Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Security program development (Plan)

from [Mark Teicher] Network Security [Permanent Link]
Subject: RE: Security program development (Plan)
Date: Fri, 19 Aug 2005 17:20:25 -0400 (GMT-04:00) 
Where would a CSO report to in this type of organizational hierarchy?  Would a 
CSO also dabble in the direction of security consulting for other business 
units?  IMHO, a CSO is a CSO and a Security Practice Director is a Security 
Practice Director and mixing the two together for press purposes blurs the 
lines, since a CSO should report directly to a OpsDirector and not a Vp of 
Sales.

CSO at most companies also do not have quotas.

/m

-----Original Message-----
From: Joe_Wulf <Joe_Wulf@yahoo.com>
Sent: Aug 16, 2005 12:07 PM
To: 'Larry Erdahl' <larryerdahl@msn.com>, security-management@securityfocus.com
Subject: RE: Security program development (Plan)

Larry,

Check out the NIST website (www.nist.gov), they have a wealth of organizational,
policy and procedural material that you can benefit from.

One point you made struck me: '... anything that suggests that the security
manager or CISO should not report to the Operations Director'.  My first
thoughts were that you are either aware of a personality conflict with the
OpsDir, or do not like/respect this person.  If such is the case, believe me, I
can feel your pain; been there, experienced that.  I suggest taking the
longer-term view and not institute an organizational structure based upon
individual personalities, but upon factual and objective evidence to best fit
the requirements of the organizational needs into the existing structure.
Objectivity being the key aspect there.  I know it is hard to do, but in the
long run, for your business needs as well as the organization itself, this is
for the best.
 
R,
-Joe Wulf, CISSP
 ProSync Technology Group, LLC
 www.prosync.com
 Senior IA Engineer

-----Original Message-----
From: Larry Erdahl [mailto:larryerdahl@msn.com] 
Sent: Monday, August 15, 2005 16:22
To: security-management@securityfocus.com
Subject: Security program development (Plan)

I have been asked by my organization  to develop a IT security program
(plan) that will
meet today's security standards. I am planning on following ISO 17799, but I am
having a little trouble getting out of the starting blocks.

Can anyone point me to documentation or studies on the proper roles,
responsibilities,and  reporting structure  needed in today's security
departments.

I am specially interested in any thing that suggests that the security manager
or CISO should not report to the Operations Director.

I would appreciate it if you could share your expertise and experience in what
you did in building your security departments (off line if need be).

Thanks...
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: anti-phishing implementation, Lyal Collins
Next by Date:  CIA checklist, Toto A Atmojo
Previous by Thread:  RE: Security program development (Plan), Jose Varghese
Next by Thread:  anti-phishing implementation, Bjorn Borg
Indexes:  [Date] [Thread] [Top] [All Lists]