The development of a security strategy is highly influenced by the organizational structure. Organizational structure pertains to the roles and responsibilities of different individuals, the reporting hierarchy, whether the organization functions in a centralized or decentralized way, and so on. A flexible and evolving organizational structure is more open to the adoption of a security strategy, whereas an organization with a more constrained structure might not adopt a security strategy.
The independence of the security function is the most important factor to be considered, from a practical as well as the exam perspective, while evaluating organizational functions. This can be assessed through the reporting structure of the security function.
Board of Directors
The ultimate responsibility for the appropriate protection of an organization's information falls on the board of directors. The involvement of board members in information security initiatives can be an indicator of good governance. In the event of an incident, the company directors can be protected from liability if the board has exercised due diligence. Many laws and regulations make the board responsible in the event of data breaches. Even cyber security insurance policies require the board to exercise due diligence as a prerequisite for insurance coverage.
Security Steering Committee
The security steering committee is generally composed of senior management from different business units. The security steering committee is best placed to determine the level of acceptable risk (risk capacity) for the organization. They monitor and control the security strategy. They also ensure that the security policy is aligned with the business objectives.
Reporting of Security Functions
In the past, security functions in most organizations reported to the chief information officer (CIO). However, it has since been observed that CIOs are primarily concerned with IT performance and cost, with security as a secondary objective. During a conflict between performance and security, security is sometimes ignored.
However, with increased awareness and more experience, the responsibility for security is now entrusted to senior-level functionaries directly reporting to the chief operating officer (COO), chief executive officer (CEO), or board of directors. This ensures the independence of security functions.
Organizations' security functions can work in either a centralized or decentralized way.
Centralized vis-à-vis Decentralized Security Functioning
In a centralized process, information security activities are handled from a central location, usually the head office of the organization. In a decentralized process, the implementation and monitoring of security activities are delegated to the local offices of the organization.
The following table shows the differentiation between centralized and decentralized processes:
| Centralized Process | Decentralized Process |
| --- | --- |
| More consistency in security processes | Less consistency |
| Optimum utilization of information security resources | Greater resource requirements |
| Less alignment with the requirements of decentralized units | Better alignment with decentralized unit requirements |
| A centralized process will generally take more time to process requests due to the larger gap between the information security department and the end user | Faster turnaround of requests compared to centralized processes |
Figure 1.7: Differences between centralized and decentralized processes
Centralization of information security management results in greater uniformity and easier monitoring of processes. This in turn promotes better adherence to security policies.
Practice Question Set 5
- Which of the following is a characteristic of a centralized information security management process?
  - Processes are costlier to manage compared to decentralized processes
  - Better adherence to policy compared to decentralized processes
  - Better alignment with business unit requirements compared to decentralized processes
  - Faster turnaround of requests compared to decentralized processes
- Who should determine the acceptable level of information security risk?
  - Legal department
  - CISO
  - Audit department
  - Steering committee
- As an information security manager, how do you characterize a decentralized information security process?
  - Consistency in information security processes
  - Better compliance with policy
  - Better alignment with decentralized unit requirements
  - Optimum utilization of information security resources
Information Security Roles and Responsibilities
It is very important to ensure that security-related roles and responsibilities are clearly defined, documented, and communicated throughout the organization. Each employee of the organization should be aware of their respective roles and responsibilities. Clearly defined roles also facilitate effective access rights management, as access is provided based on the respective job functions and job profiles of employees – that is, on a need-to-know basis (least privilege) only.
RACI Chart
One of the simplest ways to define roles and responsibilities in a business or organization is to form a matrix known as a RACI chart. This stands for responsible, accountable, consulted, and informed.
This chart indicates who is responsible for a particular function, who is accountable with regard to the function, who should be consulted about the function, and who should be informed about the function. Clearly defined RACI charts make the information security program more effective.
The following defines RACI in more detail:
- Responsible: This is the person who is required to execute a particular job function.
- Accountable: This is the person who is required to supervise a job function.
- Consulted: This is the person who gives suggestions and recommendations for executing a job function.
- Informed: This is the person who should be kept updated about the progress of the job function.
In the next section, you will go through the various roles that are integral to information security.
Board of Directors
The role of board members in information security is of utmost importance. Board members need to be aware of security-related key risk indicators (KRIs) that can impact the business objectives. The intent and objectives of information security governance must be communicated from the board level down.
The current status of key security risks should be tabled and discussed at board meetings. This helps the board to determine the effectiveness of the current security governance.
Another essential reason for the board of directors to be involved in security governance is liability. Most organizations obtain specific insurance to deal with their financial liability in the event of a security incident. This type of insurance requires those bound by it to exercise due care in the discharge of their duties. Any negligence from the board in addressing the information security risk may make the insurance void.
Senior Management
The role of senior management is to ensure that the intent and requirements of the board are implemented in an effective and efficient manner. Senior management is required to provide ongoing support to information security projects in terms of budgets, resources, and other infrastructure. In some instances, there may be disagreement between IT and security. In such cases, senior management can take a balanced view after considering performance, cost, and security. The role of senior management is to map and align the security objectives with the overall business objectives.
Business Process Owners
The role of a business process owner is to take ownership of the security-related risks impacting their business processes. They need to ensure that information security activities are aligned and support their respective business objectives. Further, they need to monitor the effectiveness of security measures on an ongoing basis.
Steering Committee
A steering committee comprises the senior management of an organization. The role of a steering committee is as follows:
- To ensure that security programs support the business objectives
- To evaluate and prioritize the security programs
- To evaluate emerging risks, security practices, and compliance-related issues
The roles, responsibilities, and scope of a steering committee should be clearly defined.
Chief Information Security Officer
The chief information security officer (CISO) is a senior-level officer who has been entrusted with making security-related decisions and is responsible for implementing security programs. The CISO should be an executive-level officer directly reporting to the CEO. The role of the CISO is fundamentally regulatory, whereas the role of the CIO is to generally focus on IT performance.
Chief Operating Officer
The COO is the head of operational activities in the organization. Operational processes are reviewed and approved by the COO. The COO has a thorough knowledge of the business operations and objectives and is most likely the sponsor for the implementation of security projects as they have a strong influence across the organization. Sponsoring means supporting the project financially or through products or services. Although the CISO should provide security advice and recommendations, the sponsor should be the COO for effective ground-level implementation.
Data Custodian
The data custodian is a staff member who is entrusted with the safe custody of data. The data custodian is different from the data owner, though in some cases, both data custodian and data owner may be the same individual. A data custodian is responsible for managing the data on behalf of the data owner in terms of data backup, ensuring data integrity, and providing access to data for different individuals on the basis of the approval of the data owner. From a security perspective, a data custodian is responsible for ensuring that appropriate security measures are implemented and are consistent with organizational policy.
Communication Channel
A well-defined communication channel is of utmost importance in the management of information security. A mature organization has dedicated systems to manage risk-related communication. This should be a two-way system, wherein management can reach all employees and at the same time employees can reach a designated risk official to report identified risks. This will help in the timely reporting of events, as well as disseminating important security information. In the absence of an appropriate communication channel, the identification of events may be delayed.
Indicators of a Security Culture
The following list consists of some of the indicators of a successful security culture:
- The involvement of the information security department in business projects
- End users are aware of the identification and reporting of incidents
- There is an appropriate budget for information security programs
- Employees are aware of their roles and responsibilities regarding information security
Understanding the roles and responsibilities as covered in this section will help the security manager to implement an effective security strategy.
Key Aspects from the CISM Exam Perspective
The following are some key aspects from the exam perspective:
| Question | Possible Answer |
| --- | --- |
| What is the best course of action when there is disagreement on the security aspects between the IT team and the security team? | To refer the matter to senior management along with any necessary recommendations |
| What is the immediate benefit of well-defined roles and responsibilities? | Better accountability |
| Who has the ultimate responsibility for legal and regulatory requirements? | The board of directors and the senior management (when the board delegates them the responsibility) |
| What is the best way to prioritize information security projects? | Security projects should be assessed and prioritized based on their impact on the organization |
| Who has the responsibility to enforce the access rights of employees? | The data custodian/security administrators |
| What is the most important factor on which the data retention policy is based? | The business requirements |
| What is the prime responsibility of an information security manager? | To manage the risks to information assets |
| Which models are used to determine the extent and level of maturity of processes? | The maturity model; the process performance and capability model |
| What is the major concern if database administrators (DBAs) have access to DBA-related logs? | The unauthorized modification of logs by the DBA |
| What is the main objective of integrating security-related roles and responsibilities? | To address security gaps that exist between assurance functions |
| What is the role of the information owner with regard to the data classification policy? | To determine the level of classification for their respective data |
| What is the role of the information security manager with regard to the data classification policy? | To define and ratify the data classification process |
| What is the best way to ensure that responsibilities are carried out? | Assign accountability |
| Who is responsible for complying with the organization's security policies and standards? | All organizational units; every employee |
| What is the principle of proportionality for providing system and data access? | The principle of proportionality requires that access be proportionate to the criticality of the assets and that access be provided on a need-to-know basis |
| What is the segregation of duties? | Segregation of duties (SoD) is a control wherein a critical function or job is divided into two parts and each part is handled by a separate individual. The objective of SoD is to prevent error and fraud |
| What is a compensatory control? | Compensatory controls are controls that are placed in lieu of main controls when the main controls are difficult to implement. Their objective is to address the risk until the main controls are implemented. Compensatory controls are also referred to as alternative controls |
| What is the principle of least privilege? | The principle of least privilege ensures that access is provided only on a need-to-know basis and is restricted for all other users |
Figure 1.8: Key aspects from the CISM exam perspective
Practice Question Set 6
- The information security team is mapping job descriptions to relevant data access rights. This is based on:
  - The principle of accountability
  - The principle of proportionality
  - The principle of integration
  - The principle of the code of ethics
- As an information security manager, you are reviewing the function of the data custodian. The data custodian is primarily responsible for:
  - Approving access to the data
  - The classification of assets
  - Enhancing the value of data
  - Ensuring all security measures are in accordance with the organizational policy
- You are an information security manager for a bank. One of your critical recommendations is not accepted by the IT head. What should your next course of action be?
  - Refer the matter to an external third party for resolution
  - Request senior management to discontinue the relevant project immediately
  - Ask the IT team to accept the risk
  - Refer the matter to senior management along with any necessary recommendations
- As an information security manager, you strongly recommend having well-defined roles and responsibilities from an information security perspective. The most important reason for this recommendation is:
  - Adherence to security policies throughout the organization
  - Well-structured process flows
  - The implementation of SoD
  - Better accountability
- What is the prime role of an information security manager in a data classification process?
  - To define and ratify the data classification process
  - To map all data to different classification levels
  - To provide data security, as per the classification
  - To confirm that data is properly classified
- Which of the following is the area of most concern for the information security manager?
  - That there are vacant positions in the information security department
  - That the information security policy is approved by senior management
  - That the steering committee only meets on a quarterly basis
  - That security projects are reviewed and approved by the data center manager
- An information security manager should have a thorough understanding of business operations with the prime objective of which of the following?
  - Supporting organizational objectives
  - Ensuring regulatory compliance
  - Concentrating on high-risk areas
  - Evaluating business threats
- In a big multi-national organization, the best approach to identify security events is to do which of the following?
  - Conduct frequent audits of the business processes
  - Deploy a firewall and intrusion detection system
  - Develop communication channels across the organization
  - Conduct vulnerability assessments of new systems
- Legal and regulatory liability is the responsibility of which of the following?
  - The chief information security officer
  - The head of legal
  - The board of directors and senior management
  - The steering committee
- What is the best way to gain support from senior management for information security projects?
  - Lower the information security budget
  - Conduct a risk assessment
  - Highlight industry best practices
  - Design an information security policy
- Prioritization of information security projects is best conducted based on which of the following?
  - The turnaround time of the project
  - The impact on the organization's objectives
  - The budget of the security project
  - The resource requirements for the project
- Who is responsible for enforcing the access rights of employees?
  - The process owner
  - The data owner
  - The steering committee
  - The security administrators
- Who is responsible for information classification?
  - The data administrator
  - The information security manager
  - The information system auditor
  - The data owner
- What is the data retention policy primarily based on?
  - Industry practices
  - Business requirements
  - Regulatory requirements
  - Storage requirements
- What is the most important security aspect for a multi-national organization?
  - The local security program should comply with the corporate data privacy policy
  - The local security program should comply with the data privacy policy of the location where the data is collected
  - The local security program should comply with the data privacy policy of the country where the headquarters are located
  - The local security program should comply with industry best practices
- The ultimate accountability for the protection of sensitive data lies with which of the following?
  - The security administrators
  - The steering committee
  - The board of directors
  - The security manager
- The most likely authority to sponsor the implementation of new security infrastructure for business processes is which of the following?
  - The CISO
  - The COO
  - The head of legal
  - The data protection officer
- Who should determine the requirements for access to data?
  - The security officer
  - The data protection officer
  - The compliance officer
  - The business owner
- The responsibility for establishing information security controls in an application resides with which of the following?
  - The information security steering committee
  - The data owner
  - The system auditor
  - The system owner