
Information Security Management ResourceKit

A Public Service of SecureTheVillage

Information Security Management & Governance

Information Security Manager

The Information Security Manager (ISM) is the organization’s most senior person with management and leadership responsibility for information security. The ISM may also be called the Chief Information Security Officer (CISO).

In mid-size and smaller organizations, Information Security Manager is often not a full-time position. The ISM may therefore hold other responsibilities, such as CFO, Chief Operations Officer, Managing Partner, Chief Legal Officer, or Chief Risk Officer.

The Information Security Manager

  • Is appointed by the organization’s Chief Executive with the responsibility, accountability and authority for information security management, and with leadership responsibility for evolving a cyber-adaptive culture.
  • Leads the Information Security Management & Leadership Team in managing the organization’s information risk.
  • Works with the organization’s attorneys and others to manage the organization’s operational compliance with applicable information security laws, regulations and contractual requirements.
  • Works with IT to ensure that security of the IT infrastructure is managed in accordance with documented security standards, such as SecureTheVillage’s Code of Basic IT Security Management Practices.
  • Works with HR and other managers to SecureTheHuman.


Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.


The NIST Framework — The Information Security Management Chain

Following the NIST Framework for Improving Critical Infrastructure Cybersecurity, managing the security of information hinges on five security management capabilities (the Framework’s core Functions):

  1. Identify: what information needs to be protected, where it is located, and the risks to it
  2. Protect: that information against those risks
  3. Detect: attacks on that information and other security incidents
  4. Respond: to attacks and other incidents, especially successful attacks
  5. Recover: from the incident, returning to normal operations

The information security management community has begun referring to these capabilities as information resilience: The ability of an organization to continue to provide an acceptable level of performance throughout all phases of the management chain, particularly respond and recover.


Team Mission, Goals, and Objectives

Team Mission

The Information Security Management & Leadership Team is responsible for managing the organization’s risk-based Information Security Management Program, designed to protect the confidentiality, integrity, and availability of the organization’s information.

The Information Security Management & Leadership Team is also responsible for organizational leadership in creating a cybersecurity culture.

Team Goals

The Information Security Management & Leadership Team has seven goals.

  1. Ethical Responsibility: Manage the security of information recognizing that what is at stake is the lives and fortunes of our clients and customers, our people, and our community.
  2. Proportionate Risk: Manage the security of information in proportion to the harm that a loss of its confidentiality, integrity, or availability could cause the organization, its clients and customers, its people, and the community.
  3. Commercial Reasonableness: Manage the security of information in a manner that is commercially reasonable for the organization’s particular circumstances: industry, size, nature of the information at risk, etc.
  4. Organizational Completeness: Manage information risk across the entire organization, including third parties and vendors.
  5. Minimize Operational Impact: Manage the security of information in ways that minimize the impact on operations and staff productivity.
  6. Cost-Effectiveness: Manage the security of information to minimize the organization’s Total Cost of Information Security (SM).
  7. Continuous Improvement: Continuously improve the organization’s ability to identify and respond to (i) changes in the organization’s risk profile resulting from changes in the threat environment, laws and regulations, and contracts; (ii) the availability of new and improved countermeasures; and (iii) discovered weaknesses in existing countermeasures.

Team Objectives

The Information Security Management & Leadership Team is to

  1. Establish and maintain Information Security Policies and Standards to guide the organization in securing information.
  2. Ensure staff are provided awareness training, education and organizational leadership in creating a cybersecurity culture.
  3. Ensure IT security management conforms to organizational standards and commercially-reasonable practices.
  4. Maintain commercially reasonable assurance that vendors and 3rd-parties with whom information is shared properly protect that information.
  5. Ensure information resilience: the organization’s ability to detect and recover from security incidents and interruptions, and its ability to restore normal operations.
  6. Provide staff with information security tools (e.g., password management tools).
  7. Work with the Finance Department to manage the risk of online bank fraud.
  8. Ensure the organization is in compliance with laws, regulations and contractual agreements.
  9. Coordinate the organization’s use of cyber-insurance as a risk management vehicle.
  10. Support business development, primarily in response to inquiries from prospects and clients about our information security management program.


Team Membership, Chair, and Meetings

Team Membership

Team Selection: The Chief Executive and the Information Security Manager (ISM) identify the team members.

Selection Criteria: Given the above Mission, Goals and Objectives, the team needs to include members at an executive level of authority. The team also must be sufficiently broad so that all staff and vendors are in a management chain led by a member of the team, i.e., every staff member and vendor is ‘represented’ by a member of the team. Vertically, the team must extend upwards to executive levels and horizontally, there are to be no ‘orphans.’

Required Team Members

  • Information Security Manager (ISM)
  • Chief Financial Officer
  • Highest-ranking IT person: CIO, CTO, Director of IT, IT Manager
  • Chief Risk Officer (if present)
  • Chief Legal Officer (if present)
  • If highest-ranking IT person is not an Officer, then the person to whom the highest-ranking IT manager reports

Additional Team Members

Other Team members are to be selected as appropriate to the organization’s size and organizational structure. These may include

  • Chief Operations Officer
  • Director of Human Resources
  • Other Department Heads: Sales, Marketing, Manufacturing, etc.
  • Partner-in-Charge of Administration (in a professional services firm)
  • Head of the Technology Committee (in a professional services firm)
  • Director of Development (in a non-profit)

Subject Matter Expertise

The Team is to include, or be supported by, information security subject matter expertise.

The Team is to have available, and use as appropriate, subject matter experts in leadership and culture.

Team Chair

The ISM chairs the Information Security Management & Leadership Team.

Team Meetings

The Team is to meet at least monthly.


The Objective of Information Security Management

The Objective of Information Security Management is to Manage Information Risk

  • Cyber Fraud
  • Business Email Compromise
  • Information Theft
  • Ransomware
  • Denial of Service Attack
  • Regulatory non-compliance
  • Disaster

Information Risk Impacts Business Risk

  • Loss of Money
  • Loss of Brand Value
  • Loss of Competitive Advantage

Information Risk Measures

  • Thirty percent (30%) of cybercrime victims are smaller organizations
  • Sixty percent (60%) of these victims are out of business within 6 months
  • Eighty percent (80%) of these breaches are preventable with basic security management

Managing information risk means ensuring four things

  1. The confidentiality and privacy of sensitive information
  2. The integrity of information and data
  3. The availability of critical information
  4. The authenticity of communications

The Context of Information Security Management

Information security management augments insurance and other forms of risk transfer. It also takes place in the legal context of commercial reasonableness.


Team Operations

Get Started

  1. Initial Team Training.
  2. Implement information security management policies and standards.
  3. Provide basic awareness training to staff.
  4. Conduct an Information Security Risk Assessment.
  5. Develop Findings and Recommendations.

Develop the Initial Action Plan

Develop an Initial Action Plan based on the Findings and Recommendations of the Information Security Risk Assessment.

  1. What’s to be done in the next 3 months?
  2. What’s to be done in the next 6 months?
  3. What’s to be done in the next 12 months?

Monthly Meetings to Work the Plan

The ISM and Team are to meet monthly to work the plan, reviewing:

  1. What was planned for the month?
  2. What was accomplished?
  3. What was the basis for being under or over plan?
  4. What are the plans for next month?
  5. What are the rolling plans for the next 3 months, 6 months and year?



Copyright © 2023 · SecureTheVillage