e running a successful CISO function


Clients can outsource the setting up of the privacy program to CyTRAP Labs, ensuring that all the necessary policies, functions and processes are set up in an appropriate, effective and cost efficient manner.
Policies and regulations must be administered effectively, and violations must be documented. Annual or more frequent audit reports should help the firm improve its information security.
Information security assurance is critical to protecting the firm’s reputation and retaining clients’ trust.

By far the greatest challenge is that many organizations take a linear approach to compliance, of which privacy is an important part. As a result, firms treat privacy as a regulation that represents a one-shot deal: they set up a solution and then move on to the next compliance issue.

Instead, businesses need to understand not only that the regulatory compliance burden is not going away and will need to be dealt with every year, but also that over time there will be more regulations to comply with.

As well, businesses usually set up independent teams to deal with each regulation, instead of working on them in concert. Hence, a successful privacy function has to be part of the firm’s overall compliance strategy.

What is needed to operate a well-structured information security program office

As the company’s senior security officer, the information security officer also has enterprise-level responsibility for all data/information security policies, standards, evaluations, roles, and corporate awareness. In this function, the person oversees, develops and/or manages:

– independent security audits,
– the development and implementation of security policy, standards, guidelines and procedures,
– compliance management and reporting pertaining to the security function,
– ongoing education programs,
– monitoring of third parties,
– incident response planning,
– investigation of security violations or breaches,
– providing technical advice for network and system design, and
– developing acquisition specifications that address IT security considerations.

The above processes and systems must be developed, implemented and administered (see also below).

Information security – reviewing policies

Corporate information security policies are created either as a guideline for the business units or for customer consumption, or both. These policies are general and legal in nature.

Business units may create specific policies, based on the corporate guidelines, to reflect the unique nature of their business. Each business unit tracks specific policies for every customer data repository (e.g., the enterprise resource planning system, also called the ERP database), covering:

– purpose,
– use,
– disclosure,
– archiving or retention,
– access policies for ‘personal data’ (e.g., customer’s name, phone number, credit card info), and
– corporate security policies and directions.

An enterprise’s overall information security policy may have to serve as a template for subsidiaries, while national regulations may require slight adjustments. However, the better the corporate template, the less likely a local subsidiary will have to adjust the policy. Put differently, an information security policy that integrates German, Canadian, U.S. and European Union regulation regarding personal data security breaches is unlikely to require much local modification, if any. In fact, it may exceed most local requirements. Hence, the policy will work in more than one jurisdiction. Having a policy that works across the organization is far more effective than running multiple policies across the enterprise.

Conducting periodic audits

The information security officer is usually required by regulation to provide at least one annual audit in writing. To that end, the officer:

– plans, organizes and conducts systems security evaluations;
– ensures accountability by commissioning periodic external, independent and impartial evaluations of current IT security and risk management efforts;
– gathers documentation and analyzes findings;
– consults with systems users to identify remedies for compliance violations; and
– discloses the results of the external audit to the principal stakeholders, such as customers, investors, executives, government inspectors and auditors, in a transparent and timely manner.

Education programs

Education programs are a key component of the successful implementation of information security policies. They are also a regulatory requirement.

Hence the information security officer designs and conducts, or supports the delivery of, training for staff regarding security rules, regulations, policies and practical issues (what to do when… and how).

For more information, contact us directly