Information Security Management ResourceKit

A Public Service of SecureTheVillage


The Information Security Management & Leadership Team

Team Mission, Goals, and Objectives

Team Mission

The Information Security Management & Leadership Team is responsible for managing the organization’s risk-based Information Security Management Program, designed to protect the confidentiality, integrity, and availability of the organization’s information.

The Information Security Management & Leadership Team is also responsible for organizational leadership in creating a cybersecurity culture.

Team Goals

The Information Security Management & Leadership Team has seven goals.

  1. Ethical Responsibility: Manage the security of information with the recognition that what is at stake is the lives and fortunes of our clients and customers, our people, and our community.
  2. Proportionate Risk: Manage the security of Information proportionate to the harm that its loss of confidentiality, integrity, or availability could cause the organization, its clients and customers, its people, and the community.
  3. Commercial Reasonableness: Manage the security of information in a manner that is commercially reasonable for the organization’s particular circumstances: industry, size, nature of information at risk, etc.
  4. Organizational Completeness: Manage information risk across the entire organization, including third parties and vendors.
  5. Minimize Operational Impact: Manage the security of Information in ways that minimize the impact on operations and staff productivity.
  6. Cost-Effectiveness: Manage the security of information to minimize the organization’s Total Cost of Information Security (SM).
  7. Continuous Improvement: Continuously improve the organization’s ability to identify and respond to (i) changes in the organization’s risk profile resulting from changes in the threat environment, laws and regulations, and contracts; (ii) the availability of new and improved countermeasures; and (iii) discovered weaknesses in existing countermeasures.

Team Objectives

The Information Security Management & Leadership Team is to

  1. Establish and maintain Information Security Policies and Standards to guide the organization in securing information.
  2. Ensure staff are provided awareness training, education and organizational leadership in creating a cybersecurity culture.
  3. Ensure IT security management conforms to organizational standards and commercially reasonable practices.
  4. Maintain commercially reasonable assurance that vendors and third parties with whom information is shared properly protect that information.
  5. Ensure information resilience: the organization’s ability to detect and recover from security incidents and interruptions, and its ability to restore normal operations.
  6. Provide staff with information security tools (e.g., password management tools).
  7. Work with the Finance Department to manage the risk of online bank fraud.
  8. Ensure the organization is in compliance with laws, regulations and contractual agreements.
  9. Coordinate the organization’s use of cyber-insurance as a risk management vehicle.
  10. Support business development, primarily in response to inquiries from prospects and clients about our information security management program.


Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.


Team Membership, Chair, and Meetings

Team Membership

Team Selection: The Chief Executive and the Information Security Manager (ISM) identify the team members.

Selection Criteria: Given the above Mission, Goals and Objectives, the team needs to include members at an executive level of authority. The team must also be sufficiently broad that every staff member and vendor is in a management chain led by a member of the team, i.e., every staff member and vendor is ‘represented’ by a member of the team. Vertically, the team must extend upward to executive levels; horizontally, there are to be no ‘orphans.’

Required Team Members

  • Information Security Manager (ISM)
  • Chief Financial Officer
  • Highest-ranking IT person: CIO, CTO, Director of IT, IT Manager
  • Chief Risk Officer (if present)
  • Chief Legal Officer (if present)
  • If the highest-ranking IT person is not an officer, the person to whom the highest-ranking IT person reports

Additional Team Members

Other Team members are to be selected as appropriate to the organization’s size and organizational structure. These may include

  • Chief Operations Officer
  • Director of Human Resources
  • Other Department Heads: Sales, Marketing, Manufacturing, etc.
  • Partner-in-Charge of Administration (in a professional services firm)
  • Head of the Technology Committee (in a professional services firm)
  • Director of Development (in a non-profit)

Subject Matter Expertise

The Team is to include, or be supported by, information security subject matter expertise.

The Team is to have available, and use as appropriate, subject matter experts in leadership and culture.

Team Chair

The ISM chairs the Information Security Management & Leadership Team.

Team Meetings

The Team is to meet at least monthly.


Team Operations

Get Started

  1. Initial Team Training.
  2. Implement information security management policies and standards.
  3. Provide basic awareness training to staff.
  4. Conduct an Information Security Risk Assessment.
  5. Develop Findings and Recommendations.

Develop the Initial Action Plan

Develop an Initial Action Plan based on the Findings and Recommendations of the Information Security Risk Assessment.

  1. What’s to be done in the next 3 months?
  2. What’s to be done in the next 6 months?
  3. What’s to be done in the next 12 months?

Monthly Meetings to Work the Plan

  1. The ISM and the Team are to meet monthly to work the plan, reviewing the following:
  2. What was planned for the month?
  3. What was accomplished?
  4. What was the basis for being under/over?
  5. What are the plans for next month?
  6. What are the rolling plans for the next 3 months, 6 months and year?


Team Authority, Accountability, and Governance

Team Authority

  • In coordination with the Chief Executive, the Team has the authority to establish information security policies, standards and other materials and to hold staff accountable for compliance.
  • In coordination with the Chief Financial Officer, the Team has the authority to establish budgets, commit resources and direct expenditure of organizational resources.

Accountability and Governance

  • The Team will be held accountable by the Chief Executive (and Board) for implementing the organization’s Information Security Management Program.
  • The Team will meet quarterly with the Chief Executive to review the Information Security Management Program: plans; accomplishments; outcomes; and challenges.


A Few Quotes about High Performance Teams

Trust is knowing that when a team member does push you, they’re doing it because they care about the team. … Patrick Lencioni

Talent wins games, but teamwork and intelligence wins championships. … Michael Jordan

Coming together is a beginning. Keeping together is progress. Working together is success. … Henry Ford

Perfection is not attainable, but if we chase perfection we can catch excellence. … Vince Lombardi

No one is as smart as everyone. … Tom Petzinger

There is no “I” in Team … Anonymous

If everyone is moving forward together, then success takes care of itself. … Henry Ford


Copyright © 2023 · SecureTheVillage