With cybersecurity attacks on the rise, the ability of an organization to ensure uninterrupted operations is an imperative. No longer can an organization rely solely upon software applications to identify and mitigate cyber risks. It takes a skilled team, led by an experienced manager, to holistically address an organization's technology risks. The National Infrastructure Advisory Council's (NIAC) definition of infrastructure resilience is "the ability to reduce the magnitude and/or duration of disruptive events. The effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt to, and/or rapidly recover from a potentially disruptive event."
A Chief Information Security Officer (CISO) is a senior-level executive within an organization, responsible for proactively protecting the information assets of the organization. The CISO must understand the scope of the organization's needs and goals. Reducing risk through education and training also falls within the CISO's responsibilities. The CISO is a key senior leader who must be intimately involved in the development of the organization's resiliency plan. The CISO uses current technology tools to assess the potential and current risks to the organization's technology infrastructure and to report those risks to key stakeholders. Balancing confidentiality, integrity, and availability (the CIA triad) is at the forefront of every decision. While confidentiality and integrity are the natural focus of an information security professional, availability is just as important to the heads of each department and to the customer, and it is equally a security property. The CISO's ability to communicate at the target audience's level of understanding is key to gaining support in the pursuit of securing the organization's data and systems.
By utilizing the eight domains of the CISSP Common Body of Knowledge (CBK), a CISO can build a proactive information security defense structure that will protect the organization's interests. The following sections describe each domain and give examples of how a Chief Information Security Officer can use this framework to develop a solid information security program for their organization.
Security and Risk Management
Upon acceptance into a new position, a CISO should assess the organization's compliance with regulatory guidance as it pertains to information security, both locally and internationally. A CISO must understand and align security functions to the goals, mission, and objectives of the organization. Operational goals (daily), tactical goals (mid-term), and strategic goals (long-term) must be addressed according to the current and future security posture required in the industry within which the organization operates. A CISO would best support their organization by effectively balancing availability with the integrity and confidentiality of information services. Understanding the legal requirements as they pertain to information security, both nationally and internationally, is necessary for the CISO to protect the organization from potential regulatory violations and from privacy or licensing concerns. In addition to covering regulatory requirements for reporting on and auditing information systems and networks, this domain covers security governance principles that will assist in developing the organization's policies and incident response procedures.
People, internal and external, are always the priority, both in safety and in liability. By developing personnel security policies and information assurance training programs, the CISO will address some of the risk concerns of the organization. These programs and policies must also address external personnel (contractors, vendors, and partners) who have access to networks and/or internal data.
Asset Security
Assigning roles, permissions, classification levels, data security controls, and encryption are the focus of this section of the CISSP CBK. Determining the sensitivity and criticality of the data is necessary for determining the method of controlling and transporting it. The CISO must be in communication with the data, system, and business/mission owners to ensure there is a cooperative effort in developing policies regarding data security controls. The CISO would assist key stakeholders in understanding the risks involved with the different states of data (data in transit, data at rest, and data in use), as well as with residual data left on media after deletion (data remanence), and establish handling and destruction requirements accordingly.
Handling data is just as much about people as it is about systems. Data ownership and responsibilities should be clearly defined and agreed upon. The CISO should assist data owners in understanding their level of accountability when handling data. Without clearly communicated responsibilities and liabilities, data integrity and quality are at risk.
The methods of sending and storing data can be difficult for a CISO to manage. Network security and media handling methods must incorporate means of protecting the data in transit and at rest. Up-to-date methods of encryption must be used to reduce the risk of compromising the organization's data; deprecated algorithms and protocols should be identified and retired as part of routine review. The CISO should be familiar with the different standards and be able to implement and enforce the appropriate ones within their organization. This domain provides links to some of the primary publications that will assist in asset security goals: