Security Basics mailing list archives
Re: Re: Who should the Information Systems Security Officer report to?
From: sfmailsbm () gmail com
Date: Fri, 2 Oct 2009 01:08:08 -0600
my 2 cents:

Understand what we are doing: Information Security vs Information Risk.

We must understand the subtle difference between the 2. Are we doing pure IT Security stuff, i.e. focusing only on the technical issues and controls, e.g. patching, antivirus, root access, DBA access, etc? Or are we considering a function which takes a holistic information risk management approach that takes on board all types of information assets (on PC, server, hardcopy), reviews the way they are being managed, identifies threats and vulnerabilities and recommends mitigating controls?

Info Risk Mgmt requires more involvement of the Business, since we are evaluating their business processes and recommending ways to secure the way they work, and ensuring the business takes 'ownership' of this risk and follows up till it is reduced to an acceptable level.

IT Security will liaise mostly with IT Admins to secure the technical infrastructure.

The way I see it, Info Risk Mgmt will require more management support to be successful than IT Security activities (although both may be done by the same team). Mgmt support is needed to 'force' the business to take on board Information Risk tasks in addition to their day-to-day business, and this is not an easy thing to achieve. Info Risk Mgmt needs an appropriate level of authority so that its recommendations are taken 'seriously'.

Hence, I will conclude that if there is a central Risk Management unit grouping all risk management bodies (e.g. credit risk, market risk, etc), then Info Risk Mgmt should report to this guy. Else report to the CEO directly, since ultimately it is Top Management who is the ultimate owner of the organisation's information and its associated risk. In case of a security breach affecting customer data or financial data, it is Top Management who must ultimately answer!

hope this helps!
Ronish