Information Security Titles “Out Of Control”

Written by OSAblog on Tuesday, May 12th, 2009

We are in an era where security and compliance have made it to the forefront of corporate board room discussions; they are now among the key topics on the agenda. Are we protecting our corporate and personal data? Are we meeting both corporate and regulatory requirements as they relate to data privacy (HIPAA, GLBA, SOX, PCI DSS)?

With these questions hovering over corporate leaders, there has been an overwhelming push to ensure that security positions are filled so that compliance can be achieved. Over the past 10+ years the roles of CSO, CISO, Director of Security, Analyst, Engineer/Technical, IT Compliance Leader and Administrator have emerged. But what have not been very clearly defined are the roles and responsibilities of these positions, and the need for these unique skill sets. Larger companies have the luxury of finding highly skilled people to fill these individual jobs (it comes down to dollars), while mid-size to small companies try to find people who have all the skill sets wrapped up in one. Ahh…. The wearer of many hats, filling positions that are uniquely different. By finding that person who has all these credentials you limit yourself in the expertise needed for specific roles. Jack of all trades and master of none is a dangerous mix in the security world. I fully understand that in today’s economy more businesses are looking to cut back and consolidate. This is not an area where we want to get too frugal. In the end, you may be paying a bigger ticket if you are compromised.

There are regulatory requirements that audit the roles and responsibilities of your security staff. Due to conflict-of-interest issues, you may not be able to have the person enforcing security policies/procedures be the same person administering and monitoring those standards. Combining the roles makes it much too easy to have your environment compromised internally (collusion). Each business needs to review its own requirements.

What you need to do is find out what your business drivers for security are. These drivers can be a combination of corporate and regulatory requirements. If you are a business that accepts credit cards but at low volume, then you may fall into Level 4 merchant status as it relates to PCI DSS requirements for security controls. So, do you really need to have many levels of security staff for your business? Probably not. You will not get hit with the same auditing control requirements as a Merchant Level 1 service provider. You need to assess your business first, and make determinations about what is required based on risk/probability/severity/lost revenue if your data were compromised. And again, the business drivers enforcing security for your establishment will help to make these determinations. Many businesses have run a BIA (Business Impact Analysis) study to help determine the level of risk to their data.

I have picked a few key security roles and listed their responsibilities to help if you decide you need to fill security roles for your business. These responsibilities will need to be tailored based on your type of business, but they are a good starting point for you to work from.

Key security roles and their corresponding responsibilities:

CSO (Chief Security Officer) / Director of Security

  • Communicate with senior management about security risks and the current state of security of the business.
  • Develop and implement a strategic business security plan that is aligned with enterprise-wide security initiatives.
  • Support Legal, Compliance and HR in developing and implementing processes relating to privacy and the protection and use of PII, employee and business data.
  • Interpret Corporate/Compliance security policies, procedures, guidelines and best practices to understand how they apply to the specific business.
  • Develop, maintain and communicate business specific policies, procedures and guidelines.
  • Ensure that security reviews and tests are conducted at recommended points within the Tollgate process.
  • Verify that security is part of the change control process for all systems and applications.
  • Define secure operational processes and monitor compliance.
  • Support security operations such as secure account management, secure data access, etc.
  • Advise on the implementation of secure network architectures and the configuration of network devices.
  • Monitor security compliance of networks, servers, and applications.
  • Ensure client PCs are secure and run the correct versions of anti-virus software and any other recommended security tools.
  • Provide security awareness within the business.
  • Ensure that the evaluation, testing and implementation of security technologies meet business needs.
  • Develop, implement and track a security integration plan for acquisitions that is in compliance with company guidelines.
  • Develop, implement and track a security separation plan for divestitures that is in compliance with company guidelines.
  • Review and approve security for all network interfaces to other companies (i.e., third party connections).
  • Review and approve appropriate security controls for outsourcing agreements.

CISO (Chief Information Security Officer) / Technical Manager

The CISO / Security Technical Leader will assume primary responsibility for the technical aspect of all security-related activities at the direction of the CSO, including, but not limited to, those detailed below.

  • Work with the advanced technology team to research, design, prototype, and potentially implement company information protection initiatives to meet security objectives.
  • Provide leadership to multiple teams with a diversity of functions and attendant skills.
  • Responsible for the development and maintenance of the Enterprise Information Security Architecture, tools, and associated technical procedures to ensure systemic protection of the business information.
  • Responsible for ensuring that the organization’s data systems and databases are secure through the development and implementation of information security architecture and standards.
  • Coordinate security architectural principles with Enterprise Wide Technology Architecture team.
  • Develop and maintain a security architectural framework in coordination with technology and business partners.
  • Develop, refine, or modify technical security standards as necessary to implement technical security controls.
  • Assess technology infrastructure and collaborate with infrastructure group to design a scalable and secure infrastructure.
  • Participate in complex designs of technology solutions to ensure information security architectural principles, standards, and requirements are incorporated in design. 
  • Assess divisional and local security needs.
  • Evaluate emerging threats and recommend preventative measures that will mitigate the threat to the business.
  • Conduct research, develop and support positions, and document findings in white papers suitable for regulatory scrutiny on all aspects of information protection.
  • Research and design tools used for security awareness training.
  • Design and implement appropriate security technology to serve company security controls.
  • Monitor security policy compliance by conducting periodic audits and approved penetration tests. Be able to assess internal and external scan reports: identify false positives, research vulnerabilities, and communicate results to IP management and system administrators. Must be capable of challenging external experts when reports are erroneous.
  • Recommend and implement checks to be included in a comprehensive internal audit/scanning program.
  • Work with system administrators to implement security strategies, coordinate remediation tasks and adhere to published schedules.

Security Analyst

The Information Security Analyst will assume primary responsibility for all security-related requests and activities, including, but not limited to, those detailed below.

  • Implement company information protection initiatives (policy, standards, guidelines, procedures, controls and associated technology) to meet security objectives.
  • Participate in corporate information protection project teams.  Assess divisional and local security needs and communicate them.
  • Respond to client due diligence and audit requests.  Work with IT groups and other departments as necessary to obtain the necessary information for responses.  Document remediation requests and communicate them to local and IP management.
  • Conduct security awareness training.
  • Implement appropriate security controls to meet company security objectives.
  • Monitor security policy compliance by conducting periodic audits and approved penetration tests. Be able to assess internal and external scan reports: identify false positives, research vulnerabilities, and communicate results to IP management and system administrators.
  • Recommend checks to be included in a comprehensive internal scanning program.
  • Work with system administrators to implement remediation strategies and adhere to schedules.
  • Respond when alerted to security events, whether in real time via monitoring tools or through log analysis.  Work individually and with other incident response team members as necessary to identify, assess, report and recover from incidents.
  • Be familiar with the company’s problem management and change management procedures, and ensure that incident responses invoke them appropriately.
  • Recommend security improvements based on assessing current technology and practices, evaluating trends, and anticipating requirements.
  • Review firewall and router rules.
  • Review and approve network change requests (ACLs, firewall rules) on behalf of Information Protection, based on company security policies.
  • Review intrusion detection system reporting, network device logs and other security logs daily.
  • Follow trends in the Information Protection area (new vulnerabilities, technology, legislation, etc.).  Contribute to development of appropriate corporate responses as such changes occur.
  • Advise local management as requested on site security matters (exposures, mitigation, etc.).

Manager of IT Compliance (position may be needed based on size and complexity of your environment)

The Information Technology Compliance Leader will assume primary responsibility for the oversight of IT Compliance regulatory audit reviews along with policy and procedural security requirements including, but not limited to, those detailed below.

  • Communicate with the audit functions of external entities as needed to maintain compliance:
      • Clients
      • Regulatory compliance groups: financial auditors, SOX, Department of Commerce (Safe Harbor), SAS 70
      • Other certifying organizations: Cybertrust, PCI, ISO
  • Ensure that the information requirements of audits are met:
      • Respond to the IT portions of client risk assessment questionnaires
      • Respond to the IT portions of client RFPs
      • Host IT portions of client on-site audits. Coordinate meetings with IT technical support and Office Services staff if required. Obtain supporting documentation.
      • Facilitate scans, vulnerability testing, penetration testing, etc., to meet auditor requirements while ensuring the ongoing confidentiality, integrity and availability of business information assets.
      • Communicate audit findings to the appropriate groups for remediation.
      • Communicate remediation plans and project status to clients.
  • Specifically for SOX (IT general controls):
      • Maintain archives of process narratives, control descriptions, testing methods, and test materials
      • Communicate self-assessment schedules to IT departments
      • Track progress of self-assessment activities and report progress to management
      • Train project participants in the use of mandated tools
  • Review draft contracts (master services agreements, marketing agreements, non-disclosure agreements, service level agreements, statements of work, etc.) with clients and vendors. Recommend appropriate security-related language.
  • Conduct information security risk assessments of current and potential vendors via questionnaires and on-site visits. Communicate remediation recommendations and requirements to business and vendor management. Monitor remediation progress.
  • Maintain the Information Security Management System (ISO 27001)
  • Develop policy and procedure for IT and other departments on security-related matters.
  • Assess and recommend tools for compliance reviews of IT infrastructure, applications and network traffic. Arrange for purchase, installation, tuning and maintenance of approved tools.
  • Develop, implement and maintain a program of internal audits to monitor compliance with security policy. The scope of the program will encompass processes and technology throughout the company in all domains of information security:
      • Identify gaps requiring remediation.
      • Provide summary reports of findings to management.
      • Provide detail reports to technical support groups and others for remediation.
      • Monitor and report progress of remediation activities.
  • Monitor network traffic for intrusion attempts and other malicious activity (NIDS, NIPS)

The Security Leader shall be designated as the final security authority for all information services hosted or housed.

Peter Gallinari, CSO, CHS III, has 32 years’ experience in information technology in such diverse industries as healthcare, publishing, and financial services, and was a member of the GNYHA Committee (NYCLIX). He served as Chief Security Officer of GE Capital, managed its IT Division, and headed up its Business Continuity and Disaster Recovery. He holds several security certifications from the SANS Institute, (ISC)², and the American College of Forensic Examiners for Homeland Security. He also holds certificates in Six Sigma and disaster recovery disciplines. Peter is known for a song he wrote and performed for the victims of the Indonesian tsunami, the Oklahoma disaster and the Virginia Tech shootings. He has performed with members of KISS, Toto, The Vanilla Fudge (Carmine Appice), Anton Fig (David Letterman Show), Leslie West & Mountain and many others.

Article Source: http://www.articlesbase.com/security-articles/information-security-titles-out-of-control-911097.html
