4/9/23, 9:11 PM Chapter 3 Defining the Security Management Organization | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/014-9781466551282-003.xhtml#sec35 1/53
3 Defining the Security Management Organization
Sow a thought, and you reap an act;
Sow an act, and you reap a habit;
Sow a habit, and you reap a character;
Sow a character, and you reap a destiny.
Samuel Smiles, 1812–1904
The role of the information security leader has been changing quite dramatically over the past few decades. Even as recently as 10 years ago, the position of chief information security officer was largely unheard of except in the largest banking institutions. Emerging laws and regulations have pushed the need for information security to the forefront of business, where it is seen as a strategic and tactical issue that requires an appropriate investment. The role of the information security officer has also received attention from multiple organizations providing awards for “Executive Security Officer of the Year” or “Chief Information Security Officer of the Year,” further providing visibility to the profession.
History of the Security Leadership Role Is Relevant
Prior to the start of the new millennium, information security departments were buried deep within the information technology (IT) departments, typically within an infrastructure team or operations area focused on the deployment of servers, networks, and applications. The primary focus was on what was known as security administration, or in today’s nomenclature, identity management or access management. The primary functions involved (1) setting up accounts, (2) providing access to resources after proper approval was obtained, and (3) monitoring. The scope was primarily centered on ensuring that users were provisioned the access needed to perform their jobs when they needed it. This is not to say that other functions were not provided; however, the predominant focus was on logon ID administration.
Disaster recovery was typically thought of as a data center operation and not well coordinated with the concept of business continuity, whereby the organization recognizes the complete process that is required to maintain operations in the event of a disaster. Disaster recovery terminology has been largely associated with bringing the organization’s computing resources back to an operational level to conduct business. More importantly, disaster recovery was typically managed outside of the information security department, and while it was seen as important by those performing the function, it was usually seen as an added cost that was one of the first to be trimmed back during staff reductions. Business leaders reasoned that if nothing had happened in the last several years, it was unlikely to happen, and the resources could be redeployed to work on revenue-producing or cost-reducing efforts. This sentiment shifted in the new millennium after the tragic terrorist attack at the World Trade Center in New York City on September 11, 2001, and the damage caused by Hurricane Katrina in August 2005. Audit firms were very busy following these events constructing business continuity and disaster recovery plans.
Several regulations pushed in the same direction. The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule (February 2003) requires that responsibility for information security be assigned. Section 404 of the Sarbanes–Oxley Act of 2002 (SOX) brought attention to the need for information security controls to ensure accurate financial statements. The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, through its Safeguards Rule required that at least one employee be designated as having responsibility for information security. The Federal Information Security Management Act of 2002 (FISMA), also known as the E-Government Act of 2002, does not specifically require that a security officer be named; however, it does require that National Institute of Standards and Technology (NIST) guidance be used, which promotes the designation of an information security leader role in Special Publication 800-12, “An Introduction to Computer Security: A NIST Handbook,” and Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations.” Each of these regulations has an underlying theme: someone must be designated to manage the information security program.
These actions were deliberate in the laws, as it was clear that organizations were not providing the proper investment in information security or designating someone to the role. The impact of these changes in the law is very significant, as it was the real beginning of organizations committing the resources necessary to secure their information assets. Without this legislation, it is doubtful that organizations below the Fortune 100 would have designated someone at a high enough level to make a significant impact in properly securing the resources. The net result of the regulations was to squarely send a message to financial, healthcare, publicly listed, government, and contracting organizations that information security was important and that the commitment to the function needed to be evidenced by an individual charged with the responsibility for the organization’s security. None of these regulations made mention of the time commitment (i.e., full or part time) that would be required, which permits scalability with the size of the organization; however, the commitment needed to be appropriate to the size and resources available to the organization. In other words, a large organization with $50 billion in annual revenues having one person dedicated to information security would be judged woefully insufficient when stacked up against its peers, whereas another organization with 50 employees may be judged adequate in designating part of one person’s job as being responsible for leading the information security efforts.
The period from 2001 to 2005 was predominantly characterized by organizations scurrying to meet the demands of SOX, HIPAA, GLBA, and so forth ahead of the compliance mandates, which were typically two years out. Security assessments or gap analyses were the norm, as many organizations were unclear as to where they stood with respect to the broad spectrum of information security and with respect to the new legislation. Large- and medium-tier audit firms were extremely busy during this period helping organizations to beef up security. The Payment Card Industry (PCI) Security Standards Council issued version 1.0 in 2006 and added more security requirements that had to be complied with in subsequent updates. The impact of these regulations was to bring an auditable focus to the security programs of these companies. As various audit and consulting organizations developed standardized approaches to assess the security posture of the organization, these services would be increasingly utilized by security officers as one of “the first steps in office” to understand the challenges that were before them.
The New Security Officer Mandate
So why is the past decade of information security so important with respect to the emergence of the information security officer? The importance lies in the recognition that the security officer position, as we know it today, is in its infancy. With the data processing profession being very young itself, dating to the 1950s and becoming more mainstream in the 1960s for back-office-type operations, the leader of information security today has, for most organizations, been in place for less than a decade. Factoring in that prior to the year 2000 many IT organizations spent the years leading up to Y2K engaged in retiring old, nonconforming applications and upgrading the infrastructure, the focus on security was not prevalent until the early years of the new millennium with the passage of the aforementioned laws and regulations. Considering that these laws passed in the 2002 to 2003 timeframe, with mandates for compliance extending two years, most organizations had established information security leadership roles by 2004–2005, midway into the new decade. Relatively speaking, 5 to 10 years puts the information security officer role as we know it today low on the maturity curve. This means that the industry is continually shaping and defining what the role is, how the individual should operate, in what capacity and at what level the role should be placed, to whom the role should report, how the individual relates to the rest of the organization, and the roles of others in participating in the protection of the information assets.
Although this ambiguity may be unnerving to some, it can be invigorating to others who are shaping the information security industry. The following sections contain the components that need to be considered to construct an effective security management organization. Security organizations will vary across organizations due to the resources available and the specific needs of the organization. However, each of the functions indicated needs to be managed by someone within the organization; otherwise this presents an information security management risk that may be unacceptable to the organization. Regulations will continue to increase and competitors will continue to get smarter about information security, and failure to keep up will leave the company at a disadvantage.
Day 1: Hey, I Got the Job!
Congratulations, Mr. or Ms. Security Officer, you now have the job. This may be welcome news or not, depending upon whether you (1) chose this career path and interviewed extensively for the position, (2) raised your hand at the wrong time during the meeting, (3) didn’t attend the selection meeting, or (4) were the last guy in the IT shop and now “you’re it!” Hopefully, the honor of being the security officer was something that was chosen and aligns with a passion to protect the information assets for the customers of your company.
Leading information security today is hard work, surrounded by audits that seem to come one right after another, the continual threat of the impact breaches will have on the reputation of the company, separating the hype from the reality of information security products, and the increasing pressure to do more with fewer resources. Whereas information security departments of the past were primarily internally focused on ensuring that only the right users had access to the information, today’s external connectivity has given rise to an increased focus on protecting the perimeter, and the evaporating perimeter characterized by the mobile workforce, Internet connectivity, distributed company locations, and increased external threats. This does not suggest that the internal threats have dissipated, but rather that organizations must now deal with another set of problems that are added to the mix. One minute the security officer is in the hot seat trying to determine if the USB stick that was lost by Ashley contained personally identifiable information on it, the next minute is preparing a 15-minute presentation for the board of directors to explain the progress made toward attaining compliance with one of the many government regulations, and the next minute is developing an information security program for the end users aimed at minimizing the susceptibility of the end users to being “phished.” The security officer is then wondering what the next day, Tuesday, will bring.
The security officer must be astute enough to not get bogged down in the day-to-day issues or the crisis of the moment to the point that a long-term strategy is never laid out. Methods for achieving the long-term strategy were noted in the Developing Information Security Strategy chapter (Chapter 2). Time must be set aside daily, or at least once a week, to review the information security strategy and the progress made toward it. Senior management needs to have a comfort level that progress is being made toward increasing the security of the information assets to an acceptable level, which also serves to lessen the culpability in the event that a breach does occur. For example, if the executives are aware that patching is done on a regular basis on the company’s externally facing databases, monitoring through vulnerability scans is occurring, and the latest penetration tests found minimal problems, and the information was breached through the use of a very new exploit, management may be more forgiving given that industry-accepted practices were in place and procedures were regularly followed. If, on the other hand, there were no long-term strategy and no understanding or communication of the database protection processes in place, it may be difficult for the security officer to survive the breach.
Security Leader Titles
Mark Sanborn (2006), in his book You Don’t Need a Title to Be a Leader, says “People who lead—whether or not they have a title—strive to make things better.” Again, as evidence of a security leader profession in its earlier stages, the title of the person leading information security programs may be chief information security officer (CISO), chief security officer (CSO), security director, security manager, security practice leader, or other. A recent survey by PricewaterhouseCoopers indicated that 43% of consumer products/retail companies had someone in the role of CISO, whereas 83% of the financial services companies had someone in a similar position. A Computer Security Institute survey indicated that its respondents, primarily from the information security field, were composed of 23% holding the security officer title, 13% CISO, 12% systems administrator, 6% CSO, 8% CIO, 7% CEO, and a full 32% in the “other” category. This is representative of the security profession as a whole, where the CISO/CSO/Vice President title is often used in very large organizations, with the security director and manager or security administrator titles appearing in small- to medium-sized organizations.
The actual title is less important than the fact that there is someone designated to drive and lead the information security program to a level that did not exist previously and one that the executive management would be pleased with in terms of cost and benefit.
Techie versus Leader
Why would anyone want a job in the first place where a really bad day could be your last? Why would anyone sign up to deal with the plethora of government regulations, auditors, and users who have to comply with extra controls to get their work done? The answer is simple: security officer is a very cool and rewarding job and profession. No matter at what level of the organization the security officer is starting out, given the appropriate skills, experience, and relationships, the opportunities are endless.
In the not too distant past, people were moved into the role of information security leader due to their success as a technician. Maybe the individual was a firewall administrator, system administrator, network administrator, security administrator, or jack-of-all-trades. The individual was promoted to the role of information security officer because of his or her technical knowledge and because information security was primarily thought of as an IT function. Although the technical skills are still valued, they are not valued as much as the leadership skills necessary to hold the position in the long term.
Leadership skills separate the technical analyst from the effective information security leader who provides added value to the business. This is not an issue that is new to IT, as organizations have dealt with the promotion issue for years within IT organizations. Many organizations promoted individuals who were very successful in their technical jobs, understanding standards, applying solutions to problems, fighting fires, developing new technology products based on emerging technologies, and so forth, and not based on their leadership and people competency skills. These individuals, while technically sound, have to develop the competencies that they are missing, just as a new programming language must be learned. This is not to say that technical individuals are not successful in these roles, but rather that to be successful requires recognition that these additional competencies must now be developed in the role of the security officer.
Left-brain thinking is necessary to bring the logical and analytical competencies to technical projects and is much different from the right-brain competencies necessary to manage relationships and the feelings of individuals involved in projects. Selecting a security officer who is able to influence the organization to adopt secure practices, inspire a staff to go the extra mile, and maintain credibility within the organization over a long period of time requires a good look into the “soft skill” side of the individual. Granted, the security officer must understand the technology well enough to communicate with the technical staff and vendors, and to discern where the technologies will provide benefit to the business. As much as the technical security language is viewed as a baseline competency for security officers, the language of leadership must also be viewed as a baseline skill. Understanding the layers of TCP/IP is useful when designing security architectures, but has little relevance when trying to explain to the board of directors why continuing investments need to be made in the information security program.
The Security Leader’s Library
Just as the technical specialist has learned his trade through attending technical conferences and seminars and reading targeted technical books on the technology, so must the information security leader invest in books on leadership skills to continue the education in the skills that are important. Earlier in my career, I managed two groups totaling forty-five Database Modelers and Database Analysts, including seven technical project managers, for a major airline. During each monthly staff meeting, I created a 25-question multiple-choice quiz based upon one of the database development magazines at the time and offered a prize for answering 100% of the questions. I also challenged the team members to invest $1,000 of their own money annually on books and training materials. Some members took up the challenge; others disagreed that they should have to do this. This exercise and the suggestion that they invest their own money in their careers served two purposes: (1) since I had to write the questions, I had to understand the content as well, which increased my learning and also showed the team members that I was committed to their work, and (2) each person has a responsibility to invest in his or her education, whether or not it is employer sponsored. The commitment to learning about leadership principles must be just as strong for the information security officer as learning how to optimize SQL and database performance is for the database analyst.
Many books have been written on leadership skills over the years. Leadership books tend to be a favorite staple at airport newsstands, as business people seem to be on a constant search for answers to questions such as: What is leadership? What makes successful companies more successful than their competitors? Are leaders born or made? Is there a secret formula? The books are presented as short stories such as The Present (Johnson, 2003), providing parables on learning from the past, living in the present, and planning for the future; how-to books like The Effective Executive (Drucker, 2004), providing insights on managing knowledge workers from great leadership analysts such as the late management guru Peter Drucker; or the slicing and dicing of companies in the same industries to discern the differences, in books such as Good to Great. Alternatively, there are the abridged versions of leadership available through small paperbacks such as Tom Peters’ Leadership Essentials (2005) series, or books packed full of time-management-type tips such as Never Check E-Mail in the Morning (Morgenstern, 2004). Otto Kroeger and Janet M. Thuesen leverage individual personality differences in the work environment in psychology titles such as Type Talk at Work (1992). Of course, there is the staple leadership series by Stephen R. Covey on the Seven Habits of Highly Effective People (2004). Each of these books contributes in its own way to some facet of leadership, helping to recognize the leadership capacity of individuals and companies.
Security Leadership Defined
Definitions are useful to provide context and create a common language. Security leadership is about the application of the soft skill competencies to the business of information security. Many of the leadership books focus on the growth of organizations through product innovation, increasing market share, cost containment and reduction, engaging the workforce in the company’s vision, expanding services and markets, leveraging information technology, and developing appropriate strategies and action plans. Information security should be regarded as a business within a business, whereby the leadership strategies presented in the leadership literature are adopted to create a successful, sustaining, long-term business that supports the mission of the parent business. In other words, the information security department must lead in such a way that enables the core business function to depend upon its supporting services to meet the overall vision of the company. Effective security leadership blends the technical, business, and soft skill knowledge to support the business needs.
Security Leader Soft Skills
Security officers today find themselves interacting with many different levels across the organization, including the board of directors, C-suite, senior and middle management, peers, and end users. They are no longer communicating with just the IT staff and those frontline managers and end users needing logon IDs and access to systems. Security officers are being increasingly involved in determining strategy, engaging in new product releases, and providing input to solutions that reduce the bottom-line costs to the organization (e.g., outsourcing, offshoring, usage of personal mobile devices) without increasing risk beyond an acceptable level. The interaction with individuals from multiple levels and different disciplines in a team environment requires a new set of skills, primarily soft or nontechnical skills, to advance the security agenda. Figure 3.1, from a survey of 100 security leaders, shows the relative importance of the different skill areas (Fitzgerald and Krause, 2008). Notice that technical knowledge was not the most important, but rather skills such as oral and written communication, influence, teamwork, collaboration, and self-confidence were.
Figure 3.1 Security management competencies/skills. (Fitzgerald, T., and Krause, M., 2008, CISO Leadership: Essential Principles for Success, New York, Auerbach.)
Seven Competencies for Effective Security Leadership
There are seven key areas in which information security officers should honestly evaluate where they stand. Why seven? The reason is that the human mind has difficulty juggling more than seven things at once. Too many goals lead to frustration, confusion, hopelessness, and procrastination in starting any of them. Narrowing the focus to a number of key areas and developing an action plan to build upon the strengths and enhance the areas needing improvement will contribute greatly to a security leader’s career. When a technical security analyst is faced with a situation where something does not work, the approach is to go to the documentation and manuals, test, seek advice from colleagues, and try, try again until a solution is found. The same approach applies to enhancing leadership skills; it is an iterative process of trial and error, and of focus on the discipline of leadership. Stephen Covey’s landmark book, The Seven Habits of Highly Effective People (2004), first explored the value of providing a seven-step, easy-to-comprehend method to achieve greater results. These competencies are not the soft skills noted in the earlier section, but rather represent the higher-level application of the soft skills toward organizational effectiveness. In other words, once the soft skills have been developed, the security leader should be able to use that knowledge to achieve greater results by practicing the seven competencies. The seven competencies for effective security leadership are shown in Figure 3.2.
Figure 3.2 Seven competencies of effective security leadership.
1. Understand the Organizational Culture
Organizations establish a culture, or “the way things are done around here,” that is unique to the organization. Culture is created over time based upon the past and present leadership, history, geographic dispersion, collaborative versus hierarchical decision making, profitability, industry regulations, and each individual person within the organization. Every individual brings a unique set of values, background, experiences, and capabilities into the workplace every day; in other words, his or her own individual “culture.”
The effective security officer understands how the organization works, what is accepted and what is not. Do people normally bend the rules to get the job done? Does the organization reward taking chances for innovation, or does it view those activities as violating the prescribed rules? Does a strong individual in a position of formal authority make decisions unilaterally, or are consensus building and collaboration expected? Are individuals regularly working 60 to 70 hours a week with high energy and commitment, or is there stress and burnout evidenced by continuous turnover and new-hire recruiting? Are individuals recognized, or is there an effort to recognize the contributions of the entire team? Is customer service the key driver of the organization at all costs, or is the focus on engineering the best new product; in other words, where is the organization placing its investment dollars? Spending time to understand this focus will help the security officer position the programs effectively and learn how to get the deliverables accomplished.
2. Communicate Real Risk
The sky is falling! The sky is falling! Security is not either (1) in place or (2) not in place. As security professionals, we obviously desire to secure the environment through managerial, technical, and operational controls to the highest degree possible; however, there are degrees of protection between no security and absolute 100% security that are acceptable for the business. Executives are used to dealing with risk every single day. Business risk is accepted by underwriting new insurance policies, entering new markets, adding new services, outsourcing business lines, merging with or acquiring other companies, making technology investments, and so forth.
To be adept in communicating with the business executives about risk, the security officer must be able to capture meaningful metrics by which the value of security can be seen by the business. This is not an easy task, as it depends very much on first understanding what is important to the business. Companies mired in government regulations may want metrics related to the compliance efforts. In product- or service-focused companies it may be useful to relate the security metrics of availability and loss prevention to the individual product lines and services that are produced by the company, demonstrating the business value, or contribution, of security to the key products. Executives also want to know what their competitors are doing, with the goal being to match the security practices of the competitor. Why match? Matching ensures that the organization is spending enough on security while not spending an excessive amount. The only exception may be in an environment where security can be promoted as a competitive advantage to gain the trust of the consumer. In today’s environment, these competitive advantages for security appear to be evaporating and have become expected as the norm.
Lengthy, risk-analysis-by-the-pound documents should be a thing of the past. Although these analyses may be very detailed, thorough, and accurate in describing the risk, in practice these documents become shelfware and as such offer limited value. Qualitative approaches permit faster analysis and get the results in front of the executives in a form in which the issues can be discussed. Even if a detailed quantitative approach is the chosen method, the pragmatic security officer will reduce the voluminous data into clear, manageable, summarized proposals that relate the risk to the business product or service that will be impacted if the risk is not mitigated or reduced.
3. Engage Associates at All Organizational Levels
Security happens at all levels within the organization, from the board of directors to the end users, with middle management and front-line supervisors in between. The security officer must be visible, accessible, and approachable to all associates. The security awareness program provides an excellent opportunity for the security officer to develop relationships with all associates. Establishing these relationships is very important for the security officer to discern what is really going on within the organization, beyond the documented policies and procedures. When rapport is established, individuals are much more likely to seek out the security officer for security advice, to raise concerns, or to report security incidents.
Security councils with management representation from each of the primary business units, human resources, information technology, legal, compliance, risk management, internal audit, physical security, and so forth are effective tools for establishing buy-in for the policies developed. These councils also establish a linkage between the security department and the business through which business concerns and impediments to the business can be discussed. Security departments these days want to be viewed as enablers of the business; however, without a council, the department may still be viewed as the controller of getting the work done, or as "some techie department within information technology" that does not understand the business needs. Whether this is a fair representation depends upon the actions of the security department. An added advantage of the security council is that the mere existence of such a body promotes the perception that the security department is there to support the business.
4. Pay Attention to Technical Competence; It Is Still Needed
Understanding the business and developing business acumen is undoubtedly a key element of the security officer's success. Continuing to stay abreast of technology developments is also important, so that the security officer is aware of the technical capabilities that may benefit the business. The security leader must have a broad understanding of the technologies available, leaving the deep technical understanding to the information security analysts and other IT professionals. The security officer must be able to converse with business people in nontechnical terms and with information technology people in technical terms. With access to the Internet, free newsletters, webinars, and security conferences, there is no reason the security officer cannot dedicate one hour per day to maintaining the technical discipline.
This is different from the technical skills that were referred to earlier as being less important. The difference here is that the security officer is not engaging in the mastery of the technical skills, but rather is maintaining (1) a sufficient awareness of the technology that exists, and (2) the ability to obtain information through self-study and by leveraging the knowledge of the technical staff to provide strategic and tactical security direction in support of the company initiatives.
5. Be an Insider
Does it seem like you are the last one to know what is going on in the organization? Do you wait for the org chart to come out to see if you have a seat on the bus? Build internal relationships and support colleagues with their projects. They also need to know who you are and what value you bring to the organization. Organizations are designed to get work done to accomplish the organizational goal. Taking accountability for individual actions, delivering services when promised, and being a good team player who contributes to other individuals' projects as well as to the security initiatives builds trust within those relationships.
6. Set Realistic But Aggressive Goals
Goals need to be set around a vision, a strategy, and concrete action plans. These plans should span multiple years and be created with a realistic, but aggressive, mind-set. The first question should be, What does the business need from information security to be successful? Visions and strategies that are not connected to specific action plans with deliverables and discrete completion dates do not move the security program forward. Success also needs to be delivered within the first three to four months of a security officer's arrival to build confidence for future endeavors. It is better to miss a goal that was established than to never set one and use hope as a strategy. Action plans are essential to establishing accountability and responsibility and to ensuring that the appropriate resources are dedicated to security.
7. Collaborate and Network Outside of the Company
The security field is very complex and has many areas of specialization. Some individuals have focused their activities on security awareness, computer forensics, disaster recovery, physical security, access control across multiple platforms, identity management, remote access, vulnerability management, penetration testing, and the list goes on. One must also understand the vertical industry, how market share is achieved, competitor profiles, marketing strategies, product development, and the specific language of the business. It is unreasonable to expect that one individual has all they need to know about every one of these topics. There are many opportunities for networking through security conferences, participation in industry advisory groups, attending external business meetings with business partners, and establishing relationships with individuals met at the various forums. In today's e-mail, text messaging, Xbox–PlayStation-paced, "iPhone, iPad, Android, BlackBerry person at the click of a button" world, answers to questions from peers are invaluable. Many people are more than willing to share their expertise with someone who is passionate about their work. These collaborations reveal many other people who are struggling with the same issues. Collaboration is a two-way street, where deposits need to be made (sharing one's own expertise) before substantial withdrawals can be taken (obtaining expertise).
Security Functions
Learning from Leading Organizations
In an effort to understand what leading organizations were doing to meet the information security challenges, the General Accounting Office (GAO) studied several leading organizations in 1998 to determine what activities were performed by organizations that were leaders in information security. It found that five critical functions were consistently applied, as shown in Figure 3.3.
Figure 3.3 Security leadership, learning from leading organizations. (United States General Accounting Office. 1998. Executive guide: Information security management; Learning from leading organizations. http://www.gao.gov/archive/1998/ai98068.pdf)
Assess Risk and Determine Needs To many security practitioners, assessing the risk and determining needs would appear to be a logical, if not obvious, first step. However, how many times have we seen a knee-jerk reaction to implement a new policy or procedure, or to buy a technical product, without first understanding what the real business risk is to the organization? Assessing risk, which is covered in more detail in Chapter 5, weighs the cost of implementing the control against the losses that would be experienced by the organization if the risk is not mitigated. The analysis may bear out the fact that it is more costly to implement sufficient security controls than to accept the risk. For example, an organization sponsoring the annual auto show of new cars could perceive a potential threat from someone angry with a car manufacturer because of a bad personal experience (e.g., they may have purchased a "lemon" in the past or had a car's brakes malfunction at a critical time) who wants to retaliate against the car company by keying or vandalizing the display vehicle. The auto show could implement controls such as roped-off areas around the cars or requesting that each person deposit their keys in a container before approaching the car. Most of us would find either of these controls silly or unwarranted, as most people would be well behaved and not present a risk. Implementation of a control of this type would be unnecessary and would be viewed by many as an overreaction. Conversely, cars in the $100,000-and-up range will typically have their doors locked, as the exhibitors do not want to risk damage to the shifting mechanisms of the cars. People appear to understand why these vehicles have additional security controls. Cameras are also installed in the convention center, so any damage that did result would be detected rather than prevented.
The car example illustrates what can happen in organizations if the security department does not take into account the business needs of the operation and unilaterally implements security controls. The purpose of the risk assessment is to determine what the adequate level of controls needs to be. Organizations that best manage security view the risk assessment as a critical first step in the process.
Implement Policies and Controls Once the risk is determined, the appropriate policies, and the controls to support the policies, are implemented. Policies are specific to the organization, take into account the needs of the organization, and support the business operations. Controls are selected that match the risk profile of the organization and reduce the likelihood and impact of a security breach. In the car example, the implementation of cameras may be a sufficient control, while still permitting individuals to experience the auto show and sit in the vehicles they may be interested in. Policies that govern the implementation of cameras and salesperson monitoring of the customers need to be written to ensure that those individuals coordinating the show know what is expected of them. NIST has produced an excellent special publication for control selection in federal information systems, SP 800-53, titled "Recommended Security Controls for Federal Information Systems and Organizations." This reference contains control baselines for low-, moderate-, and high-impact systems and can be applied to nongovernment environments as well. ISO/IEC 27002, Security Techniques—Code of Practice for Information Security Management, is also an excellent resource for the types of control that should be implemented, albeit this framework does not go to the level of detail of NIST SP 800-53.
Traditionally, laws have not been very prescriptive in defining the information security controls needed, as this must be governed by the risk of the system, the technology that is available, scalability, and the resources that are available to the organization. Hence, the assessment of adequate controls is somewhat subjective and depends upon the exposure of the individual performing the assessment to different alternatives that have been successfully implemented in organizations of similar size with similar issues. Guidance is starting to emerge from the experiences within vertical industries to create best practices, good practices, essential practices, and so forth to deal with some of the issues. One organization may determine that it is willing to accept the risk to its smartphones by requiring that a password be set on the phone. Other organizations may view this control as insufficient and require by company policy that the password also be a strong password: eight characters, including at least one upper- and one lower-case character, along with at least one special character (@, &, $, %, etc.). Another organization may require even stronger controls: that the password be technically enforced, that the device be remotely wiped after three invalid attempts, and that the user attest to smartphone security training if a reset is required. Yet another organization may decide that Android or iPhone technology is not appropriate for business usage and not allow it, while another may encourage the use of non-company-owned devices and provide complete support with the addition of a third-party security product. The choices may seem endless for each decision that must be made, which further illustrates the importance of performing an adequate risk analysis and then implementing the appropriate controls to mitigate or reduce the risk to an acceptable level. Just as new risks are continually emerging, so are the methods with which to mitigate the risk.
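The three tiers of smartphone passcode control described above, modelled as data and enforced in code, as an added example; this is not code from the book nor the schema of any vendor's mobile device management product. The tier names, the set of characters counted as "special", and the Device class are assumptions made for the illustration; the rule values (eight characters, upper, lower, special; wipe after three invalid attempts) are the chapter's. It also makes the chapter's distinction concrete: the "strong" tier documents a rule, while only the "enforced" tier couples the rule to a lockout the device itself carries out.

```python
"""Added example: three tiers of smartphone passcode policy from the chapter,
expressed as data and enforced in code. Tier names, the SPECIAL set and the
Device class are assumptions for the illustration, not a vendor's MDM schema."""
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    min_length: int = 1
    require_upper: bool = False
    require_lower: bool = False
    require_special: bool = False
    wipe_after_failures: Optional[int] = None  # None: the rule is paper-only, no wipe


SPECIAL = set("@&$%!#*?-_")  # assumed set of "special" characters; the text lists @, &, $, %

# The three organizations in the text, weakest to strongest.
BASIC = PasscodePolicy("basic: any passcode")
STRONG = PasscodePolicy("strong: 8+ chars, upper, lower, special", 8, True, True, True)
ENFORCED = PasscodePolicy("enforced: strong + wipe after 3 failures", 8, True, True, True, 3)


def check_passcode(passcode: str, policy: PasscodePolicy) -> List[str]:
    """Return the rules the passcode violates; an empty list means compliant."""
    violations = []
    if len(passcode) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in passcode):
        violations.append("no upper-case character")
    if policy.require_lower and not any(c.islower() for c in passcode):
        violations.append("no lower-case character")
    if policy.require_special and not any(c in SPECIAL for c in passcode):
        violations.append("no special character")
    return violations


@dataclass
class Device:
    """A phone that counts failed unlocks so the wipe rule is technically enforced."""
    passcode: str
    policy: PasscodePolicy
    failures: int = 0
    wiped: bool = False

    def unlock(self, attempt: str) -> str:
        if self.wiped:
            return "wiped"
        # constant-time compare; a toy here, but the habit matters where the secret is short
        if hmac.compare_digest(attempt.encode(), self.passcode.encode()):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        limit = self.policy.wipe_after_failures
        if limit is not None and self.failures >= limit:
            self.wiped = True
            return "wiped"
        return "denied"


def enroll(passcode: str, policy: PasscodePolicy) -> Device:
    """Refuse to enroll a device whose passcode does not meet the policy it is bound to."""
    problems = check_passcode(passcode, policy)
    if problems:
        raise ValueError(f"passcode rejected by {policy.name}: " + "; ".join(problems))
    return Device(passcode, policy)


if __name__ == "__main__":
    print(check_passcode("1234", STRONG))              # four violations
    phone = enroll("Tr0ub4dor&3", ENFORCED)
    print([phone.unlock("guess") for _ in range(3)])  # denied, denied, wiped
```

Binding a device to BASIC or STRONG leaves unlock() answering "denied" indefinitely: the rule exists on paper, but nothing on the device enforces a consequence. That gap is what the third organization in the text closes by making the control technical rather than procedural.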
Promote Awareness Most people want to do the right thing in life; they just need to be aware of what the right thing is. If policies and controls are not properly communicated, this step becomes very difficult. Security departments often draft voluminous policy documents and then wonder why they are not being followed (techniques for increasing the success of security policy development are noted in Chapter 6). People cannot be held responsible for policies that they have not seen or do not understand. As much effort as went into determining the risk and deciding what controls were appropriate should also go into ensuring that the individuals responsible for executing the policies and procedures understand and are able to implement the controls. Otherwise, nice documents exist, but the security controls are not protecting the information assets as desired.
Monitor and Evaluate If everything worked well the first time around, monitoring would be unnecessary. Unfortunately, security controls may be effective at the time they are first implemented; however, due to changing circumstances, they must be re-evaluated periodically to remain effective. Threat levels may increase, technology changes, procedures are found to be implemented differently than designed, business requirements change, and so forth. Organizations may change: the person who once was very diligent in performing the control has now left, and the new person has not been executing the control as frequently or, worse yet, not at all. Or the policy changes such that all employees visiting an office other than their home office are considered visitors and must sign out at the end of the day. Without proper monitoring to ensure that the policy and control are being executed, it may never be discovered that employees were not made aware of the policy change and that it was not being practiced consistently. Monitoring would also discover whether all of the security guards themselves were appropriately notified of the change in policy.
Central Management Leading organizations also recognized that someone needed to be focused on ensuring that the aforementioned four activities were occurring. Organizations are busy, dynamic institutions that have many competing demands for expenditures and resources. Just as other parts of the organization need management to set direction and ensure that resources are being appropriately used to meet the mission of the business, management is also needed to focus on managing information security. While there will be components that may be decentralized, typically due to business unit or geographic differences, the overall security program should be unified to provide the sharing of practices across the multiple business units and locations.
This model, while appearing simple, can be a very powerful way to address information security management by guiding an information security program to perform the right activities. Every organization is constrained by the resources available to it, whether time, cost, materials, or labor. By starting with the risk assessment to determine the real needs, implementing the appropriate controls, communicating those controls, and following up to ensure that the controls are still adequate and properly implemented, the organization will continually enhance the security of the environment it operates within.
What Functions Should the Security Officer Be Responsible For?
If we accept the proposition that leading organizations address each of the five critical functions in the model previously described and depicted in Figure 3.4, then a useful approach would be to identify the related security activities that must be performed to achieve the due diligence suggested by the model. Organizations may have all of these functions reporting to the information security officer or may decide to segregate the functions between multiple departments, such as a chief security officer maintaining responsibility for policy development while an IT security manager retains responsibility for security violation monitoring. Before delving into the discussion of what functions should report where, let's describe the core security functions that must be addressed somewhere within the organization, as shown in Figure 3.4.
Figure 3.4 Security critical functions and related security activities.
Assessing Risk and Determining Needs Functions
The three security functions that support the assessing risk and determining needs activity in the model are risk assessment/analysis, systems security plan development, and external penetration testing. In other words, performing these three functions satisfies this activity within the model. These should be considered functions that need to be performed somewhere within the company. Larger organizations may have whole departments performing risk assessments, whereas smaller organizations may assign one person to complete the risk assessment and systems security plan development and may outsource external penetration testing. What is important is that someone performs each of these functions; otherwise an important component of information security will be missed and the controls chosen may not be sufficient to protect the information assets.
Risk Assessment/Analysis Risk assessment, also known as risk analysis, is the formal process of reviewing the threats facing the organization, the likelihood or probability that a vulnerability could be exploited, and the impact of the event should it occur. This is a key function of the information security department, and performing the risk assessment as accurately as possible is the key to ensuring that money is spent in the most productive manner to reduce the security risk. This is also one of the most difficult functions for the information security department to perform, as it can be very challenging to obtain information on what the real risk may be. At the end of the day, risk assessments are subjective in nature. For example, what is the risk that a newly drafted first-round National Football League quarterback will face a career-ending injury during the first 5 years after the draft? Or the likelihood that the quarterback will take the team to the Super Bowl within 5 years? Past statistics may be used; however, as noted in many investment recommendations, past performance does not guarantee future results. Sometimes it is very difficult to determine the risk of not having a particular security control in place. Organizations many times do not have the broad perspective to determine what the risk would be and will hire an external consultant to provide an assessment or gap analysis of the security controls. External consulting organizations, whether they are large Big Four accounting firms or smaller security firms, can bring the experience gained from multiple assessments at multiple clients into the organization. This is not to suggest that adequate risk analysis cannot be done solely by staff within the organization. However, to leverage the external experience from other organizations, this is one area where external firms are typically engaged as a first step. Once the organization has more experience performing risk assessments and has a clearer understanding of the threats, vulnerabilities, and controls in place, it may decide to perform the risk assessment solely in-house.
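The two halves of the risk assessment described above and in the Assess Risk and Determine Needs discussion earlier (threat likelihood and impact rated qualitatively, and the cost of a control weighed against the loss it prevents, with the auto show as the case) carried through in code, as an added example. This is not the book's method, nor Chapter 5's: the 1-to-5 scales, the rating thresholds, the annualized-loss formula (ALE = single loss expectancy × annual rate of occurrence, the usual textbook form, which the chapter does not itself spell out), and every figure in the register are constructed for the illustration. What it shows beyond the text is that one register can hold both kinds of entry, and that a qualitatively low-rated risk can still have a control that is plainly not worth buying, which is the kind of summarized proposal the executives need to see.

```python
"""Added example: a small risk register carrying a qualitative rating
(likelihood x impact, 1-5 scales) and, where numbers exist, an annualized loss
expectancy (ALE = single loss expectancy x annual rate of occurrence), then
asking the auto show question: does the control cost more than the loss it prevents?
Scales, thresholds and all figures are constructed for the illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    sle: Optional[float] = None   # single loss expectancy, currency units per incident
    aro: Optional[float] = None   # expected incidents per year

    def rating(self) -> str:
        """Qualitative band; the thresholds are an assumption, tune them to the organization."""
        score = self.likelihood * self.impact
        if score >= 15:
            return "high"
        if score >= 8:
            return "medium"
        return "low"

    def ale(self) -> Optional[float]:
        """Annualized loss expectancy, or None when the inputs are not known."""
        if self.sle is None or self.aro is None:
            return None
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    residual_aro: float           # incidents per year remaining after the control


def control_decision(risk: Risk, control: Control) -> Tuple[Optional[float], str]:
    """Net annual benefit of the control (ALE avoided minus its cost) and the verdict."""
    before = risk.ale()
    if before is None:
        return None, "insufficient data: rate qualitatively"
    after = risk.sle * control.residual_aro
    net = before - after - control.annual_cost
    if net > 0:
        return round(net, 2), "implement"
    return round(net, 2), "accept the risk: control costs more than it saves"


RATING_ORDER = {"high": 0, "medium": 1, "low": 2}


def executive_summary(register: List[Risk]) -> List[str]:
    """One line per risk, highest rating first, then largest ALE first."""
    ordered = sorted(register, key=lambda r: (RATING_ORDER[r.rating()], -(r.ale() or 0.0)))
    lines = []
    for r in ordered:
        ale = r.ale()
        ale_txt = f"ALE {ale:>9,.0f}" if ale is not None else "ALE       n/a"
        lines.append(f"{r.rating():<6} {ale_txt}  {r.name}")
    return lines


# Constructed register built around the chapter's auto show example.
KEYED = Risk("display car keyed by a visitor", likelihood=3, impact=2, sle=2_000, aro=0.5)
SHIFTER = Risk("gear shifter damaged in $100k+ display cars", 4, 4, sle=25_000, aro=0.4)
GRUDGE = Risk("retaliation by a buyer with a grudge", likelihood=2, impact=2)  # no numbers yet

ROPE_OFF = Control("rope off every car and collect visitors' keys", annual_cost=15_000, residual_aro=0.1)
LOCK_DOORS = Control("lock the doors of the high-value cars", annual_cost=500, residual_aro=0.05)

if __name__ == "__main__":
    for line in executive_summary([KEYED, SHIFTER, GRUDGE]):
        print(line)
    print(control_decision(KEYED, ROPE_OFF))      # overreaction: negative net benefit
    print(control_decision(SHIFTER, LOCK_DOORS))  # cheap control against a large loss
    print(control_decision(GRUDGE, ROPE_OFF))     # no numbers: stays qualitative
```

The register deliberately mixes entries with and without loss figures. Where the numbers exist, control_decision() gives the executive a yes-or-no with a currency figure attached; where they do not, it refuses to invent one and leaves the risk in the qualitative band, which is the honest answer the chapter's football example is making.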
Systems Security Plan Development The name "systems security plan" is somewhat misleading, as a systems security plan (SSP) is not really a plan at all but rather a document that provides a snapshot of the security controls at a point in time. The SSP contains the contact information for the system; documents the criticality/sensitivity level of the system; describes the business use of the system; defines the system boundaries and system interconnections; and describes the managerial, operational, and technical controls that are in place to protect the information assets contained within the system. Systems may be general support systems, which represent interconnected sets of information resources under the same direct management control that share common functionality, or they may be major applications, which are so designated because they require special attention due to the risk and magnitude of harm resulting from loss, misuse, or unauthorized access to or modification of information in the application. Developing an SSP is much more than just a documentation exercise, as the process of creating the plan brings clarity to the information system, its boundaries, and how it is protected. In medium to large organizations, a common answer when asking people about specifics of the computing environment or security controls is, "I don't know." The larger the organization and the more specialized the knowledge across knowledge workers (e.g., information security, midrange infrastructure, network, and application development), the more this type of response should be expected. Individuals in different areas know their piece of the puzzle and are not necessarily expected to know what is going on in the rest of the organization. For example, the firewall administrator on the network team may know what firewalls are in place, what ports are open, and what baselines are applied, but might not know how often the firewall logs are reviewed by the security network monitoring team reporting to the IT security operations manager, or what types of events are being monitored. So whether the organization views the development of the SSP as purely a documentation exercise, or as an opportunity to obtain clarity around the security controls, will determine its ultimate value to the risk assessment process.
External Penetration Testing External penetration testing provides some comfort, or discomfort, that the security controls intended to block external entry into the systems are functional and working as designed. These tests are typically performed at least annually, usually in conjunction with an overall risk assessment. Penetration testing is also typically done by an external organization, as most organizations do not have the resources available to keep up with the latest tools and attacks that may be used to gain unauthorized access from an external source. The value of external penetration tests is a subject for debate, as a test shows, at one point in time, the controls that a skilled attacker may be able to circumvent. Since organizations do not have the resources to spend to be 100% secure, it is likely, with the budgets of most security departments, that the attacker will find some way to infiltrate the organization. Technical means, using a step-by-step procedure to locate weaknesses by running footprinting and reconnaissance tools, as well as social engineering (e.g., pretending to be someone from the help desk to obtain information, or entering the building and plugging into an open LAN jack in a conference room), are both used to attempt entry. Odds are that the penetration test will reveal one or more vulnerabilities within the environment. Security managers are often required to have penetration testing performed at least once a year to meet a compliance regulation, or may use penetration testing as a method to raise visibility of security vulnerabilities in order to obtain more resources or funding to reduce the risk.
Implement Policies and Controls Functions
Security Policy Development Security policy development is covered extensively in another chapter, but suffice it to say that without a formal, documented information security policy, the organization has no assurance that there is a common set of rules or practices that can be depended upon. The information security policy is the most visible document that the information security department creates. The document is necessary to guide the actions of everyone with respect to information security and needs to be easily available to, and read by, everyone.
Security Architecture Security architecture provides the security research and technical review of information security products to ensure that the appropriate security tools are purchased to solve the right problems. There are different methods to protect the environment, such as deciding between one vulnerability scanner and another. One may have more robust reporting features, whereas the other may be more accurate, delivering fewer false positives and representing more value to the organization. Likewise, security architecture needs to be considered when purchasing products to ensure that they are compatible with the products already in use. An identity management system running on a Unix platform may not have interfaces to the Windows-based help desk ticketing system and may require custom coding to make the system operational. Alternatively, the product may come bundled with an internal ticketing system that is not as robust. The purchaser of the potential system would typically issue requests for proposals (RFPs); talk with industry analysts such as Gartner Group, Burton, or Forrester and perform independent research; have vendors provide presentations; and talk with existing customers of the product. The goal of security architecture is to define a set of compatible products and processes to support the security controls that are necessary to mitigate the risks discovered in the risk assessment.
Security Control Assessment
If the risk assessment is the brain of the security program, the security controls are the heart. Keeping the security controls flowing through the organizational veins on a continuous basis provides the protection needed. Security controls can be divided into three primary classifications—managerial, operational, and technical. Because the implementation of the security controls is core to the creation of a good security program, the controls are covered in detail in Chapters 8 through 10. Controls should be assessed on an annual basis at a minimum, and in practice are examined more often by internal and external auditors. A good practice is to review all controls annually and further test one-third of the controls each year. Processes and technologies rarely stay static year after year and should be tested when changed.
Identity and Access Management
Identity and access management is typically a department on its own due to the size of the staff required to administer the function and the focus being primarily operational in nature. This area ensures that logon IDs are created and that access is appropriately authorized by management and provisioned to the end user. Organizations that are more mature have embraced automation of the ID creation, whereby access is requested based upon a profile (a set of predefined accesses for a particular job function or role, versus an individual need) and is automatically provisioned. The benefit of this approach is the speed with which requests can be filled, as once the electronic approvals are received from the manager, the system performs the provisioning work. These products are still in their infancy, and applications typically require custom coding to provide the automation, which can be very expensive. These implementations can cost well into the millions, placing them out of reach for small- to medium-sized companies. Short of purchasing a product, simplified solutions using electronic forms and e-mail can be created at a relatively low cost to reduce the workflow time needed to manage access administration. This is the function that most people think of when they think of information security. Increasingly, this function is being challenged with finding ways to lower costs and perform the same work with fewer resources, as this area represents an operational, nonstrategic overhead cost to the business.
Business Continuity and Disaster Recovery
Business continuity provides the analysis as to whether the business can sustain operations in the event of a disaster, whereas disaster recovery is largely thought of as bringing the information technology resources back online in the event of a disaster. As seen in recent years, the world has no shortage of disasters, whether it is an East Coast power grid blackout, flooding in North Dakota, earthquakes in Japan, oil spills in the Gulf of Mexico, closing of European airports due to volcanic ash, or the collapse of a major bridge in Minnesota. Each disaster brings new attention to business continuity and disaster recovery practices. The business continuity and disaster recovery teams need to conduct tests each year to ensure that the computer systems can be brought up in a remote location. They also conduct mock tests with different departments to ensure their business continuity plans are still accurate, and also lead emergency crisis management teams, made up of senior management, to ensure that the organization can react to a crisis or unexpected event. For example, if there are blizzard conditions near the call center, should the call center close? Will call center employees be able to work from home and provide the same level of service? Should the work shift to another, geographically different location to handle the calls? How will people get to work if the offices remain open? Who makes the decision, and based upon what information? All of these questions would be answered by the business continuity and disaster recovery function. This function would also create business impact assessments (BIAs) to determine the amount of time the company could afford to be without the information. They would also, with business participation, prioritize the systems in the order they needed to be brought back online.
Each of these functions contributes toward defining the requisite controls to protect the information system. Due to the different skills required in each of the control areas, as well as the diverse interest areas, it is also likely in medium- to large-sized organizations that different individuals are performing each of these functions. For example, security policy development requires the ability to translate technical jargon into communications that the nontechnical end user can understand. Likewise, the business continuity and disaster recovery areas require the ability to work with management and understand where business needs may not be met in the event of a disaster, as well as to manage the technical ability to bring up the system operating environment and coordinate end user testing to ensure the functionality is present. Identity and access management requires the ability to be customer service oriented, manage multiple “gotta have it now” requests, and complete the access requests on a timely basis.
Promote Awareness Functions
The goal of promoting awareness is to ensure that the security policies and procedures are available to those beyond the information security department. Everyone in the organization should be able to locate them. A random test asking questions about the security policy across the organization would reveal how effective the communications are. Many organizations put much effort into the development of information security policies, only to see them not followed because of a lack of communication. Timely security incidents or current news items can be leveraged in a subtle way to highlight the existence of internal security policies.
End User Security Awareness Training
End users need to be able to do two basic things with respect to information security: (1) recognize when an incident occurs or what could cause an incident to occur, and (2) know where to report the incident when it does happen. The end users are the eyes and ears of information security and a crucial piece in ensuring that security is being administered. Security “awareness” is just that—not the in-depth technical understanding that a security analyst may need for their job, but rather an understanding of how they are to handle and protect information entrusted to them. This function ensures that this training is provided prior to any systems access, refreshed and administered at least annually, and supplemented with interim e-mails, newsletters, awareness campaigns, and so forth.
Intranet Site and Policy Publication
The security policies need to be readily accessible by all associates and contractors within the organization. The policies can be posted on the intranet site, or made available through policy management software that can track user acknowledgement that they have read, understood, and accepted the security policies. Providing the end users with a Google-type search engine is also very useful in delivering security policy content, enabling end users to quickly locate information.
Targeted Awareness
Delivering the information security message should not be limited to the training sessions and posting of the policies, as the message needs to be continually communicated at all levels. The security department should establish a formal communication plan, whereby different audiences are made aware of the information security requirements. Information can be distributed through a standing agenda item in the managers’ meetings or IT steering committees, or by attending a different departmental staff meeting each month to communicate plans and listen to their issues. Specific technical training should also be provided to those areas in need, such as the server engineer who needs to understand the security settings in Active Directory, or the network administrator who learns about the audit capabilities of the network firewalls and routers. Although all users can benefit from the generalized end-user security awareness training, others will need training adapted to their specific needs.
Monitor and Evaluate Functions
The following functions are excellent candidates for the creation of a security operations center (SOC) team within the information security department. This group provides the oversight for the other areas outside information security to ensure that security is given the appropriate attention. Separating the function provides stronger control through the separation of duties.
Security Baseline Configuration Review
Each computing platform should have a defined security baseline to limit exposure to exploits. The Defense Information Systems Agency (DISA) has developed a series of checklists known as Security Technical Implementation Guides (STIGs) that contain the security settings that should be in place to protect the environment. For example, parameters such as password lockout attempts, revision history, or which services should be enabled are set. The security department should ensure that the security configurations are reviewed and monitored on a frequent basis, preferably quarterly at a minimum.
Maintenance of the security baselines typically resides in the operational, infrastructure areas that are responsible for those platforms. It is important that baselines be developed for each platform and be reviewed frequently as new releases of the standards become available. Ensuring all of the following can be a time-consuming task: (1) baselines are developed for each operational platform (e.g., Windows, Unix, Mainframe, RACF, Oracle, SQL databases, virtualization servers, network devices, desktops), (2) baselines are kept up to date, (3) baselines are properly documented, (4) exceptions to the baselines are approved by management and documented, (5) baselines are tested prior to rolling out to production, (6) all devices are monitored and compared to the baseline, (7) a corrective action plan process exists to upgrade to the current baseline if necessary, and (8) quarterly reviews of compliance are conducted. The information security department is in the best position to provide leadership to ensure that the baselines are being kept up to date and applied to the devices within the environment.
The security department can coordinate weekly meetings with the operational areas to review compliance with the baselines and track the progress that is being made. The additional oversight increases the likelihood that security baselines will receive the proper attention. The security department can also play a role in ensuring that changes to the standards the baselines are built upon (i.e., DISA, Federal Desktop Core Configuration [FDCC]) are communicated to the operational areas in a timely manner.
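The comparison of devices against a baseline (items 4 and 6 above), as an added example that is not from the book: the baseline settings, device inventory, and exception register are all constructed for illustration and are not taken from any published STIG.

```python
from dataclasses import dataclass
from datetime import date

# Constructed baseline for a hypothetical Windows server platform. The
# setting names and required values are illustrative, not copied from a STIG.
# Each rule is (operator, required value).
BASELINE = {
    "password_lockout_attempts": ("<=", 5),   # lock out after at most 5 failures
    "password_history": (">=", 24),           # remember at least 24 old passwords
    "service:telnet": ("==", "disabled"),
    "service:remote_registry": ("==", "disabled"),
    "audit_logon_events": ("==", "success,failure"),
}


@dataclass(frozen=True)
class ApprovedException:
    """A documented, management-approved deviation from the baseline (item 4)."""
    device: str
    setting: str
    approved_by: str
    expires: date


def _satisfies(rule, actual):
    op, expected = rule
    if op == "==":
        return actual == expected
    if op == "<=":
        return actual <= expected
    if op == ">=":
        return actual >= expected
    raise ValueError(f"unknown operator {op!r}")


def check_device(name, settings, baseline, exceptions, today):
    """Compare one device's settings with the baseline (item 6).

    Returns three lists: 'deviations' (non-compliant with no valid exception),
    'excepted' (non-compliant but covered by an unexpired, approved exception)
    and 'missing' (setting never configured on the device at all).
    """
    active = {(e.device, e.setting) for e in exceptions if e.expires >= today}
    result = {"deviations": [], "excepted": [], "missing": []}
    for setting, rule in baseline.items():
        if setting not in settings:
            result["missing"].append(setting)
        elif _satisfies(rule, settings[setting]):
            continue
        elif (name, setting) in active:
            result["excepted"].append(setting)
        else:
            result["deviations"].append(setting)
    return result


def compliance_report(devices, baseline, exceptions, today):
    """Roll the per-device checks up into the input for the weekly review."""
    report = {}
    for name, settings in devices.items():
        r = check_device(name, settings, baseline, exceptions, today)
        r["compliant"] = not r["deviations"] and not r["missing"]
        report[name] = r
    return report


# Constructed device inventory, as a configuration collector might export it.
DEVICES = {
    "srv-app-01": {
        "password_lockout_attempts": 5, "password_history": 24,
        "service:telnet": "disabled", "service:remote_registry": "disabled",
        "audit_logon_events": "success,failure",
    },
    "srv-db-02": {
        "password_lockout_attempts": 10, "password_history": 24,
        "service:telnet": "disabled", "service:remote_registry": "enabled",
        "audit_logon_events": "success,failure",
    },
    "srv-legacy-03": {
        "password_lockout_attempts": 3, "password_history": 24,
        "service:telnet": "enabled", "service:remote_registry": "disabled",
        # audit_logon_events was never configured on this host
    },
}

# Constructed exception register: one current approval, one that has lapsed.
EXCEPTIONS = [
    ApprovedException("srv-legacy-03", "service:telnet", "IT Director", date(2025, 12, 31)),
    ApprovedException("srv-db-02", "service:remote_registry", "IT Director", date(2020, 1, 1)),
]


def sample_report(today=date(2025, 6, 1)):
    return compliance_report(DEVICES, BASELINE, EXCEPTIONS, today)


if __name__ == "__main__":
    for host, r in sample_report().items():
        print(host, "COMPLIANT" if r["compliant"] else "NON-COMPLIANT", r)
```

A lapsed exception counts as a deviation again, which is what turns the quarterly review into a check on the exception register as well as on the devices.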
Logging and Monitoring
An organization cannot be really sure what attempts are being made to exploit vulnerabilities to access information unless there is an active monitoring program in place. Some organizations do a great job of collecting logs; however, there is no formal log review process in place, and the logs are merely saved in the event an investigation is initiated. This can cause undesired events to go undetected, as detection then becomes dependent upon some other external stimulus to kick off an investigation. Log monitoring should be a daily event to be effective, even if only a subset of the information is reviewed (e.g., administrator privilege access).
Since log data can be voluminous, security departments will often use a security information and event management (SIEM) product to aggregate and correlate the log information, a reporting tool, or custom scripts to reduce the amount of data that must be reviewed. Logs are reviewed for external infiltration events and administrator access attempts, as well as for internal users and excessive login attempts. A threshold for the number of violations should be established, after which follow-up is required. Training can then be provided to the habitual user who is not following information security access policy. Due to the time-consuming effort of reviewing the logs, automation has a large payoff in this area. Many times the reports produced for the platforms are rudimentary and can be difficult to use unless some automation of the output is created to determine the exceptions.
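The kind of script the paragraph refers to, as an added example that is not from the book: it reduces a day's constructed sample log to the exceptions a reviewer must follow up on, applying an agreed failed-login threshold, separating habitual internal users (training candidates) from external sources, and pulling out every use of the privileged accounts. The log format, host names, user names, and addresses are all invented for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an invented key=value format. Real platforms
# each produce their own layout, which is why the chapter notes that some
# automation of the output is needed before the exceptions can be found.
SAMPLE_LOG = """\
2025-06-02T08:15:01 host=srv-app-01 user=jsmith event=LOGIN_FAIL src=10.1.2.3
2025-06-02T08:15:09 host=srv-app-01 user=jsmith event=LOGIN_FAIL src=10.1.2.3
2025-06-02T08:15:20 host=srv-app-01 user=jsmith event=LOGIN_OK src=10.1.2.3
2025-06-02T08:30:00 host=srv-db-02 user=dba_admin event=PRIV_USE src=10.1.5.7
2025-06-02T09:01:11 host=srv-web-01 user=root event=LOGIN_FAIL src=203.0.113.45
2025-06-02T09:01:12 host=srv-web-01 user=root event=LOGIN_FAIL src=203.0.113.45
2025-06-02T09:01:13 host=srv-web-01 user=root event=LOGIN_FAIL src=203.0.113.45
2025-06-02T09:01:14 host=srv-web-01 user=root event=LOGIN_FAIL src=203.0.113.45
2025-06-02T09:01:15 host=srv-web-01 user=root event=LOGIN_FAIL src=203.0.113.45
2025-06-02T09:01:16 host=srv-web-01 user=root event=LOGIN_FAIL src=203.0.113.45
2025-06-02T10:45:00 host=srv-app-01 user=mlee event=LOGIN_FAIL src=10.1.2.9
2025-06-02T10:45:05 host=srv-app-01 user=mlee event=LOGIN_FAIL src=10.1.2.9
2025-06-02T10:45:10 host=srv-app-01 user=mlee event=LOGIN_FAIL src=10.1.2.9
2025-06-02T10:45:15 host=srv-app-01 user=mlee event=LOGIN_FAIL src=10.1.2.9
2025-06-02T10:45:20 host=srv-app-01 user=mlee event=LOGIN_FAIL src=10.1.2.9
2025-06-02T10:46:00 host=srv-app-01 user=mlee event=LOGIN_OK src=10.1.2.9
"""

# Address space considered internal; everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Accounts whose every use is reviewed daily, per the chapter's example of
# reviewing administrator privilege access even when the full log is not.
PRIVILEGED_USERS = frozenset({"root", "dba_admin"})

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def is_internal(src):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def daily_review(log_text, fail_threshold=5, privileged_users=PRIVILEGED_USERS):
    """Reduce a day's log to the exceptions a reviewer must follow up on.

    fail_threshold is the agreed number of failed logins per user per day at
    or above which follow-up is required.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    failures = Counter()
    sources = defaultdict(set)
    external, privileged = [], []
    for r in records:
        user, src = r.get("user", "?"), r.get("src", "")
        if r.get("event") == "LOGIN_FAIL":
            failures[user] += 1
            sources[user].add(src)
        if not is_internal(src):
            external.append(r)
        if user in privileged_users:
            privileged.append(r)
    excessive = {u: n for u, n in failures.items() if n >= fail_threshold}
    # Habitual internal users are candidates for retraining; failures coming
    # only from outside point to an infiltration attempt, not a training issue.
    training = sorted(u for u in excessive if all(map(is_internal, sources[u])))
    return {
        "records_reviewed": len(records),
        "excessive_failures": excessive,
        "training_candidates": training,
        "external_events": external,
        "privileged_events": privileged,
    }


if __name__ == "__main__":
    summary = daily_review(SAMPLE_LOG)
    print("reviewed", summary["records_reviewed"], "records")
    print("follow-up on", summary["excessive_failures"])
    print("training candidates", summary["training_candidates"])
    print("external events", len(summary["external_events"]))
```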
Vulnerability Assessment
Vulnerability assessments are frequently confused with penetration testing, but they represent two different activities. Penetration testing is the practice of attempting to gain entry to the system, typically obtaining higher-level privileges, to demonstrate that the information assumed to be protected by the organization could be disclosed, modified, corrupted, or deleted by an unauthorized user outside of the organization. Vulnerability assessments, on the other hand, test for flaws in the system, mainly software and hardware, to determine where the exposures are that could potentially be exploited. The vulnerabilities are usually determined by running software tools (e.g., Tenable’s Nessus, nCircle’s IP360, Application Security’s DbProtect) against the computing platform. Individual identifiers are associated with each vulnerability for tracking and remediation purposes. The risk level is also reported by the tools so that those of the highest risk can be acted on immediately. Most tools also provide links to the patch or release level that should be applied to fix the issue.
The vulnerability scans should be run on a frequent basis, at least quarterly at a minimum. A good process is for information security to administer the scans and feed the high and medium risk items into a tracking document, such as an Access database or Excel spreadsheet, and establish owners and commitment dates for mitigation of the issues found in the scans. Weekly meetings to resolve the issues can be held, with the expectation that all issues are completed within 90 days of the scan; otherwise, justification and approval by a senior executive (e.g., the chief information officer [CIO]) is needed. There will always be some issues that the operational areas will not be able to complete within 90 days; however, these should be the exceptions, due to a lengthy resolution process or a major system implementation or upgrade that is preventing progress. For example, a vendor product may require a version of Java that is five versions back and contains known exploits, but the product is not scheduled for an update/new release until 6 months from now. The organization may decide to temporarily accept the risk until the new release is available.
Vulnerability scans are necessary to ensure that holes have not been inadvertently created within the computing infrastructure.
Internet Monitoring/Management of Managed Services
Companies that do not have the staff to provide 24/7 monitoring of the externally facing devices may consider the use of managed security services to provide the monitoring. These organizations can achieve economies of scale by monitoring multiple clients in different shifts. Outsourcing to an external company does not dismiss the need for internal staff to respond to the security incidents. It typically requires an on-call person on the company security team who will be able to respond if there is a critical threat. Service level agreements should be put in place as to the services that will be provided and the timeframes expected to respond to issues.
Incident Response
The ability to respond quickly to incidents depends largely on how well the process is thought out in advance. Valuable time can be lost during an incident if there is not a process in place, and the result may be following a very chaotic, unorganized process of determining what has happened, containing the security incident, and eradicating the damage that was caused. Mistakes can be made without a well-defined process. The security department’s role should be to facilitate the resolution of the incident to ensure that all of the right departments are engaged and the computer security incident response team (CSIRT) process defined by the organization is generally followed. Not all incidents will require the enactment of the CSIRT, so it should be understood under what conditions the team will be invoked. Other departments, such as the business owners, infrastructure teams (server, desktop), and network teams are also engaged, either as a responsible party or an informed party.
Forensic Investigations
Forensic investigations have not received much attention within information security departments and tend to receive little investment. If the number of investigations is low, outsourcing this function may be a viable alternative. The time required to build a level of forensic expertise can be very extensive. Performing this function in-house can also be risky if the evidence is to be presented in court, primarily because the opposing counsel will ask, “How many forensic investigations have you performed?” “What training have you had that ensures you have the sufficient level of knowledge?” or “Demonstrate that the appropriate chain of custody was followed completely throughout the process.” Still, this is valuable expertise to develop within the organization at a basic level, as the act of going through forensic investigations will highlight gaps in the current logging, monitoring, or configuration processes, as well as creating further learning opportunities for the information security staff.
Central Management Functions
Along with providing the general management of the information security program, the security department must also provide the following two functions to interface with the audit requirements and ensure that issues are formally tracked to closure.
Audit Liaison
The security controls may be audited frequently depending upon the type of industry in which the company is participating. The security area is well advised to have someone designated to coordinate these audits who understands information security controls. Although the internal audit department may lead the overall audit with the audit firm, they may not have the technical expertise to understand what is being requested, or the potential alternative, compensating, or mitigating controls within the environment that can be provided. Information security can provide the expertise and contribute to a smoother running audit, which is explained in more detail in Chapter 11.
Plan of Action and Milestones
Security deficiencies need to be tracked, and corresponding plans of action and milestones (POA&Ms) are developed to establish interim steps and dates for completion. Care should be taken in setting realistic dates, or these POA&Ms will be recorded as delayed. A formal approval process for the submission of evidence, to whom, and who will review and approve the items for closure should be established. The security operations center team would be an excellent organizational position to close company-generated issues. Issues surfaced by an external audit firm on behalf of another agency (e.g., government contractor-government agency relationship, Office of Inspector General, PCI Assessor) would need to be reviewed by the assessor and closed during the assessor’s process, which may be during the next onsite audit.
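A tracking document of the kind described in both the Vulnerability Assessment section (high and medium items, owners, 90-day commitment, executive risk acceptance) and this POA&M section (interim milestones, evidence-based closure approval), as an added example that is not from the book. The finding identifiers, owners, dates, and status names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Remediation window the chapter describes: close within 90 days of the scan
# or obtain senior executive justification and approval.
REMEDIATION_WINDOW = timedelta(days=90)
TRACKED_RISKS = ("high", "medium")


@dataclass
class Finding:
    finding_id: str                     # scanner/assessor identifier (constructed)
    description: str
    risk: str                           # "high", "medium" or "low"
    owner: str
    found_on: date                      # scan date or audit date
    # POA&M interim steps: (description, due date, completed)
    milestones: List[Tuple[str, date, bool]] = field(default_factory=list)
    # Closure requires submitted evidence *and* an approver.
    closed_on: Optional[date] = None
    closure_approved_by: Optional[str] = None
    # Temporary risk acceptance past the window, e.g. approved by the CIO.
    risk_accepted_by: Optional[str] = None
    risk_accepted_until: Optional[date] = None


def tracked(findings):
    """Only high and medium risk items go into the tracking document."""
    return [f for f in findings if f.risk in TRACKED_RISKS]


def status(f, today):
    if f.closed_on is not None:
        return "closed" if f.closure_approved_by else "pending_closure_review"
    if today <= f.found_on + REMEDIATION_WINDOW:
        return "open"
    if f.risk_accepted_by and f.risk_accepted_until and today <= f.risk_accepted_until:
        return "risk_accepted"
    return "overdue"


def delayed_milestones(f, today):
    """Interim steps whose due date has passed without completion."""
    return [desc for desc, due, done in f.milestones if not done and due < today]


def weekly_report(findings, today):
    """Group tracked findings by status for the weekly resolution meeting."""
    report = {"overdue": [], "open": [], "risk_accepted": [],
              "pending_closure_review": [], "closed": [], "delayed_milestones": {}}
    for f in tracked(findings):
        report[status(f, today)].append(f.finding_id)
        late = delayed_milestones(f, today)
        if late:
            report["delayed_milestones"][f.finding_id] = late
    return report


# Constructed findings from a hypothetical March scan plus one later item.
SAMPLE_FINDINGS = [
    Finding("V-001", "Unpatched web server", "high", "server team", date(2025, 3, 1),
            closed_on=date(2025, 4, 10), closure_approved_by="SOC"),
    Finding("V-002", "Database listener exposed", "high", "DBA team", date(2025, 3, 1),
            milestones=[("Fix in dev", date(2025, 4, 1), True),
                        ("Fix in prod", date(2025, 5, 15), False)]),
    Finding("V-003", "Vendor app needs old Java", "medium", "app team", date(2025, 3, 1),
            risk_accepted_by="CIO", risk_accepted_until=date(2025, 9, 1)),
    Finding("V-004", "Banner discloses version", "low", "server team", date(2025, 3, 1)),
    Finding("V-005", "Weak cipher suite", "medium", "network team", date(2025, 5, 20)),
    Finding("V-006", "Default SNMP community", "high", "network team", date(2025, 3, 1),
            closed_on=date(2025, 6, 10)),
]


def sample_report(today=date(2025, 6, 15)):
    return weekly_report(SAMPLE_FINDINGS, today)


if __name__ == "__main__":
    for bucket, items in sample_report().items():
        print(f"{bucket}: {items}")
```

An item with evidence submitted but no approver stays in pending_closure_review rather than closed, and an accepted risk falls back to overdue once its acceptance date passes, so neither can silently drop off the weekly list.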
Reporting Model
The security officer and the information security organization should report as high in the organization as possible to (1) maintain visibility of the importance of information security and (2) limit the distortion or inaccurate translation of messages that can occur in hierarchical, deep organizations. The higher up in the organization, the greater the ability to gain other senior management’s attention to security and the greater the capability to compete for the appropriate budget and resources. Where the information security officer reports in the organization has been the subject of debate for several years and depends upon the culture of the organization. There is no one best model that fits all organizations, but rather pros and cons associated with each placement choice. Whatever the chosen reporting model, there should be an individual chosen with the responsibility for ensuring information security at the enterprise-wide level to establish accountability for resolving security issues. The discussion in the next few sections should provide the perspective for making the appropriate choice for the target organization.
Business Relationships
Wherever the information security officer reports, it is imperative that he or she establishes credible and good working relationships with executive management, middle management, and the end users that will be following the security policy. Information gathered and acted upon by executive management is obtained through its daily interactions with many individuals, not just executive management. Winning its support may be the result of influencing a respected individual within the organization, possibly several management layers below the executive. Similarly, the relationship between the senior executives and the information security officer is important if the security strategies are to carry through to implementation. Establishing a track record of delivery and demonstrating the value of the protection to the business will build this relationship. If done properly, the security function becomes viewed as an enabler of the business versus a control point, which slows innovation, provides roadblocks to implementation, and represents an overhead cost function. Reporting to an executive that understands the need for information security and is willing to work to obtain funding is preferable.
Reporting to the CEO
Reporting directly to the CEO greatly reduces the message filtering of reporting further down the hierarchy and improves the communication, as well as demonstrating to the organization the importance of information security. Firms that have high security needs, such as credit card companies, technology companies, and companies whose revenue stream depends highly upon website purchases, such as eBay or Amazon, might utilize such a model. The downside to this model is that the CEO may be preoccupied with many other business issues and may not have the interest, time, or enough technical understanding to devote to information security issues.
Reporting to the Information Systems Department
In this model, the information security officer reports directly to the CIO, director of information systems, the vice president of systems, or whatever the title of the head of the IT department is. Most organizations are utilizing this relationship, as this was historically where the data security function was placed in many companies. This is due to the history of security being viewed as only an information technology problem, which it is not. The advantage of this model is that the individual to whom the security officer is reporting has the understanding of the technical issues and typically has the clout with senior management to make the desired changes. It is also beneficial because the information security officer and his department must spend a good deal of time interacting with the rest of the information systems department, which builds the appropriate awareness of project activities and issues and builds business relationships. The downside of the reporting structure is the conflict of interest. When the CIO must make decisions with respect to time to market, resource allocations, cost minimization, application usability, and project priorities, the ability exists to slight the information security function. The typical CIO’s goals are more oriented toward delivery of application products to support the business in a timely manner. If the perception is that implementation of the security controls may take more time or money, the security considerations may not be given equal weight. Reporting to a lower level within the CIO organization should be avoided, as noted earlier; the more levels between the CEO and the information security officer, the more challenges that must be overcome. Levels further down in the organization also have their own domains of expertise they are focusing on, such as computer operations, applications programming, or computing infrastructure.
Reporting to Corporate Security
Corporate security is focused on the physical security of the enterprise, and most often the individuals in this environment have backgrounds as former police officers or military, or were associated in some other manner with the criminal justice system. This alternative may appear logical; however, the individuals from these organizations come from two different backgrounds. Physical security is focused on criminal justice, protection, and investigation services, whereas information security professionals usually have different training in business and information technology. The language of these disciplines intersects in some areas but is vastly different in others. Another downside is that association with the physical security group may evoke a police-type mentality, making it difficult to build business relationships with business users. Establishing relationships with the end users increases their willingness to listen and comply with the security controls, as well as to provide knowledge to the security department of potential violations.
Reporting to the Administrative Services Department
The information security officer may report to the vice president of administrative services, which may also include the physical security, employee safety, and human resources departments. As in reporting to the CIO, there is only one level between the CEO and the information security department. The model may also be viewed as an enterprise function due to the association with the human resources department. It is attractive because of the focus on security for all forms of information (paper, oral, electronic) versus residing in the technology department, where the focus may tend to be more on electronic information. The downside is that the leaders of this area may be limited in their knowledge of information technology and the ability to communicate with the CEO on technical issues.
Reporting to the Insurance and Risk Management Department
Information-intensive organizations such as banks, stock brokerages, and research companies may benefit from this model. The chief risk officer is already concerned with the risks to the organization and the methods to control those risks through mitigation, acceptance, insurance, and so forth. The downside is that the risk officer may not be conversant in the information systems technology, and the strategic focus of this function may give less attention to day-to-day operational security projects.
Reporting to the Internal Audit Department
This reporting relationship can create a conflict of interest, as the internal audit department is responsible for evaluating the effectiveness and implementation of the organization’s control structure, including those of the information security department. It would be difficult for internal audit to provide an independent viewpoint if meeting the security department’s objectives is also viewed as part of its responsibility. The internal audit department may have adversarial relationships with other portions of the company due to the nature of its role (to uncover deficiencies in departmental processes), and through association the security department may develop similar relationships. It is advisable that the security department establish close working relationships with the internal audit department to facilitate the control environment. The internal audit manager most likely has a background in financial, operational, and general controls, and may have difficulty understanding the technical activities of the information security department. On the positive side, both areas are focused on improving the controls of the company. The internal audit department does have a preferable reporting relationship for audit issues through a dotted-line relationship with the company’s audit committee on the board of directors. It is advisable for the information security function to have a path to report security issues to the board of directors as well, either in conjunction with the internal audit department or through its own channel.
Reporting to the Legal Department
Attorneys are concerned with compliance with regulations, laws, and ethical standards, performing due diligence, and establishing policies and procedures that are consistent with many of the information security objectives. The company’s general counsel also typically has the respect or ear of the CEO. In regulated industries, this may be a very good fit. On the downside, due to the emphasis on compliance activities, the information security department may end up performing more compliance-checking activities (versus security consulting and support), which are typically the domain of internal audit. An advantage is that the distance between the CEO and the information security officer is one level.
Determining the Best Fit
As indicated earlier, each organization must weigh the pros and cons of each of these types of relationships and develop the appropriate relationship based upon the company culture, type of industry, and what will provide the greatest benefit to the company. Conflicts of interest should be minimized, visibility increased, funding appropriately allocated, and communication effective when the optimal reporting relationship is decided for the placement of the information security department.
Suggested Reading
1. National Institute of Standards and Technology (NIST). August 2009. Special Publication 800-53 Rev3: Recommended security controls for federal information systems and organizations. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
2. Fitzgerald, T., and Krause, M. 2008. CISO leadership: Essential principles for success. Boca Raton, FL: Auerbach.
3. United States General Accounting Office. 1998. Executive guide: Information security management; Learning from leading organizations. http://www.gao.gov/archive/1998/ai98068.pdf
4. Information Security Executive of the Year Awards. http://www.iseprograms.com/
5. SC Magazine. Chief Security Officer of the Year Award. http://www.scmagazineus.com
6. Sanborn, M. 2006. You don’t need a title to be a leader: How anyone, anywhere, can make a positive difference. New York: Crown Business.
7. Drucker, P. F. 2004. The effective executive. New York: Collins.
8. Johnson, S. 2003. The present: The gift that makes you happier and more successful at work and in life, today! New York: Doubleday.
9. Covey, S. 2004. The 7 habits of highly effective people (Rev. ed.). New York: Free Press.
10. Peters, T. 2005. Tom Peters essentials series (Leadership). New York: DK Publishing.
11. Collins, J. 2001. Good to great: Why some companies make the leap and others don’t. New York: HarperBusiness.
12. Morgenstern, J. 2004. Never check e-mail in the morning. New York: Simon & Schuster.
13. Kroeger, O., and Thuesen, J. M. 1992. Type talk at work: How the 16 personality types determine your success on the job. New York: Delacorte Press.