Security manager/security officer/security director roles and respnsibility

 Often, this is the senior security person within an organization. In some cases, the organization has a CSO (mentioned in the preceding entry of this list), in which case the security officer is a member of senior management. When the senior security role is not a member of senior management, the reporting hierarchy is an essential element of determining the importance and influence security has within the organization. For instance, an organization wherein the security manager reports directly to the CEO places a great deal of importance on security; an organization that has the security manager reporting to an administrative director, who in turn reports to a vice president, who reports to senior management, obviously does not. The security manager is typically responsible for advising senior management on security matters, may assist in drafting security policy, manages day-to-day security operations, represents the organization’s security needs in groups and meetings such as the Configuration Management Board and similar committees, contracts for and selects security products and solutions, and may manage the organization’s response to incidents and disasters.

Note: According to industry best practices, the security manager should not report to the same role/department that is in charge of information technology (IT) because the functions are somewhat adversarial (the security team will be reporting on/reviewing the operations and productivity of the IT team). Having the same department responsible for both functions would constitute a form of conflict of interest. The exception to this is when both the security office and the IT department report to the chief information officer (CIO); this is usually an acceptable form of hierarchy.

Comments

Post a Comment

Popular posts from this blog

Security Control Frameworks with full details

Image
Security Control Frameworks In formalizing its security governance, an organization might implement a security control framework ; this is a notional construct outlining the organization’s approach to security, including a list of specific security processes, procedures, and solutions used by the organization. The framework is often used by the organization to describe its security efforts, for both internal tracking purposes and for demonstration to external entities such as regulators and auditors. There are a variety of security frameworks currently popular in the industry, each offering benefits and capabilities, usually designed for a certain industry, type of organization, or approach to security. The following list of framework examples is by no means exhaustive or intended to be exclusive; the security practitioner should have a working familiarity with the frameworks on this list, as well as whatever framework is used by their own organization (if any). Some of these framewor...
Read more

Concepts of (CIA) confidentiality, integrity and availability

Image
  CIA Triad explanation: As a security professional or a trainee you need to know CIA (Confidentiality, integrity and availability) down to its core. We will focus on the three key principles as we will now refer them as CIA triad. In the field of information security , we have assets which can be tangible (something you can touch) for example your organization computers, servers, employees, data etc. and non-tangible (something you cannot touch) for example your reputation, your market share, your share or stock value etc. all of these assets requires security and the first thing as a security practitioner you will do is to utilize the CIA principle to assess what level of security you need to apply as per your business, security and compliance requirements. This is true even for data that is stored in any form, be it electronically or in printed hardcopy. It also applies to any systems, mechanisms, techniques used to process/manipulate/store/transmits that data. For CIA examples...
Read more

Organizational Processes and their impact to security

Security governance is a process which defines how a decision is made within an organization. This task is accomplished in different ways as per organization culture, management style and other variety of factors. Inn large organizations the task is much more organized and at times can be more complicated as there are multiple levels of decision makers which are required to be involved. IN small private business and or organizations the decision making process may be as simple as one or two person, who at the end of the day make a decision based on consultation or derived from a personal experience of the decision makers. In government or public organizations there is a chartered legislative body or a corporation which makes strategic decision based defined policies, procedures, board of directors etc. Each organization will have its own process for making decision, based on a defined structure, goals, nature of the industry, regulations. Some companies/organizations create a govern...
Read more