In the software development industry, information security is best initiated from the top down.
Security Professionals and the Organization
It takes a wide range of professionals to support a diverse information security program. This article
describes the typical information security responsibilities of the various
professional roles in an organization.
The senior technology officer is typically the Chief
Information Officer (CIO), although other titles such as vice president
of information, VP of information technology, or VP of systems may be used.
The CIO is mainly responsible for advising the chief executive officer,
president, or company owner on the strategic planning that affects the
management of information in the organization. The CIO translates the
strategic plans of the organization as a whole into a strategic information
management plan for the information systems or data processing division of the
organization. Once this is accomplished, the CIO works with junior managers to
develop tactical and operational plans for the different departments and to
enable planning and management of the systems that support the organization.
The Chief Information Security Officer (CISO)
has primary responsibility for the assessment, management, and implementation
of information security in the organization. The CISO may also be referred to
as the IT security manager, the security administrator, or a similar title.
The CISO usually reports directly to the CIO, although in larger organizations
it is not uncommon for one or more layers of management to exist between the
two. However, the recommendations of the CISO to the CIO should be given equal,
if not greater, priority than other technology and information-related
proposals. The placement of the CISO and the supporting security staff in the
organizational hierarchy is the subject of ongoing debate across the
industry.
Information Security Project Team
The information security project team should consist of a
number of individuals who are experienced in one or more of the
required technical and nontechnical areas of the software development industry. Many of the same skills needed to
manage and implement security are also needed to design it. Members of the
security project team fill the following roles:
Champion: A senior executive who promotes the project and ensures its
support, both financial and administrative, at the highest levels of the
organization.
Team Leader: A project manager, who may be a departmental line manager or
staff unit manager, who understands project management, personnel management,
and the technical requirements of information security.
Security Policy Developers: People who understand the
organizational culture, existing policies, and requirements for developing and
implementing successful policies.
Risk Assessment Specialists: People who understand financial risk
assessment techniques, the value of organizational assets, and the security
methods to be used.
Security Professionals: Dedicated, trained, and well-educated specialists in all
aspects of information security from both a technical and nontechnical
standpoint.
Systems Administrators: People with the primary responsibility for administering the
systems that house the information used by the organization.
End Users: Those whom the new system will most directly affect. Ideally,
a selection of users from various departments, levels, and degrees of technical
knowledge assists the team in focusing on realistic controls,
applied in ways that do not disrupt the essential business activities they seek
to safeguard.
Data Responsibilities
The three data-related roles and their respective
responsibilities are outlined below:
1. Data Owners:
Those responsible for
the security and use of a particular set of information. They are usually
members of senior management and may include the CIO. Data owners usually
determine the level of data classification (discussed later), as well as the
changes to that classification required by organizational change. Data
owners work with subordinate managers to oversee the day-to-day administration
of the data.
2. Data Custodians: Working
directly with data owners, data custodians are responsible for the storage,
maintenance, and protection of the information. Depending on the size of the
organization, this may be a dedicated position, such as the CISO, or it may be
an additional responsibility of a systems administrator or other technology
manager. The duties of a data custodian often include overseeing data storage
and backups, implementing the specific procedures laid out in the
security policies and plans, and reporting to the data owner.
3. Data Users: End users who work with the
information to perform their assigned roles supporting the mission of the
organization. Everyone in the organization is responsible for the security of
data, so data users are included here as individuals with an information
security role.
Conclusion: Information security
is best initiated from the top down. Senior management is the key component and
the vital force behind a successful implementation of an information security
program. Administrative support is also essential to developing and
executing specific security policies and procedures, and technical expertise is,
of course, essential to implementing the details of the information security
program.