Developing the Corporate
Strategy for Information Security

Jason M Sanders

Strayer University

SEC 402 Cyber Security

The success and growth of a technology company require a corporate strategy
for information security. The purpose of this paper is to define the specific
information technology security roles that will optimize the organization's data
assets as part of developing that information security strategy.

The Chief Information Security Officer (CISO) is responsible for many functions
within an organization. The Department of Homeland Security (DHS) IT Security
Essential Body of Knowledge (EBK) describes the CISO as the senior-level
executive within an organization responsible for establishing and maintaining
the enterprise's strategy and programs to ensure that information assets are
adequately protected (DHS, 2007). The CISO directs staff in identifying,
developing, implementing and maintaining processes across the organization to
reduce information and information technology (IT) risks, respond to incidents,
establish appropriate standards and controls, and direct the establishment and
implementation of policies and procedures (Conklin & McLeod, 2009).

One key function of the CISO is breach responsibility: acting quickly and in the
best interest of the company in the event of a breach. This entails knowing when
the company has been breached, at what level the breach occurred, and whom the
communication about the breach must include. This function is executed as soon
as a breach is discovered, yet the preparation and planning for the inevitable
breach is part of the CISO's daily functions (Casey, 2006). A second key
function is that, as the company moves forward with new technology and
innovation, the CISO must ensure that the company's and its customers' data is
protected. This includes ensuring and directing that the security team's
objectives meet the company's risk tolerance. This function is executed whenever
the company plans new technology and innovation, and the direction and
management of the function continue through release as a daily function. A
third key function is the establishment and implementation of policies and
procedures. As an executive, the CISO must document and sign off on all reports
that exhibit the security controls in order to comply with Sarbanes-Oxley (SOX)
(Conklin & McLeod, 2009). This function is executed on a quarterly basis, or
whenever new policies and procedures are implemented.

The specific IT security competency areas that the CISO
manages are data security, digital forensics, enterprise continuity, incident
management, IT security training and awareness, physical and environmental
security, procurement, regulatory and standards compliance, risk management,
strategic management, and system and application security. (DHS, 2007)

One of the specific competencies that the CISO manages is digital forensics:
overseeing the building of the forensics team, the design of the security
response, and the policies that ensure the integrity of forensic investigations
(DHS, 2007). Another specific competency is the management and evaluation of IT
security training and awareness, which maintains the security posture from new
employees through employee refresher programs so that security does not fall by
the wayside (DHS, 2007). A third specific competency of the CISO is the
management and evaluation of enterprise continuity, which oversees how the
business will maintain one hundred percent uptime and ensures there is a plan in
case of a catastrophic event (DHS, 2007).

The Chief Information Officer (CIO) is responsible for several accountability
functions within an organization. The CIO is the IT leader of the organization,
chiefly concerned with organizational strategy but also responsible for all IT
functions, including security. According to the EBK guide, a key accountability
function of the CIO is to work with other members of the executive team to
identify how information technology can help the company achieve its business
and financial goals (DHS, 2007). Technology can streamline business processes,
increase employee productivity and improve the quality of customer service, for
example. The CIO develops a strategy to achieve those business goals and
recommends investments that will deliver measurable results (Conklin & McLeod,
2009). Another key accountability function is ensuring that the information
technology and network infrastructure supports the company's computing, data
processing and communication needs (DHS, 2007). If the company requires greater
capacity, the CIO decides on the solutions that will meet the additional needs
at the lowest cost. When the company has short-term IT requirements, such as
additional website capacity during a successful marketing campaign or seasonal
sale, the CIO must balance the need for additional capacity against the risk of
acquiring resources that may be underutilized at other times (Shoemaker, 2012).
Third, the CIO must meet the company's information technology needs within
budget limits, often under pressure to reduce costs while maintaining a high
standard of service to users. At times, the CIO must consider cost-saving
options, such as outsourcing part of the IT operations or moving from investment
in fixed infrastructure to renting IT resources from external providers
(Conklin & McLeod, 2009). Fourth, the CIO must have the vision to recognize and
respond to changing requirements for IT resources. To meet the need for
increased collaboration, for example, the CIO must deploy wireless networking
infrastructure and collaboration tools, such as desktop videoconferencing and
project portals. As increasing numbers of employees use their personal
smartphones for business applications, the CIO must develop security policies
that protect the company's infrastructure and data while ensuring the privacy of
employees' personal information. (Shoemaker,

Two security assurances can be achieved by the CIO developing a formal security
awareness, training and education program. The first is ensuring that users
understand their IT security responsibilities, organizational policies and
standards, and how to properly use and protect the IT resources entrusted to
them (DHS, 2007). It is generally understood that enterprise-wide awareness and
training addresses the weakest link in attempts to secure systems and networks,
which is the human factor (Gupta & Sharman, 2008). The second assurance is the
reduction of vulnerabilities and of accidental mishandling of company assets by
users due to a lack of awareness and training. Managers will also be properly
trained in how to fulfill their security responsibilities by ensuring that users
understand the specific rules for each system and application they use
(Shoemaker, 2012).

Technologies that the CIO can use to certify the security functions and data
assets of an organization on a day-to-day basis are automated assurance
controls, such as antivirus; examination of system logs, such as syslog events
forwarded to a SIEM; and penetration scans, such as a Qualys scan (Shoemaker,
2012). Another option is to add a role to the executive-level committee, such as
a Security Compliance Officer (SCO), who enforces the compliance of the business
and relieves the CIO and CISO of some of the burden of keeping the organization
in compliance (Shoemaker, 2012).
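The "examination of system logs" above is the kind of check a SIEM automates by running detection rules over the syslog events it collects. The following is an added example (not from the essay or the sources it cites) of one such rule: it parses sshd authentication lines and flags a source address that accumulates several failed logins within a short window and then succeeds, the pattern a password-guessing attempt leaves behind. The log lines are constructed for illustration, and the five-minute window, three-failure threshold and log year are assumptions.

```python
"""Examine sshd syslog events for repeated failures followed by a successful
login, the kind of rule a SIEM would run over collected logs.

Added example, not from the essay or its sources. The log lines are constructed
for illustration; the window, threshold and LOG_YEAR are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (documentation-range addresses, no real host).
SAMPLE_LOGS = """\
Mar 10 08:01:02 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51322 ssh2
Mar 10 08:01:05 web01 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51330 ssh2
Mar 10 08:01:09 web01 sshd[2205]: Failed password for root from 198.51.100.7 port 51340 ssh2
Mar 10 08:01:12 web01 sshd[2207]: Failed password for root from 198.51.100.7 port 51350 ssh2
Mar 10 08:01:15 web01 sshd[2209]: Accepted password for root from 198.51.100.7 port 51360 ssh2
Mar 10 08:03:40 web01 sshd[2250]: Failed password for jsmith from 203.0.113.9 port 40012 ssh2
Mar 10 08:30:00 web01 sshd[2300]: Accepted publickey for jsmith from 203.0.113.9 port 40020 ssh2
"""
LOG_YEAR = 2024  # assumed: classic syslog timestamps carry no year

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text, year=LOG_YEAR):
    """Yield (timestamp, result, user, src) for lines that match; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Collapse the double space syslog uses for single-digit days.
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["src"]


def find_success_after_failures(text, threshold=3, window=timedelta(minutes=5)):
    """Return an alert for each source that had >= threshold failed logins
    inside `window` and then an accepted login from the same address."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ts, result, user, src in parse_events(text):
        q = recent[src]
        while q and ts - q[0] > window:  # expire failures outside the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
        elif len(q) >= threshold:
            alerts.append({"source": src, "user": user,
                           "failures": len(q), "at": ts.isoformat()})
            q.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for a in find_success_after_failures(SAMPLE_LOGS):
        print(f"ALERT {a['at']} {a['source']} logged in as {a['user']} "
              f"after {a['failures']} failures")
```

Run as a script it reports the first address (four failures, then a successful root login) and stays quiet about the second, whose single failure falls well outside the window before the later key-based login. The same structure, a parser plus a windowed per-source counter, is how most SIEM correlation rules are expressed.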

The digital forensics function complements the overall security efforts of the
organization by gathering all electronic evidence that supports an incident
and will hold up in a court of law. This ensures that all federal and state
laws and policies applicable to the organization are observed when handling an
incident, which matters to the organization's security efforts when reporting
breaches that can affect customers and the organization's reputation. Another
function that complements the overall security effort is identifying
appropriate countermeasures to ensure that a breach does not happen again. This
is important for building the defenses of the business and its staff and for
making sure that as much risk as possible is mitigated in the future by
identifying potential vulnerabilities and preventing exploits (Casey, 2006).

One technical resource available to the digital forensics professional for
performing forensic audits and investigations is proper training in acquiring
the necessary data. Training is the most important resource available to the
forensic professional, both for knowing when and which tools to use and for
meeting chain-of-custody requirements that ensure evidence has been properly
handled (DHS, 2007). Another technical resource is the specialized software
and hardware that enables the digital forensic professional to analyze hard
drives and produce the exact replica needed so that the contents of the
original drive are not modified (Shoemaker, 2012). A third technical resource
is having policies and procedures in place that allow forensic professionals
access to wide areas of the network. It is important that forensic
professionals have the support of the IT team in making this access available
(Shoemaker, 2012).
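The exact replica and chain-of-custody requirements described above rest on one concrete check: the image's cryptographic digests must equal those of the source medium, and that fact must be recorded with who verified it and when. The following is an added example (not from the essay or its sources) of that verification and record-keeping step. The "source" and "image" are constructed in-memory byte strings standing in for block reads from a write-blocked device and from the acquired image file; the evidence identifier and examiner name are placeholders.

```python
"""Verify that a forensic image is a bit-for-bit copy of its source and record
the result as a chain-of-custody entry.

Added example, not part of the essay. Source and image bytes are constructed
here; a real acquisition would hash a write-blocked device and the image file.
"""
import hashlib
import json
from datetime import datetime, timezone

BLOCK = 4096  # hash in fixed-size chunks, as an imaging tool reads a device


def chunked(data, block=BLOCK):
    """Split a byte string into block-sized chunks (stand-in for device reads)."""
    for i in range(0, len(data), block):
        yield data[i:i + block]


def hash_stream(chunks):
    """Return MD5 and SHA-256 digests plus byte count over an iterable of chunks.
    Two digests are recorded so a weakness in one algorithm alone does not
    undermine the integrity claim."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    size = 0
    for chunk in chunks:
        md5.update(chunk)
        sha.update(chunk)
        size += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": size}


def verify_image(source, image):
    """Compare digests and sizes of source and image.
    Returns (ok, source_hashes, image_hashes); ok is False on any mismatch,
    including a single flipped byte or a truncated image."""
    s = hash_stream(chunked(source))
    im = hash_stream(chunked(image))
    ok = (s["sha256"] == im["sha256"] and s["md5"] == im["md5"]
          and s["bytes"] == im["bytes"])
    return ok, s, im


def custody_record(evidence_id, examiner, action, hashes, ok, when=None):
    """Build one chain-of-custody entry; the caller appends it to an
    append-only log so every handling step stays traceable."""
    when = when or datetime.now(timezone.utc).isoformat()
    return {"evidence_id": evidence_id, "examiner": examiner, "action": action,
            "timestamp": when, "sha256": hashes["sha256"], "md5": hashes["md5"],
            "bytes": hashes["bytes"], "verified": ok}


if __name__ == "__main__":
    # Constructed stand-in for a small source medium (5120 bytes, two blocks).
    source = bytes(range(256)) * 20
    good = bytes(source)
    tampered = bytearray(source)
    tampered[4100] ^= 0x01  # one bit changed inside the second block

    ok, src_h, _ = verify_image(source, good)
    print(json.dumps(custody_record("EV-PLACEHOLDER-0001", "examiner-placeholder",
                                    "acquire-and-verify", src_h, ok), indent=2))
    print("tampered image verifies:", verify_image(source, bytes(tampered))[0])
```

The record carries both digests and the byte count, so a later examiner can re-hash the image and compare against the entry rather than trust the file on disk; any difference, however small, fails verification and should be logged as such.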

Casey, E. (2006). Investigating sophisticated security breaches. Communications of the ACM, 49(2), 48-55. Retrieved from EBSCO Host.

Conklin, W. A., & McLeod, A. (2009). Introducing the Information Technology Security Essential Body of Knowledge framework. Journal of Information Privacy and Security. Retrieved from;

Department of Homeland Security. (2007). IT Security Essential Body of Knowledge (EBK): A competency and functional framework for IT security workforce development. Retrieved from;

Gupta, M., & Sharman, R. (2008). Social and human elements of information security: Emerging trends and countermeasures. Information Science Reference. Retrieved from EBSCO Host.

Shoemaker, D., & Conklin, W. A. (2012). Cybersecurity: The essential body of knowledge (1st ed.). Boston, MA: Cengage Learning.
