Security roles made brilliantly clear

Charles Cresson Wood's latest text focuses on security roles
Security Strategies Alert By M. E. Kabay, Network World
March 20, 2008 12:04 AM ET

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.

Isn't it a chore writing security policies? Aren't they just the most persnickety part of our job communicating security requirements to users? Whenever I teach human factors in information assurance, I emphasize the value of Charles Cresson Wood's famous Information Security Policies Made Easy (ISPME) to policy writers. I mentioned his work in one of my earliest columns for Network World back in 2000 and again in a column in 2001.

Charles Cresson Wood, CISSP, CISA, CISM, is a distinguished contributor to our field; in addition to extensive consulting in a wide range of industries, publication of hundreds of professional articles and five books, and service as a professional editor, he has also contributed expert commentary to the public news media.

Today I'm pleased to report on yet another fine contribution from Wood: his Information Security Roles & Responsibilities Made Easy. Now in its second edition, this compendium complements the ISPME by providing what it claims: an extensive compilation of well-defined roles and responsibilities. The chapters are listed here.

Wood explains how to use the book in his introduction (Chapter 1):

“The entire process of developing and/or revising information security roles and responsibilities documentation has been scripted for you. The chapters in this book are deliberately sequenced so as to step you through all the important tasks on the road to developing professional, relevant, and effective information security roles and responsibilities documentation. The book provides you with all the detailed information you will need to prepare credible and meaningful memos to management to advance an information security roles and responsibilities project.”

An interesting point comes at the end of Chapter 2:

“Perhaps the most significant reason to establish and document clear roles and responsibilities involves increasing worker productivity. Statistical studies of business economics indicate that about half of productivity growth over time comes from more efficient equipment, and about half comes from better trained, better educated, and better managed labor. Thus the clarification and publication of information security roles and responsibilities can have a substantial positive impact on productivity, and thereby markedly improve profits.” The chapter includes 35 other good reasons for establishing clear roles and responsibilities.

The text includes explicit discussions of how to communicate effectively with upper management. For example:

“With the intention to quickly obtain management approval, you should refrain from merging an information security roles and responsibilities project with any other project… Beyond a memo, a brief meeting to discuss the project scope and the involvement of other groups is also recommended. At such a meeting, you can solicit management's ideas about all the different job titles and departments that in one way or another have something to do with information security. A good agenda for such a meeting would be:

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
