Ideally, the information security officer has responsibility for monitoring and enforcing the organizational governance associated with protecting all business information assets from intentional and unintentional loss, disclosure, alteration, destruction, and unavailability. As cloud computing becomes more ingrained in an organization's operations, these responsibilities will only expand, and their execution must be shared with one or more cloud service providers. This also forces the abandonment of a purely risk-averse culture and the infusion and institutionalization of risk management processes into organizational IT governance. Some of the typical responsibilities of the security officer and their team include:
- Ensuring that the security policies, procedures, baselines, standards, and guidelines are written to address the information security needs of the organization. However, this does not mean that the security department must write all the policies by themselves, nor should the policies be written solely by the security department without the input and participation of the other departments within the organization, such as legal, human resources, information technology, compliance, physical security, the business units, and others that have to implement the policies. Approval of policy must be done at the executive level. Typically, standards, procedures, and baselines do not require that level of approval.
- Implementing and operating computer incident response teams (CIRTs). CIRTs are groups of individuals with the necessary skills, including management, technical, infrastructure, and communications staff, for assessing an incident, evaluating the damage it caused, and providing the correct response to repair the system and collect evidence for potential prosecution or sanctions.
- Providing the leadership for the information security awareness program by ensuring that the program is delivered in a meaningful, understandable way to the intended audience. Security officers must be involved in the management teams and planning meetings of the organization to be fully effective. Central to the security officer’s success within the organization is to understand the vision, mission, objective/goals, and plans of the organization. This understanding increases the chances of success, allowing security to be introduced at the correct times during the project lifecycle, better enabling the organization to carry out the corporate mission.
- Communicating risks to executive management. The information security officer is responsible for understanding the business objectives of the organization, ensuring that a risk assessment is performed, taking into consideration the threats and vulnerabilities impacting the organization, and subsequently communicating the risks to executive management.
- Ensuring that the information presented to executive management is based upon a real business need and that the facts are represented clearly. Recommendations for specific controls should be risk based. Ultimately, it is the executive management of the organization that is responsible for information security.
- Staying abreast of emerging regulatory developments so that the organization can respond in a timely manner. Planning and documentation are critical when proving compliance. Periodic compliance reviews, whether through internal or external inspection, ensure that the procedures, checklists, and baselines are documented and practiced. Compliance reviews are also necessary to ensure that end users and technical staff are trained and have read the security policies.
- Maintaining the appropriate balance between acceptable risk and ensuring that business operations are meeting the mission of the organization. In this context, executive management is not concerned with the technical details of the implementations, but rather with the cost/benefit of the solution and what residual risk will remain after the safeguards are implemented.