
A security program is the set of activities an organization carries out to manage information security on an ongoing basis.
It requires the support of executive management so that the decisions made within the program carry authority and funding.
The program should be owned by a forum or committee chaired by a security officer and staffed with management-level representatives from essential functions such as Human Resources, IT, Legal, and Compliance. This ensures that security decisions are accepted across the business and do not affect the organization in a detrimental way.

This forum or committee does this by evaluating security metrics. Metrics let the organization assess the effectiveness of the policies, procedures, and standards it has put in place and identify the deficiencies a given decision could introduce. Once a decision is made, the organization can prioritize activities and begin implementation.
There are several goals that are addressed in a security program such as operational goals, tactical goals, and strategic goals.
Operational goals focus on day-to-day activities.
Tactical goals are mid-term: the key infrastructure and processes that put the security program in place.
Strategic goals are about long-term directions and objectives.
Every organization faces different challenges and is subject to different laws that determine what "secure" means for it. Know your business! What is the network architecture? Is it cloud-based? Is it a small subset of systems? What information are you protecting?
Let’s talk about the roles and responsibilities that can be found in your organization.

CEO – The Chief Executive Officer oversees the company’s finances, strategic planning, and operations.
CFO – Chief Financial Officer is responsible for the company’s financial activities and financial structure.
CIO – The Chief Information Officer reports to the CEO or CFO and is responsible for strategic use and management of information systems.
CPO – The Chief Privacy Officer is usually an attorney. The CPO is responsible for ensuring that customer, company, and employee data is kept private and handled in line with privacy obligations.
CSO – The Chief Security Officer is responsible for understanding company risks and how to mitigate these risks to an acceptable level.
CISO – The Chief Information Security Officer is focused specifically on the security of the organization's information and technology.
ISSM – The Information System Security Manager is responsible for information security management and operations.
Legal counsel – Identifies legal, regulatory, and contractual compliance requirements.
Head of Human Resources – Implements and manages information security training and awareness, and applies security controls to recruitment, termination, and disciplinary processes.
Head of Real Estate – Manages physical security such as access control to buildings, protection against fire, electrical maintenance, etc.
Head of IT – Manages the technical measures and solutions that support daily operations.
Help Desk – Manages services to users.
Public Relations Officer – Manages the impact on the company's reputation and communication with external stakeholders.
Internal Auditor – Validates security controls and compliance.
Document Manager – Manages all stages of the document life cycle.
Next post we will talk about compliance.