2.4.2 ROLES AND RESPONSIBILITIES OF SENIOR MANAGEMENT AND BOARDS OF DIRECTORS
Information security governance requires strategic direction and impetus. It requires assignment of responsibility for information security management, as well as a means for the board to determine that its intent has been met.
Board of Directors
Members of the board need to be aware of the organization's information assets and their criticality to ongoing business operations. This can be accomplished by periodically providing the board with the high-level results of comprehensive risk assessments, business impact analysis and business dependency assessments.
Senior management endorsement of intrinsic security requirements provides the basis for ensuring that security expectations are met at all levels of the enterprise.
Penalties for noncompliance must be defined, communicated and enforced from the board level down.
The board has the responsibility of ensuring that the organization follows the law, behaves in an ethical manner and makes effective use of its resources.
IMPLEMENTING EFFECTIVE SECURITY GOVERNANCE
Defining the strategic security objectives of an organization is a complex task. It must have leadership and ongoing support from executive management to succeed.
Developing an effective information security
integration with and cooperation of business process owners
activities in support of business objectives.
The extent to which this is achieved and processes determine the cost-effectiveness of the information security program in achieving the desired objective of providing a predictable, defined level of assurance for business information and an acceptable level of impact from adverse events.
Information Security Standards Committee
To ensure that all stakeholders impacted by security considerations are involved, many organizations use a steering committee comprised of senior representatives of affected groups. This facilitates achieving consensus on priorities and tradeoffs, serves as an effective communications channel and provides an ongoing basis for ensuring the alignment of the security program with business objectives. It can also be instrumental in achieving modification of behavior toward a culture more conducive to good security.
The chief information security officer (CISO) will primarily drive the information security program to have realistic policies, standards, procedures and processes that are implementable and auditable, and to achieve a balance of performance in relation to security.
The committee includes members from C-level executive management and senior managers from IT, business process owners, audit and legal.
The committee will deliberate on the suitability of recommended controls and good practices in the context of the organization, such as the secure configuration of operating systems (OSs).
Chief Information Security Officer
The responsibilities may be performed by the CIO, CTO, CFO or, in some cases, the CEO, even when there is an information security office or director in place. The scope and breadth of information security are such that the authority required and the responsibility taken will inevitably make it a senior officer or top management responsibility. Failure to recognize this and implement appropriate governance structures can result in senior management being unaware of this responsibility and the related liability.
IT Steering (Planning) Committee
The committee oversees the IT function and its activities, ensuring that the IT department is in harmony with the corporate mission and objectives.
A member of the board of directors who understands the risk and issues is responsible for IT and is chair of this committee.
The committee should include representatives from senior management, each line of business, corporate departments such as HR and finance, and the IT department. The committee's duties and responsibilities should be defined in a formal charter.
of the committee
policies, procedures and practices.
They should have the authority to make decisions within the group for their respective areas.
Reviewing the long- and short-range plans of the IT department to ensure that they align with the corporate objectives.
Reviewing and approving major acquisitions of hardware and software within the limits approved by the board of directors.
Approving and monitoring major projects and the status of IS plans and budgets, establishing priorities, approving standards and procedures, and monitoring overall IS performance.
Reviewing and approving sourcing strategies for select or all IS activities, including insourcing or outsourcing, and the globalization or offshoring of functions.
adequacy of resources and allocation of resources in terms of time, personnel and equipment.
decisions regarding centralization versus decentralization and assignment of responsibility.
development and implementation of an enterprise-wide information security management program.
Reporting to the board of directors on IS activities.