Hi Larry:
Some of the reporting models for CISO I have come across:
1. Reports to CIO. Other IT-operational heads also report here
2. Reports to Audit committee of the Board
3. Report to the Risk Management Committee( Security is seen as an integral
part of overall business risk management)
In some instances the priorities of Operations team and Security team might
be in conflict. Hence its best not to merge security under operations.
While the focus of operations maybe on continuous uptime security might want
to take a downtime to apply an important patch. Sometimes it is good to have
someone who is senior and knowledgeable of IT (still not involved directly
in operations) to play the role of mediator.
Security is not always convenient for the users nor for the admins. Hence
many times operations will not be in favor of implementing that additional
layer of encryption or one more set of Firewalls. Non-operations person will
be able in taking prudent decisions in these cases.
Jose Varghese
Paladion Networks | Mumbai | India
Ph: +91 22 5591 0513 (Ext: 26) | Fax: +91 22 5591 3580,
Mobile: +91 98201 99818|
Application Security Magazine : http://palisade.paladion.net
-----Original Message-----
From: Larry Erdahl [mailto:larryerdahl@msn.com]
Sent: Tuesday, August 16, 2005 1:52 AM
To: security-management@securityfocus.com
Subject: Security program development (Plan)
I have been asked by my organization to develop a IT security program
(plan) that will
meet today's security standards. I am planning on following ISO 17799, but I
am having a little trouble getting out of the starting blocks.
Can anyone point me to documentation or studies on the proper roles,
responsibilities,and reporting structure needed in today's security
departments.
I am specially interested in any thing that suggests that the security
manager or CISO should not report to the Operations Director.
I would appreciate it if you could share your expertise and experience in
what you did in building your security departments (off line if need be).
Thanks...
