Module 3 - Information Security Framework
The course is part of this learning path
This course looks at where the security function fits within the organizational structure and the role of the Information Security Officer in developing information security policies, standards and procedures. It then provides an understanding of the principles of information security governance, how to carry out a security audit and the importance of stakeholder engagement in implementing the organization’s information assurance programme. Finally, it looks at the incident management process and investigates the role digital forensics play in this, before reviewing the legal framework information security operates within.
The objectives of this course are to provide you with and understanding of:
- Where the security function fits within the organizational structure
- The role of the Information Security Officer
- Developing information security policies, standards and procedures
- The principles of information security governance
- How to carry out a security audit
- Implementing an information assurance programme and the importance of stakeholder engagement
- The incident management process and the role of digital forensics
- The legal information security framework
- Information assurance standards and how they should be applied within an organization
This course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific pre-requisites to study this course, however a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if would like help getting started.
About the Author
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.
Welcome to this video on organizational responsibilities.
Modern businesses are structured in many different ways, depending on the industry they operate in and the requirements of their stakeholders. Whatever structure an organization has, the information security function needs to be able to influence policy and ensure the appropriate security processes and behaviours are implemented.
This video defines the organizational structures of modern businesses and where the role of the Information Security Manager sits within this. It also looks at the responsibilities of the Board and management teams in implementing effective security practices throughout the organization.
Let’s start by looking at how organizations are structured.
The Chief Executive Officer (CEO) or Managing Director is generally the head of the organization and most businesses of significant size also have a Board of Directors who report to the shareholders. The Board monitors what the CEO does.
The executive leadership group – often known as the C-suite – report to the CEO, although some may also be members of the Board. They perform a variety of functions aligned to business areas such as Finance, IT, HR, Operations, Marketing and Sales.
Each business area is managed by an executive and these roles typically include the Chief Financial Officer (CFO), Chief Information Officer (CIO) and Chief Operating Officer (COO). Each senior manager has a subset of responsibilities allocated to them by the CEO. For example, the CIO looks after the organization’s information strategy and the COO is responsible for the day-to-day running of the business.
Now let’s look at where the ownership of information sits within the organization structure to see which stakeholders are concerned with information risk.
Generally, the Chief Information Security Officer (CISO) reports either to the senior management team or directly to the CEO. However, as you can see, there are different structural variations. Establishing a clear organizational structure that allows the business to manage information security is vital if risks are to be successfully mitigated.
There be a nominated individual with the responsibility for day-to-day management of all information security areas and authority, for information security must be present at the right level of the organization – a level that can influence other areas.
There’s little point having a security manager that nobody listens to or policies that aren’t taken seriously. The CISO or Information Security Manager (ISM) needs to understand the information assurance risks facing the organization.
Risks come from outside threat agents, such as competitors, foreign governments, terrorists and journalists, as well from employees inside the organization. Security breaches can also happen by accident.
Responsibilities of the CISO or ISM include:
• Co-ordinating information assurance across the organization;
• Creating information assurance policies;
• Communicating the information assurance policy and guidelines to the rest of the organization;
• Qualifying the appetite of the business for risk and taking appropriate mitigating action;
• Monitoring emerging threats and establishing guidelines for responses;
• Monitoring and reporting on the effectiveness of security measures to senior management; and
• Creating a security culture that will use security to the benefit of the organization.
If the organization is very risk averse, strict policies might lead to fully locked down IT systems and tight processes. If the organization’s risk appetite is greater, a more balanced approach might be taken. The balance is driven from the business imperatives defined by the Board, such as cost and usability.
Management teams within the organization must actively support the Information Security Manager. This is achieved by appointing a security lead in each of the business areas or having members of the Information Security Team seconded into the business units.
Security responsibility always starts at the top of the business with the CEO, flowing down through all levels, including contract and temporary staff. Where there’s a need for a larger team of information security experts, for example in the IT support department of a large financial institution, there may be further delegation of responsibility.
Governance is an important aspect of the information assurance structure. A high-level forum, often called the Security Working Group or Security Steering Committee, should meet on a regular basis to provide oversight and promote good security practices.
The working group should be chaired by the Information Security Manager and be attended by line-of-business heads from all parts of the organization. External stakeholders should also be included if they’re required to support planning or governance.
The Security Working Group should be the advocate for information security throughout the organization. Members should have written terms and conditions and be advocates for information assurance in their own work areas. This helps create a security culture.
If an organization can’t justify the expense of maintaining a full-time security manager or security team, they might employ external specialists on a part-time basis. For example, it might not be cost effective for an organization to employ a team of penetration testers; so, if their security policy requires periodic health checks, then they would bring in an external resource to complete the activity.
Having a relationship with a trusted, specialist company with appropriate certifications and accreditations allows an organization to meet its objectives without the cost of employing a team of experts.
Terms of reference for anybody involved in information security should be clearly defined, especially where responsibilities are delegated to individuals who aren’t members of the Information Security Team. This helps to distinguish security responsibilities from other core areas and establishes reporting lines to the Information Security Manager.
The responsibilities should reflect the organization’s information assurance policies, as well as any legislative or compliance aspects that the staff member must understand.
Adding these responsibilities to the individual’s job description helps to embed them in ‘business as usual’ activities.
A critical element of information security management is communicating with and educating staff. A security awareness programme should be rolled out across the organization. It’s essential that the key elements of the organization's security policies are communicated, and training should be evaluated to establish the organization’s current level of awareness.
The security awareness programme should be designed by the Information Security Team in conjunction with specialist training designers. It should then be introduced across the organization to meet the requirements identified in the training needs analysis.
Security awareness training should incorporate an assessment and the results should be recorded. This helps to identify the level of awareness and what measures are required to make improvements. Every individual in an organization has a responsibility for security.
However, it’s only possible to fully promote this level of personal accountability if the Information Security Manager has successfully introduced a security awareness programme.
Then, every member of staff will understand their responsibilities in relation to the organization’s security posture, including the security-related aspects of their own job and the part they play in the security of the organization.
That’s the end of this video on organizational responsibilities.