2.4.2 ROLES AND RESPONSIBILITIES OF SENIOR MANAGEMENT AND BOARDS OF DIRECTORS
Information security governance requires strategic direction and impetus. It requires commitment, resources and assignment of responsibility for information security management, as well as a means for the board to determine that its intent has been met.
Board of Directors
Members of the board need to be aware of the organization's information assets and their criticality to ongoing business operations. This can be accomplished by periodically providing the board with the high-level results of COMPREHENSIVE RISK ASSESSMENTS and BUSINESS IMPACT ANALYSIS (BIA), and by BUSINESS DEPENDENCY ASSESSMENTS of information resources.
Senior management endorsement of intrinsic security requirements provides the basis for ensuring that security expectations are met at all levels of the enterprise. Penalties for noncompliance must be defined, communicated and enforced from the board level down.
The board also carries the responsibility of ensuring that the organization follows the laws, behaves in an ethical manner and makes effective use of its resources.
Senior Management
IMPLEMENTING EFFECTIVE SECURITY GOVERNANCE and DEFINING STRATEGIC SECURITY OBJECTIVES of an organization is a complex task that must have leadership and ongoing support from executive management to succeed.
Developing an effective information security strategy requires integration with and cooperation of business process owners, and alignment of information security activities in support of business objectives. The extent to which this is achieved will determine the cost-effectiveness of the information security program in achieving the desired objective of providing a predictable, defined level of assurance for business information and an acceptable level of impact from adverse events.
Information Security Standards Committee
To ensure that all stakeholders impacted by security considerations are involved, many organizations use a steering committee comprised of senior representatives of affected groups. This facilitates achieving consensus on priorities and tradeoffs, serves as an effective communications channel and provides an ongoing basis for ensuring the ALIGNMENT of the SECURITY PROGRAMS WITH BUSINESS OBJECTIVES. It can also be instrumental in achieving modification of behavior toward a culture more conducive to good security.
The chief information security officer (CISO) will primarily drive the information security program to have realistic policies, standards, procedures and processes that are implementable and auditable, and to achieve a balance of performance in relation to security.
The ISSC includes members from C-level executive management and senior managers from IT, application owners, business process owners, operations, HR, audit and legal. The committee will deliberate on the suitability of recommended controls and good practices in the context of the organization, including the secure configuration of operating systems (OSs).
Chief Information Security Officer
The responsibilities may be performed by the CIO, CTO, CFO or, in some cases, the CEO, even when there is an information security office or director in place. The scope and breadth of information security is such that the authority required and the responsibility taken will inevitably make it a senior officer or top management responsibility. Failure to recognize this and to implement appropriate governance structures can result in senior management being unaware of this responsibility and the related liability.
IT Steering (Planning) Committee
The committee exists to oversee the IT function and its activities, ensuring that the IT department is in harmony with the corporate mission and objectives.
Structure
A member of the board of directors who understands the risk and issues is responsible for IT and is chair of this committee. The committee should include representatives from senior management, each line of business, corporate departments such as HR and finance, and the IT department. The committee's duties and responsibilities should be defined in a formal charter. Members of the committee should know the IT department's policies, procedures and practices. They should have the authority to make decisions within the group for their respective areas.
Primary functions
• Reviewing the long- and short-range plans of the IT department to ensure that they align with the corporate objectives.
• Reviewing and approving major acquisitions of hardware and software within the limits approved by the board of directors.
• Approving and monitoring major projects and the status of IS plans and budgets, establishing priorities, approving standards and procedures, and monitoring overall IS performance.
• Reviewing and approving sourcing strategies for select or all IS activities, including insourcing or outsourcing, and the globalization or offshoring of functions.
• Reviewing adequacy of resources and allocation of resources in terms of time, personnel and equipment.
• Making decisions regarding centralization versus decentralization and assignment of responsibility.
• Supporting development and implementation of an enterprise-wide INFORMATION SECURITY MANAGEMENT PROGRAM.
• Reporting to the board of directors on IS activities.