
List:       security-basics
Subject:    Re: Who should the Information Systems Security Officer report to?
From:       Mike Kizerian <security () kizerian ! net>
Date:       2009-09-30 21:53:28
Message-ID: 15B9F6FE-D238-4440-98DA-0C9800E63D0A () kizerian ! net

The CISSP material suggests that a CISO should report to the CEO.

Security touches every aspect of business and it is important that  
someone with that knowledge has the CEO's ear.  He/She should be at  
meetings with the other 'C' level execs to ensure that all aspects of  
the business have the appropriate security considerations.

-- 
Mike Kizerian, GPEN, GCFA
210.218.9750
mike@kizerian.net
On Sep 30, 2009, at 1:42 PM, Keith Tomler wrote:

> Thanks for the feedback.
> 
> Four (4) people think the Information Systems Security Officer should
> report to the CIO.
> 
> Six (6) people think otherwise (responses include The Board of
> Trustees, CEO, CSO (who is a peer of the CIO), and CIA (Chief of
> Internal Audit)).
> 
> But as the ISSO, you are technically reporting on an area that is
> under the governance of the CIO.
> If the CIO bottom-lines your eval, doesn't this affect objectivity and
> impartiality?
> 
> I tried to find a best practice, but the best I could find were ISACA
> articles that said:
> 
> "...The CISO's domain has traditionally been the IT function, usually
> reporting to the CIO or another senior IT manager. The broadened focus
> on information security has begun to alter this reporting line. The
> CISO now often reports to a business function such as the chief
> financial officer or chief operating officer, or occasionally directly
> to the CEO.  Another increasingly common line of reporting is to the
> chief risk officer..."
> 
> However, this article was over two years old.  A separate (but
> undated) article on ISACA said:
> 
> "...Information security should have an independent reporting
> structure to ensure that concerns, accomplishments and views on
> governance are properly represented to those ultimately responsible to
> the stakeholders..."
> 
> If you were setting up shop today, who would you have the ISSO/CISO  
> report to?
> 
> Thanks again.
> 
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs  
> an SSL certificate.  We look at how SSL works, how it benefits your  
> company and how your customers can tell if a site is secure. You  
> will find out how to test, purchase, install and use a thawte  
> Digital Certificate on your Apache web server. Throughout, best  
> practices for set-up are highlighted to help you ensure efficient  
> ongoing management of your encryption keys and digital certificates.
> 
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------
> 