The Wide Range of Information/Cybersecurity Responsibilities

Aug 09, 2017

It’s a tough job, but somebody has to do it.

In many organizations, an information security officer position is responsible for facilitating the development, implementation, and oversight of all information/cybersecurity activities. This position can go by many different names: Chief Information Security Officer (CISO), Information Security Officer (ISO), or Chief Security Officer (CSO), to name a few.

No matter what you call the individual in charge of information/cybersecurity, the thing that matters to companies both big and small is having a knowledgeable, experienced leader in charge of all aspects of organizational security management.

That leader’s responsibilities make up a long and critical list (see below). Is anything missing from your information/cybersecurity leader’s list? Here are some of the key responsibilities* that should be on it:

  • Oversee, verify compliance with, and enforce all activities necessary to meet regulatory requirements and the organization’s policies and procedures.
  • Create and maintain formal organizational and operational information/cybersecurity policies and procedures.
  • Manage the information/cybersecurity risk management program and proactively evaluate the effectiveness of the program, making changes as needed on an ongoing basis through compliance and vulnerability management activities.
  • Ensure plans for training, testing, and monitoring workforce compliance are developed, implemented, maintained, and regularly reviewed.
  • Perform or oversee technical and nontechnical assessments to validate compliance with information/cybersecurity policies and procedures.
  • Document security-related activities and completed assessments, and retain them in accordance with federal and state record retention requirements.
  • Ensure security activities (e.g., implementing controls, correcting nonconformities) are coordinated in advance and communicated throughout the entire organization.
  • Assess program effectiveness annually.
  • Manage the organization’s information/cybersecurity education, training, and awareness programs. Ensure the workforce receives initial training (upon hire) and annual refresher training.
  • Facilitate the security incident/breach response team.
  • Ensure that all systems undergo a security review annually or when changes that could impact system security occur.
  • Ensure that new systems undergo a thorough security review prior to being put into production to ensure that the confidentiality, availability, and integrity of data are properly maintained.
  • Assist Human Resources, when necessary, on matters pertaining to workforce background investigations and disciplinary action related to noncompliance with security policies and procedures.
  • Ensure that all service providers, contractors, consultants, etc., have undergone a vendor risk assessment prior to any information exchange or access to information systems.
  • Assist in the administration and oversight of vendor agreements.
  • Provide annual “State of the Information/Cybersecurity Program” briefings to senior leadership and the board of directors/trustees on the overall posture of the information/cybersecurity program, including areas of risk that require attention and an overview of incidents that occurred during the last year and what actions were taken to prevent recurrence.
  • Participate as a member of the incident management, crisis management, business continuity, and disaster recovery teams.
  • Work with and advise facility management on matters related to physical and environmental security.
  • Work with senior leadership to ensure the information/cybersecurity program is properly staffed and receives adequate funds needed to successfully maintain the program.
  • Provide clear direction and visible management support for security initiatives.
  • Manage security measures designed to reduce the risk of identity theft/insider threats.

*Based on numerous industry standards and not intended to be an all-inclusive list of responsibilities of person(s) responsible for information/cybersecurity.


Author(s)

Rick Ensenbach, CISSP, CISA, CISM, ISSMP, CCSFP
Senior Manager

WipfliSecurity Blog