The Rookie Chief Information Security Officer
SEC 402 Cyber Security
The Essential Body of Knowledge
As a matter of record, it is widely known that information security is critical to all organizations, both to protect their data and to continue operating. Information security is defined “as the protection of information, the system, and hardware that use, store and transmit that information.” Information security performs four important jobs for an organization: it protects the organization’s ability to continue operations, enables the safe operation of applications implemented on the organization’s IT systems, protects the data the organization collects, stores, shares, and utilizes, and safeguards the technology assets in use at the organization. Every information security plan implemented within an organization involves challenges and risks.
The Information Security Officer (ISO) role is defined as “the person who provides the vision and strategies necessary to ensure the confidentiality, integrity, and availability of electronic information by communicating risk to senior administration, creating and maintaining enforceable policies and supporting processes, and ensuring compliance with regulatory requirements.” (Techopedia, n.d.).
ISOs play a vital role in protecting an organization by establishing and enforcing security policies, because an information security breach can result in disruption to the business, loss of confidential or commercially sensitive data, and financial loss. Security breaches take a number of forms, including attacks by cyber-criminals, virus attacks, and attempts by unauthorized parties, inside and outside the company, to obtain passwords or personal data.
Because a data breach will eventually occur, the majority of organizations today have designated a department, the so-called ISO, within the company to govern the agency’s compliance with information security requirements. Each organization must annually verify, through its director, that it complies with all state policies governing information technology, security and risk management.
Information security programs have essentially five goals within the team’s workflow:
- To safeguard the critical data and processing assets of an organization.
- To govern the weaknesses inside the data processing framework.
- To educate the staff about information security and privacy.
- To perform security classifications and risk analysis.
- To safeguard critical records and data, requiring information to be protected in terms of its requirements for availability, integrity, and confidentiality.
Role: Information Security Officer
By maintaining direct responsibility for this analysis and review, the ISO has enabled the review to be accepted and a working relationship to be built on a functional basis, rather than reorganizing the department.
The Information Security Officer is expected to display a complete understanding of the organization’s programs, its business requirements, and the activities of the roles within the organization. The ISO team must continue to evolve with technology to ensure appropriate security controls within the organization. The ISO is the frontline defense that identifies and thwarts potential threats; the frontline has the important role of identifying potential security risks to the organization and must be able to evaluate and recommend appropriate security measures. A comprehensive strategic analysis gives a well-informed organizational management a clear understanding of the risks and the ability to mitigate and reduce them.
Role: Management and communication skills
Security personnel interact with people on a daily basis, whether giving directions, interviewing, or simply reporting an incident to management. “Effective communication is essential and the basis of the development of the organizational management, communication both verbally and written must be properly understood for effective functionality of the organization.” (Techopedia, n.d.).
Role: Technical competence
The ISO team is required to have a general knowledge of the technical competencies and issues of the business in order to lead the organization. Without proper technical security knowledge, it may prove difficult to earn the respect of the organization.
Role: The Structure of Reporting for the Security Organization: CISO, Security Engineering, CIO, CICO, IT Security Engineer, IT Security Compliance Officer, Security Governance & Reporting, Information Security Project Team, Security Operations, and CyberOps
Based on the expected scope and breadth of service the IT unit is to provide, information technology leaders emerge as central in the organization’s structure. The centralized IT organizational structure defines the requirements of the primary organization. The appropriate balance of centralized versus decentralized pools of staffing and budget resources is directly related to the expectations of the organization.
Role: Security Compliance Officer
The security compliance officer’s responsibility is to guarantee stable operation of the existing computer systems, network connections and servers in conformity with the company’s internal operations, techniques and compliance requirements. The security compliance officer’s duties also involve administering scheduled audits of internal systems on a regular basis and organizing third-party audits as necessary in order to retain certifications and compliance certificates.
Organization chart to reflect the FEPOC
Role: Security Manager
A security manager’s responsibilities consist of operations that heighten security in an organization or company. Many of a security manager’s duties relate to evaluating and applying security for parts of an IT setup: systems, material warehouses and more.
Role: Chief Information Officer and Chief Information Security Officer
A chief information officer (CIO) is the corporate administrator in control of Information Technology (IT) policy and execution. In addition to supervising all the hardware, software and information that help other members of the C-suite do their work successfully, the CIO should investigate current technologies, strategize how technology can produce business advantage, and address the threats connected with digital data.
The CISO (chief information security officer) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure that information assets and technologies are adequately protected. The CISO may also work alongside the CIO to procure cyber security products and services and to organize disaster recovery and business continuity plans.
Role: Information Systems Security Engineer
An information systems security engineer (ISSE) is a person who is accountable for uncovering and meeting systems security needs. An ISSE “generally describes system defense requirements, creates system protection architecture, invents an elaborate security design, applies said security system, and evaluates the data security effectiveness.”
Request for Proposal (RFP) Plan
Anatomy of an RFP: Definitions
The introduction describes the organization and the purpose of the RFP, stating what the service provider has to do for the central part of the organization. Its importance is that it enables individuals to think outside the box: many solutions are available to meet the requirement, and if web professionals understand the problem better than what the people have in mind, they can suggest solutions not yet discussed.
Essential points of an RFP
You can pinpoint the essential sections you need to incorporate in your RFP by answering each of the following questions:
- Why? Why does the organization need or desire this work to be done (purpose)?
- Who? Company description.
- What? Objective of the project.
- How? Contract.
- IT procurement.
- Award criteria for the contract.
- Preferred process timeframe and deadlines.
- People to notify.
- Background knowledge of data: Provide a short summary of your company and its performance, using data, client demographics, and a study of the culture of the people, their attitudes and aspirations. Provide genuine feedback expressing the strengths and weaknesses truthfully. Do not forget to incorporate important information on the individuals who will become the voice of the organization and handle future correspondence.
- Scope of work: Identify the particular responsibilities to be executed by the contributor and the anticipated outcomes. Incorporate a comprehensive listing of responsibilities, especially when sub-contractors are involved.
- Outcome and implementation guidelines: Identify the end-result targets, the minimum production standards anticipated from the contractor, the techniques for observing performance, and the process for applying corrective actions. Provide an inventory of all materials, records, and strategies that will be delivered to your company and present a delivery schedule.
- Term of contract: Identify the length, establish a start date and end date for the contract, and state the option for renewal.
- Payments, incentives, and penalties: Record all the terms of settlement for satisfactory production. Underline the basis for incentives for superior production and sanctions for insufficient production or lack of compliance.
- Contractual terms and conditions: Attach common contracting forms, official documents, and pledges. You may incorporate requirements particular to this specific contract.
- Prerequisites for proposal production: A consistent build in terms of content, data, and record types simplifies things for the individual assessing the proposals.
- Assessment and award: Lay down the techniques and standards used for assessing proposals and for producing the final contract award.
- Process schedule: Distinctly and briefly present the timeline for the steps leading to the ultimate decision, such as the dates for submitting the letter of intent, forwarding questions, attending the pre-proposal conference, and submitting the proposal.
- Points of contact for future correspondence: Incorporate a full list of individuals to contact for information on the RFP, or with any other questions. Include their name, title, responsibilities, and the various ways of contacting them in this list.
(Sections 1.1–1.16: ComplianceCrossing.com, 2018.)
Enterprise Information Security Compliance Program
Physical Security Plan
The physical security plan is a clear written plan providing for the proper and economical use of personnel and equipment to prevent or reduce loss or damage from theft, misuse, espionage, sabotage, and other criminal or disruptive activities.
The purpose of the physical security plan is to provide guidance, assign responsibility, and set minimum standards for the security of property and personnel. The physical security officer must first determine the types and the extent of protection required on the post.
Develop a risk management plan
Risk management is the process of identifying risk, assessing it, and reducing it to an acceptable level. It is an essential management function and is critical for any agency to successfully implement and maintain an acceptable level of security.
References
ComplianceCrossing.com. (2018). Security Compliance Jobs Description | ComplianceCrossing.com. Retrieved from https://www.compliancecrossing.com/job-description/4500/Security-Compliance-Jobs/
A Guide to Writing a Request for Proposal. (n.d.). Retrieved from https://www.werc.org/assets/1/assetmanager/rfpwritingguide.pdf
PressBooks. (n.d.). 11.2 Risk Management Process – Project Management for Instructional Designers. Retrieved from https://pm4id.org/chapter/11-2-risk-management-process/
Rouse, M. (2013, December 4). What is CISO (chief information security officer)? – Definition from WhatIs.com. Retrieved from https://searchsecurity.techtarget.com/definition/CISO-chief-information-security-officer
Rouse, M. (2015, May 25). CIO (Chief Information Officer). Retrieved from https://itss.untsystem.edu/sites/default/files/unt_system_information_security_users_guide_2014.pdf
Techopedia. (n.d.). What is a Security Manager? – Definition from Techopedia. Retrieved from https://www.techopedia.com/definition/3954/security-manager
Webopedia Staff. (n.d.). ISSE – Information Systems Security Engineer. Retrieved from https://www.webopedia.com/TERM/I/information_systems_security_engineer.html
Shoemaker, D., & Conklin, W. A. (2012). Cybersecurity: The Essential Body of Knowledge. Boston: Cengage Learning.