We are in an era where security and compliance have made it to the forefront of corporate board room discussions. It is now one of the key topics on the agenda. Are we protecting our corporate and personal data? Are we meeting both corporate and regulatory requirements as they relate to data privacy (HIPAA, GLBA, SOX, PCI DSS)?
With these questions hovering over corporate leaders, there has been an overwhelming push to ensure that security positions are filled in order to meet compliance requirements. Over the past 10+ years the roles of CSO, CISO, Director of Security, Analyst, Engineer/Technical, IT Compliance Leader and Administrator have emerged. But what have not been very clearly defined are the roles and responsibilities of these positions, and the need for their unique skill sets. Larger companies have the luxury of finding highly skilled people to fill these individual jobs (it comes down to dollars), while mid-sized to small companies try to find people who have all the skill sets wrapped up in one. Ahh…. The bearer of many hats, filling positions that are uniquely different. By finding that one person who has all these credentials you limit yourself on the expertise needed in specific roles. Jack of all trades and master of none is a dangerous mix in the security world. I fully understand that in today’s economy more businesses are looking to cut back and consolidate. This is not an area where we want to get too frugal. In the end, you may be paying a bigger ticket if you are compromised.
There are regulatory requirements that audit the roles and responsibilities of your security staff. Due to conflict of interest issues, you may not be able to have the person enforcing security policies/procedures be the same person administering and monitoring those standards. Combining the roles makes it much too easy for your environment to be compromised internally (collusion). Each business needs to review its own requirements.
What you need to do is find out what your business drivers for security are. These drivers can be a combination of corporate and regulatory requirements. If you are a business that accepts credit cards but at low volume, then you may fall into Level 4 merchant as it relates to PCI DSS requirements for security controls. So, do you really need many levels of security staff for your business? Probably not. You will not get hit with the same auditing control requirements as a Merchant Level 1 service provider. You need to assess your business first, and determine what is required based on risk/probability/severity/lost revenue if your data were compromised. And again, the business drivers enforcing security for your establishment will help to make these determinations. Many businesses have run a BIA (Business Impact Analysis) study to help determine the level of risk to their data.
I have picked a few key security roles and listed their responsibilities to help if you decide you need to fill security roles for your business. These responsibilities will need to be tailored based on your type of business, but it’s a good starting point for you to work from.
Key security roles and their corresponding responsibilities:
CSO (Chief Security Officer) / Director of Security
Communicate with senior management about security risks and the current state of security of the business.
Develop and implement a strategic business security plan that is aligned with enterprise-wide security initiatives.
Support Legal, Compliance and HR in developing and implementing processes relating to privacy and the protection and use of PII, employee and business data.
Interpret corporate/compliance security policies, procedures, guidelines and best practices to understand how they apply to the specific business.
Develop, maintain and communicate business-specific policies, procedures and guidelines.
Ensure that security reviews and tests are conducted at recommended points within the tollgate process.
Verify that security is part of the change control process for all systems and applications.
Define secure operational processes and monitor compliance.
Support security operations such as secure account management, secure data access, etc.
Advise on the implementation of secure network architectures and the configuration of network devices.
Monitor security compliance of networks, servers, and applications.
Ensure client PCs are secure and contain correct versions of anti-virus software and any other recommended security tools.
Provide security awareness within the business.
Ensure that the evaluation, testing, and implementation of security technologies meet business needs.
Develop, implement and track a security integration plan for acquisitions that is in compliance with company guidelines.
Develop, implement and track a security separation plan for divestitures that is in compliance with company guidelines.
Review and approve security for all network interfaces to other companies (i.e., third-party connections).
Review and approve appropriate security controls for outsourcing agreements.
CISO (Chief Information Security Officer) / Technical Manager
The CISO/Information Security Technical Leader will assume primary responsibility for the technical aspect of all security-related activities at the direction of the CSO, including, but not limited to, those detailed below.
Work with the advanced technology team to research, design, prototype, and potentially implement company information protection initiatives to meet security objectives.
Provide leadership to multiple teams with a diversity of functions and attendant skills.
Be responsible for the development and maintenance of the Enterprise Information Security Architecture, tools, and associated technical procedures to ensure systemic protection of business information.
Be responsible for ensuring that the organization's data systems and databases are secure through the development and implementation of information security architecture and standards.
Coordinate security architectural principles with the Enterprise-Wide Technology Architecture team.
Develop and maintain a security architectural framework in coordination with technology and business partners.
Develop, refine, or modify technical security standards as necessary to implement technical security controls.
Assess the technology infrastructure and collaborate with the infrastructure group to design a scalable and secure infrastructure.
Participate in complex designs of technology solutions to ensure information security architectural principles, standards, and requirements are incorporated in the design.
Assess divisional and local security needs.
Evaluate emerging threats and recommend preventative measures that will mitigate the threat to the
Source: http://sourcing3.com/blog/information-security-titles-%E2%80%9Cout-of-control%E2%80%9D/