Contents
1: What This Tool Can Do For You
2: Reasons To Establish Clear Roles & Responsibilities
3: Persuading Management To Document Roles and Responsibilities
Sample Memo To Management – Why Document Security Roles and Responsibilities
4: Before You Document Roles & Responsibilities
5: Updating Roles & Responsibilities
6: Who Should Write Roles & Responsibilities Documents
7: Review & Approval Of Roles & Responsibilities
8: Resources Required To Document Roles & Responsibilities
9: Time Estimates To Document Roles & Responsibilities
10: Key Information Security Documents
Information Security Department and Other Department Missions
Information Security Staff and Other Staff Job Descriptions
Information Security Department Reporting Relationships Diagram
Information Security Awareness Pamphlet
Information Security Awareness Reminder Memos
Information Security Policy Manual
Information Security Standards Document
Information Security Architecture Document
Information Security Action Plan
Information Security Forms
Systems Administration Procedures Manual
Risk Acceptance Memos
Information Systems Contingency Planning Manual
Organizational Code of Conduct
Standard Operating Procedures (SOP) Manual
Systems Development Process Manual
Application System Requirements Documents
User and Computer Operations Application Manuals
Records Management Policies and Procedures Manual
Worker Performance Reviews
Systems Usage Responsibility Agreements
Outsourcing and Consulting Agreements
Confidentiality and Non-Compete Agreements
Human Resources Manual
Physical Security Pamphlet
Sample Organizational Mission Statements (Ch. 11)
Information Security Department
Physical (Industrial) Security Department
Internal Audit Department
EDP Audit Unit
Ethics and Compliance Unit
External Auditing Firm
Records Management Department
Information Technology Department
Help Desk Unit
Network Operations Unit
Computer Operations Unit
Systems Administration Unit
Database Administration Unit
Data Administration Unit
Insurance and Risk Management Department
Contingency Planning Unit
Computer Emergency Response Team
Legal Department
Human Resources Department
Information Security Management Committee
Information Technology Steering Committee
Board of Directors – Audit Committee
Internal Control Committee
Facilities Management Outsourcing Firm
Sample Job Descriptions For Specific Roles
Information Security Department Manager
Access Control System Administrator
Internal Information Security Consultant
Information Security Engineer
Information Security Documentation Specialist
Information Systems Contingency Planner
Local Information Security Coordinator
Chief Information Officer
Information Systems Analyst/Business Analyst
Systems Programmer
Business Applications Programmer
Computer Operations Manager
Computer Operator
Information Systems Quality Assurance Analyst
Help Desk Associate
Archives Manager/Records Manager
Telecommunications Manager
Systems Administrator/Network Administrator
Web Site Administrator/Commerce Site Administrator
Database Administrator
Data Administration Manager
Physical Security Department Manager
Physical Asset Protection Specialist
Building and Facilities Guard
Office Maintenance Worker
Internal Audit Department Manager
EDP Auditor
Internal Intellectual Property Attorney
Human Resources Department Manager
Human Resources Consultant
Receptionist
Outsourcing Contract Administrator
In-House Trainer
Insurance and Risk Management Department Manager
Insurance and Risk Management Analyst
Business Contingency Planner
Public Relations Manager
Chief Financial Officer
Purchasing Agent
Chief Executive Officer
Chapter 13: Information Security Reporting Relationships
Option 1: Information Technology
Option 2: Security
Option 3: Administrative Services
Option 4: Insurance & Risk Management
Option 5: Strategy & Planning
Option 6: Legal
Option 7: Internal Audit
Option 8: Help Desk
Option 9: Accounting & Finance through I.T.
Option 10: Human Resources
Option 11: Facilities Management
Option 12: Operations
Summary
Chapter 14: Template Customization Factors
Local Laws and Regulations
Industry Category
Criticality to the Business
Line or Staff Organizational Culture
Scope of Information Security Function
Information Security Effort Sophistication
Size of Organization
Outsourcing
Intended Audience
Separation of Duties
Cross-Training and Backup
Formatting
Chapter 15: Owner, Custodian, And User Roles
Chapter 16: Roles & Responsibilities Of Product Vendors
Chapter 17: Roles & Responsibilities Of Outsourcing Firms
Chapter 18: Adjustments For Smaller Organizations
Chapter 19: A Centralized Organizational Structure
A Few Critical Distinctions
Information Security Activities That Should Be Centralized
Why Centralized Information Security Management Is Advisable
Drawbacks Of Centralized Information Security Management
Resolving A Variety Of Implementation Issues
Chapter 20: Workers In Information Security Related Positions Of Trust
Nature Of The Problem
Suggested Strategies
Chapter 21: Common Mistakes You Should Avoid
Appendix A: Information Security Staffing Levels
Information Security Staffing: Calculating the Standard of Due Care
Appendix B: Personal Qualifications
Excellent Communication Skills
Ability to Resolve Conflicts Between Security and Business Objectives
Ability to See the Big Picture
Basic Familiarity with Information Security Technology
Commitment to Staying on Top of the Technology
Familiarity with Information Security Management
Tolerance for Ambiguity and Uncertainty
Ability to Manage Many Important Projects Simultaneously
Ability to Work Independently
A Certain Amount of Polish
Appendix C: Performance Criteria
Information Security Department Metrics
Individual Worker Metrics
Appendix D: Professional Certifications
Appendix E: Responsibility and Liability
Appendix F: Sample User Responsibility Agreement
Appendix G: Disclosing Roles and Responsibilities
Appendix H: Role Based Access Control
About the Author: Charles Cresson Wood
What's New in Version 3?
Information Security Roles and Responsibilities Made Easy, Version 3 is the new and updated version of the best-selling security resource by Charles Cresson Wood, CISSP, CISA, CISM. Version 3 is based on Mr. Wood's 30-year consulting and security experience and contains these new, updated features to help you save money while establishing a due-care information security organization:
New Department Mission Statements
1. Updated information-security-related committee, board, and department mission statements, including new descriptions for Disaster Recovery Team, Change Control Committee, Privacy Oversight Committee, and a Board Of Directors Governance Committee.
New information-security-related job descriptions
2. Over forty updated information-security-related job descriptions including brand new job descriptions for Chief Privacy Officer (CPO), Chief Security Officer (CSO), Chief Knowledge Officer (CKO), Ethics Officer and Data Librarian.
3. Expanded job descriptions and mission statements reflecting the latest business and technological developments (such as digital rights management systems and wireless networks) and legislative and regulatory requirements such as those of the Sarbanes-Oxley Act.
More Expert Advice on Building the Security Organization
4. Additional management justifications for compiling, documenting and updating roles and responsibilities, including ways in which this effort minimizes the cost of providing adequate information security services.
5. A significantly expanded discussion of the pros and cons of outsourcing the information security function, including outsourcing-firm due-diligence, secure outsourcing procedures, and possible conflicts of interest when retaining a third party.
6. Actions you should take to reduce your organization’s exposure to workers in information security related positions of trust.
7. Added citations supporting the legal notion of the standard of due care as it relates to management responsibility, including discussion of the Hooper Doctrine, to help justify an investment in information security organizational infrastructure.
8. An expanded discussion of the personality characteristics needed for work in information security, including discussion about the pros and cons of hiring hackers and others who have been on the wrong side of the law.
9. New decision-making criteria for releasing or withholding roles and responsibilities documentation to/from various external parties.
10. Updated information security professional certifications with web sites, phone numbers, and addresses so the reader can easily get more information about them.
11. A new appendix which explores the synergy between role based access control (RBAC) and clarification of information security roles and responsibilities.
Information Security Roles and Responsibilities Made Easy, Version 3.0 contains easily-customized documents in MS-Word format.
About the Author: Charles Cresson Wood
Recipient of Computer Security Institute’s Lifetime Achievement Award
Charles Cresson Wood, CISSP, CISM, CISA is an author, researcher, and management consultant based in Mendocino, California. In the information security field on a full-time basis since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute), as well as lead network security consultant at Bank of America. He has done information security work with over 120 organizations, many of them Fortune 500 companies, including a significant number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world.
He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in information security architectures, information security requirement statements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.
He has published over 375 technical articles and six books in the information security field. In addition to various TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented cutting-edge information security ideas at over 100 technical and professional conferences around the globe.
For over 10 years, Mr. Wood was a Senior North American Editor for the Elsevier academic research journal “Computers & Security” and the practitioner’s newsletter “Computer Fraud & Security Bulletin.” For over 17 years, for the Computer Security Institute, he wrote a monthly column about information security policies for the newsletter “Computer Security Alert.” He has also been an information security strategy columnist for the global technology media company TechTarget.
He holds an MBA in financial information systems, an MSE in computer science, and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He has also passed the Certified Public Accountant (CPA) examination. He is a Certified Information Security Manager (CISM), a Certified Information Systems Auditor (CISA), and a Certified Information Systems Security Professional (CISSP). In November 1996 he received the Lifetime Achievement Award from the Computer Security Institute for his “sincere dedication to the computer security profession.” Mr. Wood is currently attending St. Francis School of Law on a part-time basis, and when he graduates and passes the California bar exam, he intends to specialize in intellectual property protection and privacy matters.
Here is a sampling of the over 375 security related articles by Charles Cresson Wood:
“Researchers Must Disclose All Sponsors And Potential Conflicts,” Computer Security Alert, No. 197, March 2000; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 220]
“Integrated Approach Includes Information Security,” Security, pp. 43-44, February 2000; Publisher: Cahners, Des Plains, IL. [pub. no. 219]
“Get Data Safety Policies In Place,” American Banker, 11 February 2000, p. 7; Publisher: American Banker, New York, NY. [pub. no. 218]
“All Internet Personal Data Gathering Techniques Must Be Disclosed,” Computer Security Alert, No. 196, February 2000; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 217]
“The Information Security Profession: Evolutionary Career Paths,” Information Security, November 1999; Publisher: ICSA.net, Norwood, MA. [pub. no. 214]
“Disclosures Of Private Information Without Data Subject Consent,” Computer Security Alert, No. 193, November 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 212]
“Termination Of Outsourcing Contracts For Security Violations,” Computer Security Alert, No. 191, September 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 210]
“Top Ten Impediments To Implementing An Information Security Policy,” Information Security, September 1999 (cover story); Publisher: Information Security, Norwood, MA. [pub. no. 209]
“A Functional Comparison Of Tandem Data Replication Software Packages,” an extensive independent report prepared for customers and prospects, August 1999; Publisher: Compaq Corporation, Cupertino, CA. [pub. no. 207]
“Subjects Given Opportunity To Block Private Information Disclosures,” Computer Security Alert, No. 189, June 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 205]
“Use Of Personal Digital Assistants, Hand-Held Computers, And Smart Phones For Corporate Business Information,” Computer Security Alert, No. 186, March 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 202]
“All Systems Access Privileges Cease When Workers Terminate,” Computer Security Alert, No. 185, February 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 202]
“Non-Compliance And Disciplinary Action,” Computer Security Alert, No. 182, November 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 198]
“Convenience Versus Multi-Factor User Authentication,” Computer Security Alert, No. 181, October 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 196]
“Twelve New Vulnerabilities Introduced by Internet Commerce,” Information Security Bulletin, September 1998 (volume 3, issue 6, cover story); Publisher: Chi Publishing Ltd., London, England. [pub. no. 195]
“All Telephone Transactions Require Positive Caller Identification,” Computer Security Alert, No. 179, August 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 193]
“The Truth About Masquerading and Spoofing,” Network Magazine, February 1998; Publisher: Miller Freeman, San Francisco, CA. [pub. no. 183]
“Unauthorized Information Disclosure and Loss of Stock Options,” Computer Security Alert, No. 173, December 1997; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 185]
“Managing Perceptions About Internet Electronic Commerce Security,” Computer Security, Audit & Control, February 1997; Publisher: Management Advisory Services Publications, Wellesley Hills, MA. [pub. no. 165]
“Information Security: Are We Winning the Game?” Computer Fraud & Security Bulletin, January 1997; Publisher: Elsevier Science Technology, Oxford, England. [pub. no. 162]
“Encryption for Files Left on Anonymous FTP Servers,” Computer Security Alert, No. 163, October 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 159]
“Encryption Systems Must Include Key Escrow,” Computer Security Alert, No. 157, April 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 152]
“Cryptography Plays Central Role in Future Electronic Commerce,” Computer Fraud & Security Bulletin, March 1996, pp. 9-10; Publisher: Elsevier Science Technology, Oxford, England. [pub. no. 151]
“Users Must Not Attempt to Eradicate Viruses,” Computer Security Alert, No. 156, March 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 150]
“EDP Audit Must Be Independent of Information Security,” Computer Security Alert, No. 155, February 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 147]
“Reliance on Information Downloaded From Internet,” Computer Security Alert, No. 153, December 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 145]
“When to Report Computer Crimes to Law Enforcement,” Computer Security Alert, No. 151, October 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 141]
“New Intellectual Property and the Need for Information Security,” Computer Fraud & Security Bulletin, September 1995, pp. 18-19; Publisher: Elsevier Science Ltd., Oxford, England. [pub. no. 139]
“Require Approval for Official Statements Posted to the Internet,” Computer Security Alert, No. 149, August 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 136]
“Internet Anarchy and the Effectiveness of Laws,” Computerworld, 12 June 1995. Expanded version also appears as “Need for Worldwide Internet Laws,” Computer Fraud & Security Bulletin, p. 10, July 1995; Publisher: Elsevier Science Publishers, Oxford, England. [pub. no. 133]
“ISO9000 and Information Security,” Computers & Security, vol. 14, no. 4, pp. 287-288, October 1995; Publisher: Elsevier Science Publishers, Oxford, England (co-author Karen Snow). [pub. no. 131]
“Why SATAN Should Not Have Been Distributed As It Was,” Computer Security Alert, No. 146, May 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 128]
“Destroy Archived Electronic Mail Periodically,” Computer Security Alert, No. 142, January 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no. 124]
“Wireless Network Security,” Proceedings of Wireless Datacom ’94 Conference held in Washington, DC, 6-8 December 1994; Publisher: Business Communications Review, Hinsdale, IL. [pub. no. 122]
“Fifty Ways to Secure Dial-Up Communications,” Computers & Security, May 1994, vol. 13, no. 3, pp. 209-215; Publisher: Elsevier Advanced Technology, Oxford, England. [pub. no. 118]
“Identity Token Usage at American Commercial Banks,” Computer Fraud & Security Bulletin, March 1995, pp. 14-16; Publisher: Elsevier Science Publishers, Oxford, England. [pub. no. 114]
“Security Problems in Collaborative Computing,” Network World, October 1994; Publisher: International Data Group, Framingham, MA. [pub. no. 113]
“The Newest Threat to Information Security: Open Book Management,” EDPACS, August 1994; Publisher: Warren Gorham Lamont, Boston, MA. [pub. no. 110]
“Principles of Secure Information Systems Design with Groupware Examples,” Proceedings of the Groupware ’92 Conference, held in San Jose, California, 3-5 August 1992; Publisher: Morgan Kaufmann Publishers, San Mateo, CA. [pub. no. 75]
“A Strategy for Developing Information Security Documents,” Journal of Information Systems Security, vol. 1, issue 2, Summer 1992, pp. 71-78; Publisher: Auerbach Publishers, New York, NY (co-author: Juhani Saari). [pub. no. 68]
“Using Information Security to Achieve Competitive Advantage,” Proceedings of the 18th Annual CSI Conference, Miami, Florida, November 11-15, 1991; Publisher: Computer Security Institute, San Francisco, California. [pub. no. 58]
“Data Dictionaries and Information Security,” Proceedings of SECURICOM ’84 International Conference, Cannes, France, 29 February – 2 March 1984, pp. 55-63; Publisher: SEDEP, Paris, France. [pub. no. 24]
“International Barriers to Information Flows,” SRI International Business Intelligence Report, Report #1057, March 1981; Publisher: SRI International, Menlo Park, CA. [pub. no. 10]
“Computer Crime: Criminal Justice Resource Manual,” with Parker, Donn B., 1979; Publisher: U.S. Government Printing Office, Washington, DC; prepared for U.S. Department of Justice; order no. 1979-311-379/1710. [pub. no. 1]