As a result, a smaller organization may combine the CISO responsibilities with those of the CIO or delegate them to the CIO. The CISO uses the tactical plan to establish, prioritize, and obtain the means necessary for the most important assignments, while providing support and security for that plan. This position is more security-oriented than the CIO. The CISO reports to the CIO and is responsible for adopting and creating internal strategies that support the overall plans of the organization (Whitman & Mattord, 2013). The responsibilities of the CISO concentrate primarily on security management and process improvement. The CISO works to protect an organization’s trade secrets, financial data, and proprietary information and to ensure that they remain secure on a daily basis. The CISO serves not only as the business’s spokesperson and law enforcement representative, but is also responsible for balancing security needs with the organization’s business plan, identifying risks, and presenting solutions. This position develops security policies and procedures, as well as plans and tests responses related to security …
As outlined in the lesson plan, an “information security policy (ISP) provides rules for the protection of the information assets of an organization” (Whitman & Mattord, 2013). The policy serves as a guideline for safeguarding an organization’s operations and data assets, ensuring that all users, that is, everyone on the IT network, follow the rules for the safe and secure use of information. When security controls, data ownership, and security infrastructure are consistently applied and upheld, a strong security posture can be achieved (Mass.gov, 2013). The elements of an information security policy should include purpose, scope, objectives, authority and access, data classification, and data support and operations. The purpose of an ISP is to create a general approach to information security, detect and anticipate compromised or misused information and systems, protect the organization, and uphold the rights of customers (Infosec Institute, 2014). The purpose is the foundation of the ISP and guides the rest of the policy. The scope identifies everyone governed by the policy, including contractors. The scope also specifies which information, systems, and technology infrastructure must abide by the ISP. The security objectives should accomplish three main goals: confidentiality, integrity, and availability. By ensuring confidentiality, data and information assets are