Friday 2 June 2017

Information Security Program Management and Your Business

The management of an information security program is a significant project for a business owner or manager, and will not happen of its own accord. When you plan the project, be clear about both where you stand today (which assets, controls and risks you actually have) and what you want to achieve. By far the best results are gained by implementing and managing security as a coherent overall program, rather than adding occasional unrelated countermeasures (such as a firewall) on an ad hoc basis.

Information security program management is often viewed by managers as something that "just happens" of its own accord. Nothing could be further from the truth. In fact, it reaches into so many disparate business functions, and involves so many people, that it is arguably one of the most complex areas to manage successfully. Ideally, the Chief Information Security Officer (CISO) needs all of the following attributes:

• In-depth knowledge of specialized technology, such as firewall types, computer network configurations, and cryptographic algorithms, for the purposes of computer security.
• In-depth knowledge of recognized standards (such as ISO 27001) to a level which enables the CISO to implement the standards in full for a given organization.
• Experience of writing customized policies and procedures for a given organization, based on the CISO's experience of industry best practice.
• Knowledge of relevant legislation and industry regulations, and how to comply with them, together with experience of liaising with the company's legal department.
• Familiarity with methods of workplace training and awareness-raising, plus experience of liaison with the HR department concerning contractual clauses.
• A working knowledge of human psychology as applied to workplace behavior and computer security.
• Experience of conducting IT audits and liaising with external auditors and consultants.
• Experience of managing an information security team (for larger organizations).
• Experience of managing a significant budget and liaising with vendors.

This is a demanding set of requirements, and few people perform equally well on all of them. Just as clearly, information security reaches into every part of even a large organization, which makes the information security manager's job more challenging than most other managerial roles.

However, help is available from several sources. Chief among them is the ISO 27001 standard, which specifies the requirements for establishing, implementing, operating, monitoring and continually improving an information security management system (ISMS). Its companion standard, ISO 27002, is a code of practice that gives implementation guidance for the security controls an ISMS draws on; together they represent the distillation of best practice in this area. Note that an organization is certified against ISO 27001 only (ISO 27002 is guidance rather than a certification standard), and working towards that certification will go a long way towards easing the burden of information security program management. In addition, help and advice can be obtained from professional networking events with one's peers in the same town or city, as they will be affected by exactly the same local conditions. Finally, reading relevant periodicals can help to provide insight into commonly encountered problems.
