Larry,
Check out the NIST website (www.nist.gov), they have a wealth of organizational,
policy and procedural material that you can benefit from.
One point you made struck me: '... anything that suggests that the security
manager or CISO should not report to the Operations Director'. My first
thoughts were that you are either aware of a personality conflict with the
OpsDir, or do not like/respect this person. If such is the case, believe me, I
can feel your pain; been there, experienced that. I suggest taking the
longer-term view and not institute an organizational structure based upon
individual personalities, but upon factual and objective evidence to best fit
the requirements of the organizational needs into the existing structure.
Objectivity being the key aspect there. I know it is hard to do, but in the
long run, for your business needs as well as the organization itself, this is
for the best.
R,
-Joe Wulf, CISSP
ProSync Technology Group, LLC
www.prosync.com
Senior IA Engineer
-----Original Message-----
From: Larry Erdahl [mailto:larryerdahl@msn.com]
Sent: Monday, August 15, 2005 16:22
To: security-management@securityfocus.com
Subject: Security program development (Plan)
I have been asked by my organization to develop a IT security program
(plan) that will
meet today's security standards. I am planning on following ISO 17799, but I am
having a little trouble getting out of the starting blocks.
Can anyone point me to documentation or studies on the proper roles,
responsibilities,and reporting structure needed in today's security
departments.
I am specially interested in any thing that suggests that the security manager
or CISO should not report to the Operations Director.
I would appreciate it if you could share your expertise and experience in what
you did in building your security departments (off line if need be).
Thanks...
