Tuesday, May 5, 2020
The Rookie Chief ISO free essay sample
CISOs also frequently own or participate closely in related areas such as business continuity planning, loss prevention and fraud prevention, and privacy.

CISO Responsibilities:
• Lead operational risk management activities to enhance the value of the company and brand.
• Oversee a network of security directors and vendors who safeguard the company's assets, intellectual property and computer systems, as well as the physical safety of employees and visitors.
• Identify protection goals, objectives and metrics consistent with the corporate strategic plan.
• Work with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology.
• Maintain relationships with local, state and federal law enforcement and other related government agencies.
• Oversee incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.
• Work with outside consultants as appropriate for independent security audits.

The CSO title is also used at some companies to describe the leader of the corporate security function, which includes the physical security and safety of employees, facilities and assets. Members of the Information Security Team assist the CISO with the design, evaluation, implementation, and management of security programs for the organization.

ii. Within your organizational chart, clearly identify the reporting structure for roles such as IT Security Compliance Officer, Security Manager, CIO, CISO, IT Security Engineer, Privacy Security Professional, and IT Procurement Specialist.

Chief Information Officer
The Chief Information Officer (CIO) is accountable for directing the information and data integrity of the enterprise and its groups and for all Information Technology functions of the enterprise. This includes all data centers, technical service centers, production scheduling functions, help desks, communication networks (voice and data), computer program development, and computer systems operations. He or she is responsible for maintaining the integrity of all electronic and optical books and records of the enterprise. The CIO reviews all computerized and manual systems; information processing equipment and software for acquisition, storage and retrieval; and the definition of the strategic direction of all information processing and communication systems and operations. He or she provides overall management and definition of all computer and communication activities within the enterprise, including a leadership role in the day-to-day operations of the Information Technology functions as well as direction as the enterprise grows through internal growth and external acquisition. The CIO interacts with the executive management team to monitor and validate the enterprise's compliance with its security policies, which includes but is not limited to Sarbanes-Oxley Section 404. In addition, the CIO works closely with the Chief Security Officer of the enterprise.

Security Manager
Under general supervision, directs the information technology security program. This includes developing, implementing, and maturing security on all hospital IT systems in order to centrally manage physical access and access to systems, educate users on their individual responsibilities, and minimize the possibility of malicious access. Guidelines include all departmental, hospital, and personnel policies and procedures. The position requires a high level of technical knowledge in the area of network, server and workstation security. Duties include assessment of risks, implementing security and changing the culture of the institution through training and education, coordinating closely with the Health Sciences Center on security issues and compliance, and preparing and enforcing policies. The position reports to the CIO but, recognizing the network-wide nature of the responsibility, will frequently be involved with policy development and systems security.

Information Technology Security Compliance Officer (SCO)
Has overall responsibility for a comprehensive security program that includes information security policies, compliance, and management. The SCO also develops long-term security strategies and ensures that the company meets all mandated security standards and client needs. He or she provides the security-related vision, leadership, and strategy required for the company's continued marketplace presence and success, and assists in developing and implementing a corporate culture of compliance and information security. The SCO maintains and reinforces this culture throughout the organization via employee training and motivation, so that the culture underpins all business decisions and choices made on a daily basis. The SCO reports to the Security Manager.

Information Security Engineer
Information security engineers ensure that an organization's data and sensitive digital information is kept safe from security breaches. Security engineers must stay one step ahead of potential information security threats by making sure they are consistently informed of new technology and the schemes used by hackers, as well as other types of cyber threats. The Information Security Engineer reports to the Security Manager.

IT Procurement Administrator Specialist
Directs the daily activities of the technology purchasing function. Reviews technology purchasing decisions, orders, and vendor contracts. Oversees the ordering of materials and supplies from vendors. Researches, interviews, and negotiates with suppliers to obtain prices and specifications. Creates purchase orders for the acquisition of materials and performs related administrative tasks. Typically reports to the CISO.

iii. List the type of resources required to fulfill each forensic duty of the organization below each of the roles you identified.

Management is responsible for supporting forensic capabilities, reviewing and approving forensic policy, and approving certain forensic actions. Legal advisors should carefully review all forensic policy and high-level guidelines and procedures, and they can provide additional guidance when needed to ensure that forensic actions are performed lawfully. The human resources department can provide assistance in dealing with employee relations and the handling of internal incidents. Auditors can help determine the economic impact of an incident, including the cost of forensic activity. Physical security staff can assist in gaining access to and physically securing evidence. Although these teams often do not play a prominent role in the forensic process, the services they provide can be beneficial.

iv. Align your organizational chart to reflect the Department of Homeland Security (DHS) EBK three areas of information security: physical security professional, privacy professional, and procurement professional. Provide comments and comparisons on how your organizational chart fosters these values.

The competencies in the physical security professional role assure the integrity and security of the physical elements of the system. The CISO and the Security Manager are responsible for these duties in the organizational chart I proposed for this assignment. The privacy professional duties are equally shared in my organization by the CISO and the Security Manager. The Information Security Manager also has a part of these duties. All procurements are handled by the Procurement Department, which reports directly to the CISO.
No procurements are ordered without going through a thorough review process.

Part 2: Request for Proposal (RFP) Plan

2. Develop an RFP.

Request for Proposal

General Conditions
Daniels Data INC is soliciting bids from qualified vendors for a Closed Circuit Television System for its Cloud Computing Facility located in the Augusta, Richmond County Technology Park. The following request for proposal (RFP) is being provided to you for your consideration. To be considered, your company must meet the qualifications and satisfy the requirements set forth in this RFP.

Bradford Daniels
IT Manager
Daniels Data
Augusta, Ga. 30813

Final proposals must be received at the address noted above by 5:00 PM on Sunday, March 17, 2013. Although cost will be an important factor in awarding the contract, Daniels INC is not obligated by any statute or regulation to award the bid for the Closed Circuit Television Surveillance System on the basis of cost. Accordingly, Daniels INC reserves the right to evaluate all proposals objectively and subjectively and to accept or reject any or all proposals or any portion thereof. Additionally, Daniels INC reserves the right to negotiate changes in equipment with the company determined to have submitted the proposal that is in the best interest of Daniels INC. It is to be understood that this RFP constitutes specifications only for the purpose of receiving proposals for services and does not constitute an agreement for those services.

Withdrawal of Proposals
Proposals shall remain valid for a period of thirty (30) days after submission. Modifications to proposals will not be accepted by Daniels INC, except as may be mutually agreed upon following acceptance of the proposal.

Timetable
RFP released: March 17, 2013
Deadline for receipt of bids: March 30, 2013
Recommendation to Library Board: March 30, 2013
Notification to all vendors as soon as possible after March 17, 2013

Requirements
Bid specifications for the Closed Circuit Television System must match the specifications on the bid sheet, or be of equal specifications, to be accepted. Please include all cost factors and a specific delivery time frame.

Method of Evaluating Proposals
Once the bids have been received, cost and other considerations will be evaluated. Once all factors have been evaluated, the vendor that is the lowest responsive, responsible bidder will be selected for recommendation to the Library Board.

Payment
Final payment to the successful bidder will be made upon completion of delivery, installation of the product, and successful configuration and implementation of the equipment.

a. Describe at least 2 perspectives that need to be closely monitored within the contract.
Quality of the service rendered and cost are the most important things to monitor. Every action a company takes has to make money. A substandard product could push the investment over budget, which costs the company money and time.

b. Give a perspective on at least 2 methods that can be used to evaluate and develop a qualified trusted supplier list.
A supplier will be added to the qualified supplier list if it has demonstrated the ability to deliver a product as specified with the minimum amount of potential risk. A thorough background check on the supplier will also be conducted through research and surveys of past clients.

Part 3: Physical Security Plan

3. Recommend a physical security plan that could be used to protect sensitive areas such as telecom rooms, employee-only areas, and manufacturing facilities in which you:
a. Include at least three specific methods.
This Security Plan constitutes the Standard Operating Procedures relating to physical, cyber, and procedural security for all Daniels INC facilities. It contains a comprehensive overview of Daniels INC's security program and, in some sections, makes reference to other relevant plans and procedures. Security personnel, operators, and selected personnel shall be familiar with the information and procedures associated with this Security Plan. Daniels INC's security systems include:

1. Fencing & Gates
Fencing is the first layer of security at all Daniels INC facilities and transmission/distribution points. Daniels INC has standardized on 8-foot fencing, using tension wire in lieu of bars, placing fence barbs up, and securing the bottom of the fencing below grade. All perimeters and access points are monitored 24/7 by CCTV or contracted security guards.

2. Exterior Lighting
Exterior lighting has been strategically placed throughout Daniels INC to emphasize and highlight perimeters, gate and guard post access points, entry points into buildings, and areas of interest. Lighting can be activated by motion or photocell. Exterior lighting serves as a deterrent, as well as an aid in monitoring the Daniels INC CCTV system.

3. CCTV
Daniels INC has deployed over 100 CCTV cameras throughout the county. These cameras have pan/tilt/zoom (PTZ) capabilities and are strategically placed throughout the facilities. Via our fiber optic infrastructure, the camera signals are sent back centrally to the Daniels INC headquarters office, where they are recorded 24/7. From this central point, Security has the ability to monitor and control all cameras.

4. Electronic Access Control
Daniels INC utilizes a comprehensive Electronic Access Control system, which has been installed throughout the facilities. These card access points secure doors to buildings, access gates, and barrier arms. Through this technology, Security is able to effectively track and control access. Each employee and contractor is required to wear an identification/access badge which is individually tailored for specific access. Daniels INC has also installed a CIP-specific Electronic Access Control system which ensures restricted access to Critical Cyber Asset areas. These Electronic Access Control systems are monitored 24/7.

5. Intrusion Alarms
Intrusion alarms are utilized throughout Daniels INC. These alarms serve two important functions:
• Provide 24/7 monitoring in remote locations where staff is not always present.
• Protect all CIP-designated spaces, in which they are installed.
The alarm sensors include door/window contacts, motion detection, and glass break. These intrusion alarm systems are monitored 24/7.

Part 4: Enterprise Information Security Compliance Program

4. Establish an enterprise information security compliance program that addresses the concerns of the board of directors of the organization in which you:
a. Describe specific plans and control objectives that could be adopted to address the known issues.

There are seven steps chief information security officers can take to launch their organizations in the direction of InfoSec compliance, regardless of their available resources.
• Identify current or potential vulnerabilities. Auditing agency findings and the CISO's own observations and records may be good resources.
• Apply objective values to issues requiring attention. Usually objective measurements coincide with cost.
• Establish a priority list. The cost of security hardware and software is ever-increasing, and the demands on most budgets are great, so choose carefully.
• Start complying. Any progress is progress! Without taking that first step, success can never be realized. Just get in the game.
• Create a comprehensive security, education and awareness program.
This is the first line of defense for information assurance in business, government and military enterprises. Users are often eager to assist and comply when they know the rationale behind such efforts. Make them well aware of the threat. While CISOs may desire to keep successful or attempted attacks confidential, it may be important to share such information with users.
• Market success. Sell your security and compliance program to upper management by illustrating real dollar savings. Everyone loves a winner! Success will be rewarded with dollars to further enhance compliance.
• Always seek to increase budgets. Never miss an opportunity to ask for a budget increase to better safeguard information and enhance the company's bottom line.

b. Suggest at least 3 information security policies that could be developed and practiced within the organization for data security assurance.
• Gain a detailed understanding of the potential environmental risks (for example, viruses, hackers, and natural disasters).
• Make a proactive analysis of the consequences of, and countermeasures to, security breaches in relation to those risks.
• Create a carefully planned implementation strategy for integrating security measures into all aspects of the enterprise network, based on this understanding and analysis.

c. Outline the steps you would take to define the security needs of the organization in duties, staffing, training, and processes.
The essence of the process-oriented approach to security compliance is implementation of a comprehensive written security program that includes:
• Asset assessment: identifying the systems and information that need to be protected
• Risk assessment: conducting periodic assessments of the risks faced by the company
• Security measures: developing and implementing security measures designed to manage and control the specific risks identified
• Address third parties: overseeing third-party service provider arrangements
• Education: implementing security awareness training and education
• Monitoring and testing: ensuring that the program is properly implemented and effective
• Reviewing and adjusting: revising the program in light of ongoing changes

Part 5: Risk Management Plan

5. Develop a risk management plan in which you:
a. Describe at least 3 possible risk management efforts that could be used to assess threats and unknown issues.
b. Determine why defining priorities is an important part of the process when enumerating and having efficient risk control measures.
c. Suggest specific technical and management controls that can be enacted in order to monitor risks accurately.

The benefits of risk management in projects are huge. You can gain a lot of money if you deal with uncertain project events in a proactive manner. The result will be that you minimize the impact of project threats and seize the opportunities that occur. This allows you to deliver your project on time, on budget and with the quality results your project sponsor demands.

Make Risk Management Part of Your Project
The first rule is essential to the success of project risk management. If you don't truly embed risk management in your project, you cannot reap the full benefits of this approach. You can encounter a number of faulty approaches in companies. Some projects use no approach whatsoever to risk management.

Identify Risks Early in Your Project
The first step in project risk management is to identify the risks that are present in your project. This requires an open mindset that focuses on future scenarios that may occur. Two main sources exist to identify risks: people and paper. People are your team members, who each bring along their personal experiences and expertise. Paper is a different story. Projects tend to generate a significant number of (electronic) documents that contain project risks.
They may not always have that name, but someone who reads carefully (between the lines) will find them. The project plan, business case and resource planning are good starting points. Other sources are old project plans, your company intranet and specialized websites.

Communicate About Risks
Failed projects show that the project managers in such projects were frequently unaware of the big hammer that was about to hit them. The frightening finding is that frequently someone in the project organization actually did see that hammer but didn't inform the project manager of its existence. If you don't want this to happen in your project, pay attention to risk communication. A good approach is to consistently include risk communication in the tasks you carry out. If you have a team meeting, make project risks part of the default agenda (and not the final item on the list!). This shows that risks are important to the project manager and gives team members a natural moment to discuss them and report new ones.

Consider Both Threats and Opportunities
Project risks have a negative connotation: they are the bad guys that can harm your project. However, modern risk approaches also focus on positive risks, the project opportunities. These are the uncertain events that are beneficial to your project and organization. These good guys make your project faster, better and more profitable. Unfortunately, lots of project teams struggle to cross the finish line, being overloaded with work that needs to be done quickly. Make sure you create some time to deal with the opportunities in your project, even if it is only half an hour. Chances are that you see a couple of opportunities with a high payoff that don't require a big investment in time or resources.

Clarify Ownership Issues
Some project managers think they are done once they have created a list of risks. However, this is only a starting point. The next step is to make clear who is responsible for which risk. Someone has to feel the heat if a risk is not taken care of properly. The trick is simple: assign a risk owner for each risk that you have found. The risk owner is the person in your team who has the responsibility to optimize this risk for the project. The effects are really positive. At first people usually feel uncomfortable that they are actually responsible for certain risks, but as time passes they will act and carry out tasks to decrease threats and enhance opportunities.

Prioritize Risks
Some risks have a higher impact than others. Therefore, spend your time on the risks that can cause the biggest losses and gains. Check if you have any showstoppers that could derail your project. If so, these are your number 1 priority.

Analyze Risks
Understanding the nature of a risk is a precondition for a good response. Therefore, take some time to have a closer look at individual risks and don't jump to conclusions without knowing what a risk is about. Risk analysis occurs at different levels. If you want to understand a risk at an individual level, it is most fruitful to think about the effects that it has and the causes that can make it happen. The information you gather in a risk analysis will provide valuable insights into your project and the necessary input to find effective responses to optimize the risks.

Plan and Implement Risk Responses
Implementing a risk response is the activity that actually adds value to your project. You prevent a threat from occurring or minimize its negative effects. Execution is the key here. The other rules have helped you to map, prioritize and understand risks. This will help you to make a sound risk response plan that focuses on the big wins. If you deal with threats you basically have three options: risk avoidance, risk minimization and risk acceptance. Avoiding risks means you organize your project in such a way that you don't encounter a risk anymore.
This could mean changing supplier or adopting a different technology or, if you deal with a fatal risk, terminating the project. Spending more money on a doomed project is a bad investment. The biggest category of responses is the one that minimizes risks. You can try to prevent a risk from occurring by influencing its causes, or decrease the negative effects that could result. If you have carried out risk analysis you will have plenty of opportunities to influence it. A final response is to accept a risk. This is a good choice if the effects on the project are minimal or the possibilities to influence it prove to be very difficult, time-consuming or relatively expensive. Just make sure that it is a conscious choice to accept a certain risk.

Register Project Risks
This rule is about bookkeeping (however, don't stop reading). Maintaining a risk log enables you to view progress and make sure that you won't forget a risk or two. It is also a perfect communication tool that informs your team members and stakeholders about what is going on.

Track Risks and Associated Tasks
The risk register you have created will help you to track risks and their associated tasks. Tracking tasks is a day-to-day job for each project manager. Integrating risk tasks into that daily routine is the easiest solution. Risk tasks may be carried out to identify or analyze risks, or to generate, select and implement responses. Tracking risks differs from tracking tasks. It focuses on the current situation of risks. Which risks are more likely to happen? Has the relative importance of risks changed? Answering these questions will help you pay attention to the risks that matter most for your project value.

References
Shoemaker, D., & Conklin, W. A. (2012). Cybersecurity: The Essential Body of Knowledge. Boston, MA: Course Technology Press.
Risk Assessment / Risk Management Guide, Computer Security Resource Center. Retrieved from http://www.csrc.nist.gov
Request for Proposal (RFP): Information Technology IT Strategic Plan. Retrieved from http://www.ebid.board.com
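The Part 5 rules above (assign a named owner to every risk, prioritize by impact with showstoppers first, choose avoid, minimize or accept, and make acceptance a conscious, recorded choice) can be turned into a risk register that checks itself. The Python below is an added example written for this page; it is not part of the original essay or of any source it cites. The 1-to-5 likelihood and impact scale, the "impact 5 means showstopper" threshold, the sample risk entries and the owner titles are all constructed assumptions.

```python
"""Checked risk register for the Part 5 rules (added example; all entries are constructed)."""
from dataclasses import dataclass

SCALE = range(1, 6)            # 1 = lowest, 5 = highest (assumed scale)
RESPONSES = {"avoid", "minimize", "accept"}
SHOWSTOPPER_IMPACT = 5         # impact 5 = could derail the project on its own (assumption)


@dataclass
class Risk:
    rid: str
    description: str
    owner: str                 # Part 5: every risk needs a named risk owner
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (project-threatening)
    response: str              # avoid | minimize | accept
    justification: str = ""    # Part 5: acceptance must be a conscious, recorded choice
    opportunity: bool = False  # positive risk; impact then measures the upside

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def showstopper(self) -> bool:
        return not self.opportunity and self.impact >= SHOWSTOPPER_IMPACT


def validate(risks):
    """Return register defects as strings; an empty list means the register passes."""
    problems, seen = [], set()
    for r in risks:
        if r.rid in seen:
            problems.append(f"{r.rid}: duplicate id")
        seen.add(r.rid)
        if not r.owner.strip():
            problems.append(f"{r.rid}: no risk owner")
        if r.likelihood not in SCALE or r.impact not in SCALE:
            problems.append(f"{r.rid}: likelihood and impact must be 1..5")
        if r.response not in RESPONSES:
            problems.append(f"{r.rid}: unknown response {r.response!r}")
        if r.response == "accept" and not r.justification.strip():
            problems.append(f"{r.rid}: accepted without a recorded justification")
        if r.showstopper and r.response == "accept":
            problems.append(f"{r.rid}: showstopper cannot be accepted, plan avoid or minimize")
    return problems


def prioritize(risks):
    """Showstoppers first, then by likelihood x impact (descending), then by id."""
    return sorted(risks, key=lambda r: (not r.showstopper, -r.score, r.rid))


# Constructed sample register built from the scenario in this essay (the CCTV RFP
# and the physical security plan). Owners are role titles from the org chart.
SAMPLE = [
    Risk("R1", "Single central CCTV recorder at HQ; its loss removes all footage",
         "Security Manager", likelihood=3, impact=5, response="minimize"),
    Risk("R2", "CCTV vendor misses the delivery date in the RFP timetable",
         "IT Procurement Specialist", likelihood=4, impact=3, response="minimize"),
    Risk("R3", "One remote gate's fence barbs face inward",
         "", likelihood=2, impact=1, response="accept"),
    Risk("R4", "Early vendor delivery lets commissioning start two weeks sooner",
         "IT Manager", likelihood=2, impact=3, response="accept",
         justification="Pursue: ask the vendor for its earliest ship date",
         opportunity=True),
]


def report(risks):
    """Prioritized register followed by defects, as printable lines."""
    lines = [f"{r.rid} score={r.score:2d} {'SHOWSTOPPER ' if r.showstopper else ''}"
             f"owner={r.owner or '<unassigned>'} response={r.response}"
             for r in prioritize(risks)]
    return lines + [f"DEFECT {p}" for p in validate(risks)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run stand-alone, the report lists R1 first because it is a showstopper regardless of its likelihood, and flags R3 twice: it has no owner, and it was "accepted" without anyone writing down why. Both are exactly the failures the essay warns about; a register that only stores the list, without these checks, lets them pass silently.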