IT security governance is the system by which an organization directs and controls IT security (adapted from ISO 38500). IT security governance should not be confused with IT security management. IT security management is concerned with making decisions to mitigate risks; governance determines who is authorized to make decisions. Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations.
NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.
Enterprise security governance results from the duty of care owed by leadership towards fiduciary requirements. This position is based on judicial rationale and reasonable standards of care [1]. The five general governance areas are:
"Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business." [1]
Governance: doing the right thing.
Management: doing things right.
| Governance | Management |
|---|---|
| Oversight | Implementation |
| Authorizes decision rights | Authorized to make decisions |
| Enact policy | Enforce policy |
| Accountability | Responsibility |
| Strategic planning | Project planning |
| Resource allocation | Resource utilization |
Characteristics of effective security governance [1]
The eleven characteristics of effective security governance are critical for an effective enterprise information security program. They are:
Appendix A lists some excellent comparisons of effective and ineffective governance characteristics from the CERT GES [1].
The following principles describe preferred behavior to guide governance decision making [7].
Listed below are challenges of ineffective governance [1]. These challenges can be very useful in presenting rationale to leadership for implementing an effective institutional security governance model.
Outcomes of effective information security governance should include: [4]
Defining the Information Security Program (so as to define what needs to be governed) [1]
Activities of an information security program directly support/trace to an institutional risk management plan. In other words, the information security program is targeted to managing institutional risk. An effective information security program requires the development and maintenance of:
Information Security Program hierarchical relationships
Some colleges and universities employ risk managers and some do not. Of those institutions that do employ a risk manager, there are few that appear to have an institution-level risk management plan.
The reference to an information security program serving as a business plan for securing digital assets is a simple yet effective communication technique.
Information Security Governance Best Practices [5]
Why is IT governance important? [3]
Directors could be held accountable for breaches of [7]:
Benefits of information security governance [4]
Questions to engage institutional leaders [4]
Thought-provoking questions that institutional leaders can ask (and should be able to answer) to determine the state of their security governance efforts.
Questions individuals responsible for governance should ask and be able to answer.
The ISO (information security officer) position is evolving from a primarily technical position to one that combines both technical and managerial functions. Today IT security is an institutional imperative with critical policy and operational aspects, with attention dedicated from the CIO, general counsel, internal auditor and executive leadership. While the list of tasks for the ISO continues to grow, unfortunately the authority of the role, and challenges to that authority, are often institutionally handled with senior administrators, legal counsel or law enforcement. The ISO must rely on institutional policy and legal compliance in order to effectively control IT security. Building a relationship and consensus with many groups on campus is a key to having security policy compliance. One progressive step is the growing recognition by department managers that they must accept responsibility for their data and its protection. Shifting the role of the ISO from compliance dictator to offering assistance realizes the concept of security as a service [22].
The ISO position is usually limited where the number of staff positions limits the ability to assign exclusive roles to individuals, and thus to dedicate a single entity to enterprise-wide information security. Larger organizations, usually with enrollments over 8,000, recognize security as a top administrative concern and have either created an ISO position or delegated this responsibility to the CIO. However, the shift from security being IT's responsibility to being everyone's responsibility seems to have a greater impact on whether an appointment has been given those specific objectives. The identification of the responsibility is clear; less clear is the manner in which it should be addressed. As this profession gradually changes and increases in visibility (unfortunately through continued breaches, incidents and responses), the need for individuals with the experience of managing these episodes will become evident. As the number of skilled professionals entering this field multiplies, the hope is that the role will be better defined with the proper authority given [22].
Governance frameworks such as COBIT, ITIL, the ISO 17799 information security management standard, and the ISO 9000 quality management standard are used in IT governance processes and structures. ITIL and ISO 17799 are the most common frameworks in use. [23]
Unplanned and uncoordinated localization of authority poses great challenges for institution-wide compliance with security, copyright, privacy, identity and other regulation. It makes it awkward for CIOs to account well for the breadth and depth of overall IT activity, and it can be inefficient. Localization of authority in some areas is critical. The question is not "to centralize or not to decentralize" but where to centralize (or not) and how to harmonize institutional efforts and investments in IT. [23]
IT governance-related committees include [23]:
Governance structures depend on desired outcomes
CERT GES [3] describes structure based on desired outcomes.
Information Security Governance Structures
The NIST Security Handbook [5] states that governance is highly dependent on the overall organization structure.
Political Archetypes
Weill and Ross use political archetypes in IT Governance [3] to describe the people or groups who have decision rights.
Different types of decisions might use different archetypes [3].
| Archetypes \ Decisions | IT Principles | IT Architecture | IT Infrastructure | Business Applications | IT Investment |
|---|---|---|---|---|---|
| Business Monarchy | | | | | |
| IT Monarchy | | | | | |
| Feudal | | | | | |
| Federal | | | | | |
| IT Duopoly | | | | | |
| Anarchy | | | | | |
| Don't know | | | | | |
What Governance Arrangements Work Best [3]
The ISO or CISO is an emerging profession with highly motivated individuals seeking their own professional development through membership in organizations, participation in training where they can find it, and constant sharing of ideas and advice with others both internally and externally to their organization. There does not seem to be a clearly defined path for this new subfield within IT. The vast majority of those in an ISO/CISO position held previous positions in IT and came from higher education backgrounds. Institutions appear to be recruiting security officers from IT managerial ranks. Often these folks started with very strong technical experience and have now developed skills in business process analysis, thus moving away from hands-on activities [22].
In addition to certifications, ISOs find the following "soft skills" beneficial [22].
These soft skills are critical for effective engagement with diverse campus audiences.
Primary ISO responsibilities [22]
Supportive functions of an ISO [22]
Decision-Making Structures
Weill and Ross [3] describe organizational units and roles responsible for making IT decisions, such as committees, executive teams, and business/IT relationship managers.
Who should be concerned with information security governance? [4]
What should the board of directors/trustees and senior executives be doing? [4]
Roles and Responsibilities for an Institution-Wide Security Program
The CERT framework [1] assumes a board risk committee (or equivalent) at the highest governance level.
There are nine groups of personnel involved in developing and sustaining an effective institution-wide security program.
Explanations and examples of each role or team are provided in more detail in Article 2. The matrix in Table 2 of this document could be used to assist in building an institution-wide security program for higher education.
CERT GES [1] offers more detail on selected roles and responsibilities in the following documents.
Summary Roles and responsibilities [2]
| Role | Responsibilities |
|---|---|
| Chief Executive Officer | Oversee overall corporate security posture (accountable to the Board) |
| Chief Security Officer | Set security policies, procedures, program and training |
| Mid-Level Manager | Compliance |
| Enterprise staff/employees | Implement policies |
To Whom Does the ISO Report [25]
| Reports to | 2007 | 2008 | 2009 | 2010 | Percent Change |
|---|---|---|---|---|---|
| Chief Information Officer | 38 | 34 | 32 | 23 | -39% |
| Board of Directors | 21 | 24 | 28 | 32 | +52% |
| Chief Executive Officer | 32 | 34 | 35 | 36 | +13% |
| Chief Financial Officer | 11 | 11 | 13 | 15 | +36% |
| Chief Operating Officer | 9 | 10 | 12 | 15 | +67% |
| Chief Privacy Officer | 8 | 8 | 14 | 17 | +113% |
Appendix B lists descriptions of information security roles and responsibilities from the NIST Security Handbook [5].
Also see CERT EBK, http://www.us-cert.gov/ITSecurityEBK/
Strategic plans, annual performance plans and annual program performance reports constitute the recurring cycle of reporting, planning and execution.
Each security plan must include:
The plans must be revisited when major changes happen, including legislation, regulations, directives, agency mission priorities, and emerging information security issues.
Information Security Policy and Guidance [5]
Information security policy is an aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information. Information security policy is an essential component of information security governance; without the policy, governance has no substance and no rules to enforce.
Information security policy should be based on a combination of appropriate legislation, such as FISMA; applicable standards, such as NIST Federal Information Processing Standards (FIPS) and guidance; and internal agency requirements.
Information security policy at the institutional level should address the fundamentals of the institution's information security governance structure, including:
Candidate policy topics at the governance level (which could be sections in existing, broader policies) may include: [1]
IT and data within higher education information systems are becoming increasingly regulated and scrutinized. This regulation ranges from pressures for disclosure and transparency to pressures for privacy. These pressures accent the need for common approaches, common solutions, and consistent high-quality data. [23]
Challenges and Keys to success [5]
Higher education information systems continue to be subject to a large number of security threats. The ability to secure the gamut of institutional IT resources and data has become a compelling and increasingly urgent need. [23]
Risk management is the ongoing process of identifying information security risks and implementing plans to address them. Often, the number of assets potentially at risk exceeds the resources available to manage them. It is therefore extremely important to know where to apply available resources to mitigate risk in an efficient and cost-effective manner. Risk assessment is the part of the ongoing risk management process that assigns relative priorities for mitigation plans and implementation. These sorts of decisions are institutional in nature (and not technical) and require a governance structure to address them. Depending upon the governance model selected, the governance group may be able to make such institutional priority decisions itself or may make recommendations to even higher decision-making bodies. Please see the Risk Management Framework for a more complete description and a well-defined process outline. See the Risk Management section in the Information Security Guide for more information.
Asset inventories and asset ownership
Before an effective risk management program can be established, critical assets must be identified, documented and tracked. Engaging senior administration to review asset value provides a good opportunity to get security on their agenda. [24]
The following resources provide more information about asset management.
Acquisition and Procurement
IT products that are expensive or will have a significant impact on an institution's liability should be reviewed for IT security risks before purchase. In large institutions, IT product acquisition provides an opportunity to evaluate centralization vs. proliferation of IT resources and the resulting impact on security. Acquisition also serves as a good control point for information security evaluation before investments are made. Contract language might be needed to protect the institution's data, especially with products known as 'software as a service' or SaaS.
Listed below are resources for the acquisition of IT products.
Performance [4] measurement should be a system of measuring, monitoring and reporting information security governance metrics to ensure that institutional objectives are achieved. Development/maintenance of a security and control framework that consists of standards, measures, practices, and procedures is essential to the metric evaluation of the governance structure.
A key metric is the adverse impacts of information security incidents experienced by the institution. An effective security program will show a trend of impact reduction. Quantitative measures can include trend analysis of impacts over time.
Measuring, monitoring and reporting on information security processes ensure that institutional objectives are achieved. Some example metrics might include:
University at Buffalo, New York, Information Security Advisory Structure and IT Policies
University of Florida, Office of the Chief Information Officer and IT Security Regulations
We asked others how they successfully engaged senior management support for security initiatives: "What methods worked at your institution? We've suggested some methods below. Let us know which ones have worked for you and identify other ideas not listed."
Here are some of the responses we received:
For senior management, I would say, "It's all about risk" and risk mitig= ation.
Performing a risk assessment helps us out. If you can get them to commit a few hours of staff time to an RA then you can provide some assurance that whatever steps you recommend are well reasoned and show a risk-based strategy for identifying and solving security problems. This helps me to avoid the impression that an initiative is just the security people being paranoid.
While I don't recommend it, a breach certainly helped get upper management's attention! After the clean up and notification, we were able to garner some additional resources.
On occasion, an audit issue or an incident will also help drive something forward. In my experience, though, you have to capitalize on those pretty quickly, otherwise priorities will shift and they'll be forgotten about.
Years ago I learned the technique of 'digging in front' as in, "If you want to move a large boulder, digging in front of it before pushing from behind makes it much easier to move the boulder." When I want to make something happen, I spend time talking individually with every key player who might have a stake in it (especially those who might be uncertain or against the idea). Digging in front goes a long way.
In advance, evaluation and testing of new security tools and bringing very colorful graphs to senior management, before asking for anything.
What also helps - working behind the scenes, lots of 1-1 engagement in the community (even if not defined as 'key' players), incremental steps and not trying to make the issue so big, encompassing, or scary that it loses credibility, or asking for disproportionate funding or level of authority - it helps to work within the culture.
On the policy front, we've used several methods to achieve support from senior management. When we put a policy in place to address HIPAA security requirements, we worked up-front with the Office of General Counsel to ensure the policy accurately reflected regulatory requirements and then it was simply a matter of saying, hey, this is required by law. The policy was accepted by the University without a hitch. It helped that it was our General Counsel that said that to the President's Council (which approves all policies). We also spent a lot of time building relationships with HR and Student Health since they were the primary stakeholders.
We're currently having a lot of success with our Information Security Policy proposal. Our technique there has really just been understanding business requirements, being flexible and selling it in a manner that makes sense for whichever audience we're presenting to. Letting people talk through their concerns and taking a real interest in addressing those concerns is also very valuable. We've really had little resistance to this point and we're moving along much faster than I would have originally anticipated. I guess this fits into relationship building with key players. There are just a lot of key players when dealing with something that impacts the entire university.
We realized that nearly every department on campus has departmental meetings (larger ones may have more than one kind - a more frequent one for supervisors and another for all staff). These meetings were often looking for agenda items and special speakers. We started calling and got ourselves invited to make small presentations. After a few of these we had a kit full of ready-made presentations that we could modify and use over and over. These visits went a long way to building relationships, raising awareness, and giving others a voice in what we were planning.
Compliance with laws can be a major driver - state data breach law was a motivator here.
We found that having Internal Auditing do an audit and issuing a report is an excellent way to get what we need for security. Complying with IA is always a powerful motivator.
Our university is required to have guidelines that are compatible with State IT security policies and, as a result, our IT security officers developed a comprehensive set of guidelines that address risk management, security policy, access controls, network security, nonpublic information, encryption, and other areas. These guidelines were vetted with the State legislative auditors and are periodically updated to align with revisions to the State IT Security Policy. All of our campuses are required to report on the status of implementation of these guidelines annually and some of the institutional security officers have taken advantage of this reporting process to engage senior management.
I regularly send out breach reports to senior management and even though I am a member of senior management - I use these to get my points across and it is quite effective. I was able to obtain funding for whole disk encryption just recently.
Development, adoption, deployment, and compliance monitoring of an IT Security Governance Industry Standard such as ISO 17799. Concurrent with this - Enterprise ITSEC Strategy (ITSEC is a risk management issue not a technical one!), enabling programs, federated compliance monitoring tools, and performance metrics.
Suggested approach includes:
Hands down the activity that has shown the most success and has proven the most beneficial to our security cause is our incident response strategy when an incident involves confidential data. When this is the case I stand up before our data incident response team to talk through the situation and determine what actions the university needs to take. Since the team involves the appropriate data steward, Dean or unit head where the incident occurred, technical staff in that unit, CIO, University Counsel, Audit, Risk Management, Police and a couple of others, all the right people get to hear first hand our challenges and the consequences of when things don't go right.
After doing this for well over three years I don't need to spend much time around campus trying to sell the need for security.
At our state university, the Vice Chancellor for IT and CIO sits on the Executive Cabinet and periodically briefs the Chancellor and senior management on IT security and policy matters on campus, and in the higher education community. In addition, we had an external security review conducted by a group of experts in IT security and policy from other higher education institutions in 2005, and again early in 2008. The review team provided a report with a number of recommendations that helped "raise the awareness" of the importance of IT security at the institution. We also formed an IT Security & Policy Advisory Committee with representatives from all over campus and have had success in moving forward with a number of security initiatives.
I say, bombard them with information. There are several sites but this one deals with Educational Security Incidents.
We have a couple of real-time graphics that help to convey the message without a lot of tech-talk.
We depict the traffic crossing our border with a 256x256 grid of dots for every possible IP address here. When a packet passes the border, the corresponding dot for the sender/recipient on our end lights up. So, we see how busy various parts of our network are. We also see when we get scanned.
In a 5 minute presentation to one or a group of VPs, you can usually see a scan. Sometimes it's a sequential scan and is pretty obvious, and the rest of the time it's "snow" from a randomized scan that hits our darknet areas as well as the subnets that are assigned. We include in the display the probes that are blocked by border firewall rules. That shows how much we are pre-emptively blocking as well as how much is still getting through. We've talked about having an outside machine that we could use to launch a scan (with a small TTL) during a presentation, but we've never needed to go to the trouble. The hackers are always very accommodating. This is a useful tool for talking with local reporters who can then help get the word out to our users about the importance of patches, updates, firewalls, virus protection, etc.
The second graphic is a dynamic visualization of a subset of our traffic, selected by port or IP range, showing the source and destination and bandwidth in use. We can show unauthorized email servers (like hacked spammers), or unusual DNS queries, or remote desktop connections to unusual outsiders or to sensitive insiders, etc. (We mention that we are careful to not show this second display to reporters.)
With these tools we can visually demonstrate to administrators that we are always subject to probes and frequently have "misbehaving" systems. A picture is worth a thousand words and, for us, a realtime dynamic visualization is worth a thousand pictures.
In general, comparisons with peer institutions and industry standards also go a long way for us in anything we do. It's pretty much expected that we evaluate what other universities are doing.
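The border "dot grid" and the sequential-versus-"snow" scan distinction described in the response above, as an added example that is not part of the original page or any contributor's code. The local /16 (10.0.0.0/16), the external addresses (RFC 5737 test ranges), the flow records and the thresholds are all constructed assumptions.

```python
"""Added example: a tiny offline model of the 256x256 border-traffic grid.
Every address in one /16 maps to a cell (third octet = row, fourth octet = column);
a flow lights the cell of the local endpoint. Per external source we count the
distinct local hosts touched and measure how consecutive those addresses are, to
separate an obvious sequential sweep from randomized "snow" and ordinary traffic."""
import random
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

LOCAL_NET = IPv4Network("10.0.0.0/16")   # assumption: the institution's /16 at the border


def grid_cell(addr):
    """Map a local address to its (row, col) in the 256x256 grid."""
    ip = IPv4Address(addr)
    if ip not in LOCAL_NET:
        raise ValueError(f"{addr} is not inside {LOCAL_NET}")
    return ip.packed[2], ip.packed[3]


def build_grid(flows):
    """flows: iterable of (src, dst). Returns {(row, col): hit_count} for local endpoints."""
    grid = defaultdict(int)
    for src, dst in flows:
        for end in (src, dst):
            if IPv4Address(end) in LOCAL_NET:
                grid[grid_cell(end)] += 1
    return dict(grid)


def classify_source(flows, src, min_hosts=32, sequential_share=0.9):
    """Return 'sequential', 'randomized' or 'none' for one external source.
    Fewer than min_hosts distinct local targets is treated as ordinary traffic.
    Among scanners, the fraction of +1 steps between sorted targets decides."""
    targets = sorted({int(IPv4Address(d)) for s, d in flows
                      if s == src and IPv4Address(d) in LOCAL_NET})
    if len(targets) < min_hosts:
        return "none"
    steps = [b - a for a, b in zip(targets, targets[1:])]
    share = sum(1 for d in steps if d == 1) / len(steps)
    return "sequential" if share >= sequential_share else "randomized"


def scanners(flows, min_hosts=32):
    """Return {external_src: verdict} for every source that looks like a scan."""
    out = {}
    for src in {s for s, _ in flows if IPv4Address(s) not in LOCAL_NET}:
        verdict = classify_source(flows, src, min_hosts)
        if verdict != "none":
            out[src] = verdict
    return out


# Constructed sample flows (external source -> local destination); not real traffic.
_rng = random.Random(7)
SAMPLE_FLOWS = []
# 1) sequential sweep of 10.0.5.1 .. 10.0.5.64 from a TEST-NET-3 address
SAMPLE_FLOWS += [("203.0.113.10", f"10.0.5.{i}") for i in range(1, 65)]
# 2) randomized "snow" over the whole /16 from a TEST-NET-2 address
SAMPLE_FLOWS += [("198.51.100.20",
                  str(IPv4Address(int(LOCAL_NET.network_address) + _rng.randrange(65536))))
                 for _ in range(200)]
# 3) ordinary traffic: three local hosts repeatedly talking to one external web server
SAMPLE_FLOWS += [("192.0.2.80", f"10.0.1.{i}") for i in (10, 11, 12)] * 5

if __name__ == "__main__":
    lit = build_grid(SAMPLE_FLOWS)
    print(f"{len(lit)} of 65536 cells lit")
    print(scanners(SAMPLE_FLOWS))
```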
Information Security Governance
IT Governance
Process and Politics: IT Governance in Higher Education, ECAR study
EDUCAUSE Information Technology Governance Summit (September 10-11, 2007)
Effective/Ineffective Governance Compared
| Effective Governance | Ineffective Governance |
|---|---|
| Board members understand that information security is critical to the organization and demand to be updated quarterly on security performance and breaches. | Board members do not understand that information security is in their realm of responsibility, and focus solely on corporate governance and profits. |
| The board establishes a risk committee that understands security's role in achieving compliance with applicable laws and regulations, and in mitigating organization risk. | Security is addressed ad hoc, if at all. |
| The board risk committee conducts regular reviews of the enterprise information security. | Reviews are conducted following a major incident, if at all. |
| The board's audit committee ensures that annual internal and external audits of the security program are conducted and reported. | The BAC defers to internal and external auditors on the need for reviews. There is no audit plan to guide this selection. |
| The board risk committee and executive management team set an acceptable risk level. This is based on comprehensive and periodic risk assessments that take into account reasonably foreseeable internal and external security risks and magnitude of harm. | The CISO locates boilerplate security policies, inserts the organization's name, and has the CEO sign them. |
| The resulting risk management plan is aligned with the entity's strategic goals, forming the basis for the company's security policies and program. | If a documented security plan exists, it does not map to the organization's risk management or strategic plan, and does not capture security requirements for systems and other digital assets. |
| A cross-organizational security team comprised of senior management, general counsel, CFO, CIO, CSO and/or CRO, CPO, HR, internal communication/public relations, and procurement personnel meets regularly to discuss the effectiveness of the security program, new issues, and to coordinate the resolution of problems. | CEO, CFO, general counsel, HR, procurement personnel, and business unit managers view information security as the responsibility of the CIO, CISO, and IT department and do not get involved. |
| The CSO/CRO reports to the COO or CEO of the organization with a clear delineation of responsibilities and rights separate from the CIO. | The CRO does not interact with the CISO or consider security to be a key risk for the organization. |
| Operational policies and procedures enforce segregation of duties and provide checks and balances and audit trails against abuses. | The CISO reports to the CIO. The CISO is responsible for all activities associated with system and information ownership. |
| Risks (including security) inherent at critical steps and decision points throughout business processes are documented and regularly reviewed. | All security activity takes place within the security department, thus security works within a silo and is not integrated throughout the organization. |
| Executive management holds business leaders responsible for carrying out risk management activities (including security) for their specific business units. | Business leaders are not aware of the risks associated with their systems or take no responsibility for their security. |
| Critical systems and digital assets are documented and have designated owners and defined security requirements. | Systems and digital assets are not documented and not analyzed for potential security risks that can affect operations, productivity, and profitability. System and asset ownership are not clearly established. |
| There are documented policies and procedures for change management at both the operational and technical levels, with appropriate segregation of duties. | The change management process is absent or ineffective. It is not documented or controlled. |
| There is zero tolerance for unauthorized changes with identified consequences if these are intentional. | The CIO (instead of the CISO) ensures that all necessary changes are made to security controls. In effect, separation of duties is absent. |
| Employees are held accountable for complying with security policies and procedures. This includes reporting any malicious security breaches, intentional compromises, or suspected internal violations of policies and procedures. | Policies and procedures are developed but no enforcement or accountability practices are envisioned or deployed. Monitoring of employees and checks on controls are not routinely performed. |
| The ESP implements sound, proven security practices and standards necessary to support business operations. | No or minimal security standards and sound practices are implemented. Using these is not viewed as a business imperative. |
| Security products, tools, managed services, and consultants are purchased and deployed in a consistent and informed manner, using an established, documented process. | Security products, tools, managed services, and consultants are purchased and deployed without any real research or performance metrics to be able to determine their ROI or effectiveness. |
| They are periodically reviewed to ensure they continue to meet security requirements and are cost effective. | The organization has a false sense of security because it is using products, tools, managed services, and consultants. |
| The organization reviews its enterprise security program, security processes, and security's role in business processes. | The organization does not have an enterprise security program and does not analyze its security processes for improvement. |
| The goal of the enterprise security program is continuous improvement. | The organization addresses security in an ad-hoc fashion, responding to the latest threat or attack, often repeating the same mistakes. |
| Independent audits are conducted by the BAC. Independent reviews are conducted by the BRC. Results are discussed with leaders and the Board. Corrective actions are taken in a timely manner, and reviewed. | Audits and reviews are conducted after major security incidents, if at all. |
Roles and Responsibilities from the NIST Security Handbook
Agency Head
Chief Information Officer
Senior Agency Information Security Officer or Chief Information Security Officer
Chief Enterprise Architect
Inspector General (IG)
The IG is a statutory office within an organization that, in addition to other responsibilities, works to assess an organization's information security practices and identifies vulnerabilities and the possible need to modify security measures. The IG completes this task by:
Chief Financial Officer
The CFO is the senior financial advisor to the investment review board (IRB) and the agency head. Information security investments fall within the purview of the CFO and are included in the CFO's reports. In this capacity, the CFO is responsible for:
Chief Privacy Officer
The chief privacy officer is responsible for privacy compliance across an organization, including privacy compliance measures that apply to information security assets and activities. The chief privacy officer works to maintain a balance between security and privacy requirements, and works to ensure that one is not compromised for the sake of the other. To this end, the chief privacy officer serves as the senior official responsible for:
Physical Security Officer (or other designated official with physical security responsibilities)
The physical security officer is responsible for the overall implementation and management of physical security controls across an organization, to include integration with applicable information security controls. As information security programs are developed, senior agency officials should work to ensure this coordination of complementary controls. In consideration of information security, the physical security officer serves as the senior official responsible for:
Personnel Security Officer
This responsibility is often resident within the Human Resources or Human Capital organization. The personnel security officer is responsible for the overall implementation and management of personnel security controls across an organization, to include integration with specific information security controls. As information security programs are developed, senior agency officials should work to ensure this coordination of complementary controls. In consideration of information security, the personnel security officer serves as the senior official responsible for:
Acquisitions/Contracting
The Acquisitions/Contracting function is responsible for managing contracts and overseeing their implementation. Personnel executing this function have the following responsibilities in regards to information security:
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).