Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
Isn't it a chore writing security policies? Aren't they just the most persnickety part of our job of communicating security requirements to users? Whenever I teach human factors in information assurance, I emphasize the value of Charles Cresson Wood's famous Information Security Policies Made Easy (ISPME) to policy writers. I mentioned his work in one of my earliest columns for Network World back in 2000 and again in a column in 2001.
Charles Cresson Wood, CISSP, CISA, CISM, is a distinguished contributor to our field; in addition to extensive consulting in a wide range of industries, publication of hundreds of professional articles and five books, and service as a professional editor, he has also contributed expert commentary to the public news media.
Today I'm pleased to report on yet another fine contribution from Wood: his Information Security Roles & Responsibilities Made Easy. Now in its second edition, this compendium complements the ISPME by providing what it claims: an extensive compilation of well-defined roles and responsibilities. The chapters are listed here.
Wood explains how to use the book in his introduction (Chapter 1):
“The entire process of developing and/or revising information security roles and responsibilities documentation has been scripted for you. The chapters in this book are deliberately sequenced so as to step you through all the important tasks on the road to developing professional, relevant, and effective information security roles and responsibilities documentation. The book provides you with all the detailed information you will need to prepare credible and meaningful memos to management to advance an information security roles and responsibilities project.”
An interesting point comes at the end of Chapter 2:
“Perhaps the most significant reason to establish and document clear roles and responsibilities involves increasing worker productivity. Statistical studies of business economics indicate that about half of productivity growth over time comes from more efficient equipment, and about half comes from better trained, better educated, and better managed labor. Thus the clarification and publication of information security roles and responsibilities can have a substantial positive impact on productivity, and thereby markedly improve profits.” The chapter includes 35 other good reasons for establishing clear roles and responsibilities.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.