Security Basics mailing list archives
Re: Who should the Information Systems Security Officer report to?
From: Keith Tomler <ktomler () gmail com>
Date: Wed, 30 Sep 2009 14:42:06 -0400
Thanks for the feedback. Four (4) people think the Information Systems Security Officer should report to the CIO. Six (6) people think otherwise (responses include The Board of Trustees, CEO, CSO (who is a peer of the CIO), and CIA (Chief of Internal Audit)).

But as the ISSO, you are technically reporting on an area that is under the governance of the CIO. If the CIO bottom lines your eval, doesn't this affect objectivity and impartiality?

I tried to find a best practice, but the best I could find were ISACA articles that said:

"...The CISO’s domain has traditionally been the IT function, usually reporting to the CIO or another senior IT manager. The broadened focus on information security has begun to alter this reporting line. The CISO now often reports to a business function such as the chief financial officer or chief operating officer, or occasionally directly to the CEO. Another increasingly common line of reporting is to the chief risk officer..."

However, this article was over two years old. A separate (but undated) article on ISACA said:

"...Information security should have an independent reporting structure to ensure that concerns, accomplishments and views on governance are properly represented to those ultimately responsible to the stakeholders..."

If you were setting up shop today, who would you have the ISSO/CISO report to?

Thanks again.
Current thread:
- Who should the Information Systems Security Officer report to? Keith Tomler (Sep 29)
- Re: Who should the Information Systems Security Officer report to? Mike Hale (Sep 29)
- RE: Who should the Information Systems Security Officer report to? Bahrs, Art (Sep 29)
- RE: Who should the Information Systems Security Officer report to? Jens C. Laundrup (Sep 30)
- Re: Who should the Information Systems Security Officer report to? Keith Tomler (Sep 30)
- Re: Who should the Information Systems Security Officer report to? Dan Anderson (Sep 30)
- RE: Who should the Information Systems Security Officer report to? Bahrs, Art (Sep 29)
- Re: Who should the Information Systems Security Officer report to? Mike Hale (Sep 29)