Overview of InfoSec Program Management
Previously, I have written about Information Security Program Development and the Security Program Scope, while this time we are going to see the concepts in simple terms of Information Security Program Management. This is the process of oversight, monitoring and controlling all of the information security activities, and always in support of the objectives of our business or organization. Of course we have to combine this with management to know which resources are available to meet our goals in an optimum fashion.
Information Security Program Management is like managing other organizational units or aspects of our business. The problem we are running into here is the challenge that the security management and the program management aren't usually well defined. This is a new discipline that it is misunderstood and there is one area that it isn't fill very well from security managers because most people who are working in a security role are technicians, they are engineers with technical backgrounds who understand security standards, security mechanisms, mitigations, vulnerabilities, hacking tools, threats, etc and they find themselves in a new paradigm with these management responsibilities and they don't have well-defined standards based on years of experience.
The security manager should focus on administrative duties of overseeing daily security operations. Although the manager should also be included in the incident management responding to incidents, also in the disaster recovery, but not into putting in the place systems but actually responding to disasters, and in any investigations working with locals and federal state authorities to help to investigate security breaches on behalf of our organization and other land force entities.
Typically the information security program manager will be one person, may be two people, in small and medium size business advising and answering to CIO, who is more strictly concerned with hardware and software solutions. However, in large organizations we can find infosec managers at corporate executive level advising and answering directly to CEOs, who report to the board of directors.
The InfoSec Manager can have duties like physical security, data security and compliance. Some of this duties may include physical security at the perimeter and at the facilities protecting servers, networking devices, end-users workstations and the actual data security itself, which can be data stored, in transit, over the wire or wireless data. The InfoSec Manager should also treat privacy issues and compliance like LOPD, LSSI, PCI-DSS, etc. In addition, the InfoSec Manager may be part of the process of Business Continuity Plan and Disaster Recovery, which go hand and hand, and also the manager can take part of the overall planning and implementation of the security architecture. This mean that the manager is involved in reporting to executives with steering committees, who are responsible for putting together our programs, our policies and our initiatives of our ongoing security projects.
Best regards my friend and remember, if you have any question, go ahead!!