWC information; as well as defensive systems such as firewalls and related intrusion detection systems.

  • Access Controls/Violations Analysis—Administer and monitor the use of IWC access control software systems; analyze all systems CIAPP infractions/violations; document and report the results of questionable user and system activity for CIAPP inquiries.

  • Noncompliance Inquiry—Identify and analyze CIAPP business practice irregularities and CIAPP violations/infractions; conduct detailed inquiries; assess potential damage; monitor corrective action; and recommend preventive, cost-effective measures to preclude recurrences.

  • Risk Assessment—Perform limited risk assessments of CIAPP systems and processes; determine their threats, vulnerabilities, and risks; and recommend cost-effective risk mitigation solutions.

  • InfoSec Tests and Evaluation/CIAPP System Documentation—Schedule and conduct CIAPP tests and evaluations on standalone (non-networked) systems to ensure that the systems are processing in accordance with applicable CIAPP-approved procedures.

Qualifications: This classification normally requires a bachelor's degree in an InfoSec-related profession and at least 2 years of practical experience.

4. System Security Analyst Senior

Position Summary: Identify, evaluate, conduct, schedule, and lead technical InfoSec analysis functions to ensure that all applicable IWC CIAPP requirements are met.

Duties and Responsibilities:

  1. Provide technical analysis of CIAPP requirements necessary for the protection of all information processed, stored, and/or transmitted by systems; interpret those requirements; and translate, implement, and administer Division plans, policies, and procedures necessary to ensure compliance.

  2. Represent CIAPP on security matters with other entities as assigned.

  3. Provide advice, guidance, and assistance to senior management, systems' managers, and system users and custodians relative to CIAPP matters.

  4. Perform other functions as assigned by InfoSec Management.

Position requires being assigned to perform duties in the following areas:

  • Access Controls/Technical Access Control Software—Implement, administer, and maintain systems' user access control systems through the use of controls, processes, and procedures to prevent their unauthorized access, modification, disclosure, misuse, manipulation, and/or destruction; as well as defensive systems such as firewalls and related intrusion detection systems.

  • Access Controls/Violations Analysis—Coordinate, administer, and monitor the use of systems' access control systems; analyze systems' security infractions/violations employing statistical and trend analyses and report the results.

  • CIAPP Awareness—Prepare, schedule, and present CIAPP awareness briefings to systems' managers, custodians, and users. Act as focal point for dissemination of CIAPP information through all forms of media.

  • Disaster Recovery—Coordinate and ensure compliance with system disaster recovery/contingency plans to ensure the rapid recovery of systems in the event of an emergency or disaster.

  • Hardware and Software CIAPP Evaluations—Evaluate all hardware, firmware, and software for impact on the CIAPP of the systems; monitor and ensure their modification if requirements are not met; and authorize their purchase and use within IWC.

  • Noncompliance Inquiry—Identify and conduct technical analyses of CIAPP business practices and violations/infractions; plan, coordinate, and conduct detailed inquiries; assess potential damage; and develop and implement corrective action plans.

  • Risk Assessments—Conduct limited InfoSec technical risk assessments; prepare reports of the results for presentation to management.

  • InfoSec Tests and Evaluations/CIAPP Documentation—Schedule and conduct InfoSec tests and evaluations to ensure that all the applicable systems are operating in accordance with CIAPP requirements.

  • Technical Countermeasures—Conduct technical surveys and determine necessary countermeasures related to physical information leakage; conduct sound attenuation tests to ensure that information processing systems do not emanate information beyond IWC's zone of control.

Qualifications: This classification normally requires a bachelor's degree in an InfoSec-related profession and 4 years of practical, related experience.

5. System Security Analyst Specialist

Position Summary: Act as technical CIAPP advisor, focal point, and lead to ensure all CIAPP functions are meeting IWC requirements, as well as develop and administer applicable programs.

Duties and Responsibilities:

  1. Act as technical advisor for CIAPP requirements necessary for the protection of all information processed, stored, and/or transmitted by systems; interpret those requirements; and translate, document, implement, and administer IWC CIAPP plans, policies, and procedures necessary to ensure compliance.

  2. Represent CIAPP on security matters with other entities as assigned.

  3. Provide advice, guidance, and assistance to senior management, IT managers, system users, and system custodians relative to CIAPP matters.

  4. Perform other functions as assigned by InfoSec Management.

Position requires being assigned to perform duties in a combination of the following areas:

  • Access Controls/Technical Access Control Software—Implement, administer, and maintain systems' user access control systems through the use of controls, processes, and procedures to prevent their unauthorized access, modification, disclosure, misuse, manipulation, and/or destruction, as well as defensive systems such as firewalls and related intrusion detection systems.

  • CIAPP Awareness—Prepare, schedule, and present CIAPP awareness briefings to system managers, custodians, and users. Act as focal point for dissemination of CIAPP information through all forms of media.

  • Disaster Recovery—Coordinate and ensure compliance with system disaster recovery/contingency plans to ensure the rapid recovery of systems in the event of an emergency or disaster.

  • Hardware and Software CIAPP Evaluations—Evaluate all hardware, firmware, and software for impact on the CIAPP of the systems; monitor and ensure their modification if requirements are not met; and authorize their purchase and use within IWC.

  • Risk Assessments—Conduct limited CIAPP technical risk assessments; prepare reports of the results for presentation to management.

  • InfoSec Tests and Evaluations/CIAPP Documentation—Schedule and conduct InfoSec tests and evaluations to ensure that all the applicable systems are operating in accordance with CIAPP requirements.

  • Technical Countermeasures—Conduct technical surveys and determine necessary countermeasures related to physical information leakage; conduct sound attenuation tests to ensure that information processing systems do not emanate information beyond IWC's zone of control.

Qualifications: This classification normally requires a bachelor's degree in a CIAPP-related profession and 6 years of CIAPP experience.

6. System Security Engineer

Position Summary: Act as a technical systems management consultant, focal point, and project lead for CIAPP functions and programs developed to ensure IWC requirements are met.

Duties and Responsibilities:

  1. Act as a lead in the identification of government, customers, and IWC CIAPP requirements necessary for the protection of information processed, stored, and/or transmitted by IWC's systems; interpret those requirements; and develop, implement, and administer IWC CIAPP plans, policies, and procedures necessary to ensure compliance.

  2. Represent the CIAPP Office, when applicable, on CIAPP matters as well as serve as IWC's liaison with customers, government agencies, suppliers, and other outside entities.

  3. Provide advice, guidance, and assistance to senior and executive management, IWC's subcontractors, and government entities relative to CIAPP matters.

  4. Provide technical consultation, guidance, and assistance to management and systems' users, and support CIAPP software systems by providing controls, processes, and procedures.

  5. Establish, direct, coordinate, and maintain a Disaster Recovery/Contingency Program for IWC that will mitigate systems and information losses and ensure the successful recovery of the system and information with minimal impact on IWC.

  6. Act as lead for the technical evaluation and testing of hardware, firmware, and software for impact on the security of the systems; direct and ensure their modification if requirements are not met; authorize their purchase and use within IWC, and approve them when in conformance.

  7. Develop or direct the development of original techniques, procedures, and utilities for conducting CIAPP risk assessments; schedule and conduct CIAPP risk assessments and report results to management.

  8. Direct and/or lead others in conducting technical CIAPP countermeasure surveys to support CIAPP requirements and report findings.

  9. Direct and administer InfoSec tests and evaluations programs to ensure that the applicable systems are operating in accordance with CIAPP requirements.

  10. Provide technical consultation and assistance in identifying, evaluating, and documenting use of systems and other related equipment to ensure compliance with communications requirements.

  11. Investigate methods and procedures related to the CIAPP aspects of microcomputers, local area networks, mainframes, and their associated connectivity and communications.

  12. Identify and participate in evaluation of microcomputer and local-area network CIAPP implementations, including antivirus and disaster recovery/contingency planning functions.

  13. Perform development and maintenance activities on CIAPP-related databases.

  14. Recommend and obtain approval for procedural changes to effect CIAPP implementations with emphasis on least-cost/minimum risk.

  15. Lead and direct InfoSec personnel in the conduct of systems CIAPP audits.

  16. Participate in the development and promulgation of CIAPP information for general awareness.

  17. Perform other functions as assigned by the InfoSec Manager.

Position requires being assigned to perform duties in a combination of the following areas:

  • Supervisor, Project Leader—Provide assistance, advice, and guidance, and act as technical specialist relative to all InfoSec technical functions.

Qualifications: This classification normally requires a bachelor's degree in an InfoSec-related profession and a minimum of 10 years of CIAPP-related experience.

Recruiting InfoSec Professionals

Once the ISSO had gotten both the InfoSec organizational structure and the InfoSec job family functional descriptions approved, the next task was to begin recruiting and hiring qualified InfoSec professionals.

Hold it! Not so fast! The ISSO must first determine the following:

  • How many InfoSec professionals are needed?

  • What functions will they perform?

  • How many are needed in each function?

  • How many are needed in what pay code?

  • How many should be recruited for the off-site location?

  • Does the off-site location or main plant have the highest priority?

The ISSO must plan for the gradual hiring of personnel to meet the CIAPP and InfoSec organizational needs based on a prioritized listing of functions. Obviously, a mixture of personnel should be considered. One or two high-level personnel should be hired to begin establishing the basic CIAPP and InfoSec processes. Personnel who meet the qualifications of a System Security Engineer should be hired immediately. At least two should be hired. One would be the project lead to begin the process of establishing the formal functions of one of the InfoSec subordinate organizations while the other would do the same for the other InfoSec organization. At the same time, the access control function positions should be filled as they represent the key CIAPP mechanism of access control.

Functions such as risk management, noncompliance inquiry, and the awareness program could come later. The rationale used by the ISSO for this decision was that CIAPP policies had not yet been established, so there was nothing on which to base noncompliance inquiries or an awareness program. The next position to be filled, after the two System Security Engineers and the access control personnel, was the position of the emergency planning, disaster recovery planning, and contingency planning specialist.

The ISSO reasoned that while access controls were being tightened up and analyzed, the engineers were beginning to build the process for each function, with much of the access control process development being done with the assistance of the access control administrators. In the event of a disaster, the systems must be up and operational in as short a time period as possible. This is crucial to the well-being of IWC.

Unfortunately, the type of individual the ISSO would ideally want to employ is not usually readily available. In addition, IWC's policy is one of "promote from within" whenever possible. So, although a more qualified individual may be available from outside IWC, the ISSO may have to transfer a less qualified individual currently employed within IWC, because that person does meet the minimum requirements for the position—at least as interpreted by the Human Resources personnel.

The ISSO soon began to realize that compromise and coordination were a must if there was to be even a slight chance of succeeding in building the IWC CIAPP. Based on a self-evaluation, the ISSO decided to find as many people as possible within IWC who were willing to transfer and who met the minimum requirements for a CIAPP position. The ISSO soon learned why the job descriptions approved through the Human Resources Department include words such as "normally" and "equivalent." The ISSO naively thought that those words would assist in bringing in InfoSec professionals. It never entered the ISSO's mind that others could also use the position descriptions to help recruit personnel—some who just barely would meet the minimum requirements!

For the ISSO who is quickly trying to build a CIAPP and InfoSec organization, the compromises on staff selection may help or they may hurt. In either case, it is important to quickly begin the hiring process.

Identifying In-House InfoSec Candidates

Those individuals within IWC organizations who have been providing access control as either a full or part-time position for their department's local area networks (LAN) may be good access control candidates.

The IT Department may also be a place to "recruit" (make personnel aware of the positions available) InfoSec candidates. The Audit and InfoSec organizations may also provide a place to find InfoSec candidates.

A word of caution to the ISSO: Most managers do not take kindly to recruiting of their employees, as it means they will be short-handed until they can find replacements. In addition, the ISSO should beware of individuals whom the managers recommend. These may just be the people that the manager has been trying to find some way to get rid of for some time!

The ISSO has enough problems building a CIAPP, establishing and managing an InfoSec organization, handling the day-to-day CIAPP problems, attending endless meetings, trying to hire a professional CIAPP staff, and having to transfer personnel who don't meet the ISSO's expectations, without then being saddled with an employee recommended by another manager who turns out to be a "difficult" employee.

A difficult employee will occupy more of the ISSO's time than three other staff members combined. It seemed that the IWC IT Department has a penchant for this. So, beware of geeks bearing gifts!

Identifying Outside InfoSec Candidates

There are many sources that can be used to recruit talented InfoSec professionals, many limited only by imagination and budget (especially budget!). Regardless of how or where you recruit, the recruitment must be coordinated with the Human Resources staff.

In order to recruit InfoSec personnel, the Controller must validate and approve (on another form, of course) that there is budget set aside for the InfoSec organization to hire staff.

Then once that hurdle is jumped, the Human Resources personnel must validate that you have completed the necessary form describing the position you want to hire against, the minimum qualifications, and the pay range for that position. Luckily, all the ISSO has to do in this case is basically transcribe the general position description onto the new Human Resources form used for recruiting candidates and advertising the positions.

Just as the IWC ISSO thought that the door was now flung wide open to recruit InfoSec professionals, one of the Human Resources personnel walked up to the ISSO and mentioned how boring the Human Resources job was, and that it would be nice to transfer to another, more exciting organization—and the InfoSec job seems to be a very exciting one. Experience? Well, of course the person is proficient in using a computer! Another often-found problem is the manager or staff member who has a cousin just graduating from college who would be perfect for the InfoSec position.

The ISSO soon began to realize that building and managing an outstanding, state-of-the-art CIAPP and an InfoSec organization staffed by talented InfoSec professionals might become more of a dream than a reality.

Once the ISSO was able to fend off these and similar charges, the recruitment effort within and outside IWC could start in earnest! Among the ways to recruit InfoSec professionals are through:

  • Local advertisement in trade journals, newspapers, etc.;

  • Hiring a consulting firm to find the right people;

  • Passing the word among colleagues;

  • Asking InfoSec associations to pass the word; and

  • Using the Internet to advertise the position.

With a few InfoSec personnel on board, the ISSO could begin to work on the CIAPP and also begin work on developing the baseline processes and functions with the InfoSec organization.

[7]Cyril Northcote Parkinson (1909–1993), British political scientist, historian, and writer. Parkinson's Law (1958), as quoted in Microsoft's Encarta World.

[8]Since each corporation has a somewhat different forms bureaucracy, no attempt will be made here to complete any forms. Those readers who have to make any changes in an organization can appreciate the maze the ISSO must now go through.

[9]The ISSO decided that the priority of CIAPP was the TCI systems and information at their facilities. The sticky problem of dealing with non-TCI CIAPP issues, such as subcontractors and customers, would have to wait. The ISSO reasoned that if TCI had a successful, professional program, it would be easier to gain the cooperation of the outside corporations.

[10]Because of its off-site location, this position requires CIAPP functions to be performed which are similar to or the same as most functions noted for the entire CIAPP organization.




The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204