How should a company's security program define roles and responsibilities?


Shon Harris
02.05.2009


Our company has an increased awareness of computer security. The problem, however, is that the physical security, legal, and IT security departments all want to be the decision-makers. How does a company define roles and responsibilities for these areas when all of these departments have a stake in our security program?

This is a common issue that many organizations are running into today. Security is practiced in different silos, which prevents standardization or a real understanding of what the company's risk level is. To address the issue, a CISO or CSO position must be created, and that officer should be responsible for security in all of these areas. He/she has to set up processes, communication structures and reports. Someone in such a position can follow this security program implementation approach:

  • Plan and organize
    • Establish management commitment
    • Create oversight steering committee
    • Assess business drivers
    • Carry out a threat profile on the organization
    • Perform a risk assessment
    • Develop security architectures at an organization, application, network and component level
    • Identify solutions per architecture level
    • Obtain management approval to move forward
  • Implement
    • Assign roles and responsibilities
    • Develop and implement security policies, procedures, standards, baselines and guidelines
    • Identify sensitive data at rest and in transit
    • Implement the following programs:
      • Asset identification and management
      • Risk management
      • Vulnerability management
      • Compliance
      • Identity management and access control
      • Change control
      • Software development life cycle
      • Business continuity planning
      • Security awareness training
      • Physical security
      • Incident response
    • Implement solutions (administrative, technical, physical) per program
    • Develop auditing and monitoring solutions per program
    • Establish goals, service level agreements, and metrics per program
  • Operate and maintain
    • Follow procedures to ensure that all baselines are met in each implemented program
    • Carry out internal and external audits
    • Carry out tasks outlined per program
    • Manage service level agreements per program
  • Monitor and evaluate
    • Review logs, audit results, collected metric values and SLAs per program
    • Assess goal accomplishments per program
    • Carry out quarterly meetings with steering committee
    • Develop improvement steps and integrate into the "Plan and organize" phase

Your management needs to understand that one person has to coordinate security within the organization and serve as the liaison between management and the rest of the company. The chief security officer (or chief information security officer) then needs to understand the risks that the company faces and reduce those risks to an acceptable level. This officer is responsible for understanding the organization's business drivers and should create and maintain a security program that supports those drivers while providing compliance with a long list of regulations and laws.

Additionally, the security business leader must balance security requirements with business needs and ensure that business is not disrupted in any way due to security issues. This extends beyond IT and reaches into business processes, legal concerns, operational issues, revenue generation, reputation protection and risk management -- all of this needs to be done in a cost-effective manner, too!

It is also helpful for an organization to set up a security steering committee, which provides a more holistic approach to security and allows the current owners of security to work as a team. Such a committee is responsible for making decisions on tactical and strategic security issues within the enterprise and should not be tied to any particular business unit. The group should view the impact of security decisions on individual departments and then the organization as a whole. The CEO should head the steering committee, and the CFO, CIO, department managers and chief internal auditor should all be members of this group.

This committee should meet at least quarterly and have a well-defined agenda. Some of this group's responsibilities are listed below:

  • Define the acceptable risk level for the organization
  • Develop security objectives and strategies
  • Determine priorities of security initiatives based on business needs
  • Review risk assessment and auditing reports
  • Monitor business impact of security risks
  • Review major data security breaches and incidents
  • Approve any major change to the security policy and program

Overall, it's important for an organization's management to adhere to this outline, so that the right people are charged with the right security responsibilities.
