Saturday 8 September 2012

InfoSec & Senior Management

Within an organisation the buck stops with senior management. They have a duty of care to all stakeholders to ensure the organisation is run correctly, and they discharge that duty through governance: the consistent management, cohesive policies, guidance, processes and decision rights that apply to a given area of responsibility.

Senior management can delegate the work of meeting regulatory and statutory requirements, but they always retain accountability for compliance with those requirements. Delegation moves the task, not the responsibility.

Governance is about the prudent man rule, that is, being able to show due care and due diligence: http://geraintw.blogspot.co.uk/2012/05/prudent-man-rule.html

In terms of information security, senior management set the agenda for information security and the priorities for implementation, and provide the resources so that the Information Security Officer (ISO) and their team can implement an information security management system.

The decisions senior management make are based on the information they have about threat agents, vulnerabilities, likelihood and potential impact, along with the possible countermeasures, the reduction in risk each would bring and its cost. This information will normally come from the information security function. However, there can be a conflict of interest when the team asking for resources is also the only source of the risk information that justifies them. For this reason larger organisations often use an enterprise-wide committee with responsibility for security to provide that information; the committee is made up of individuals from different business and organisational units and may include external experts.

Senior management will expect assurance that the policies have been carried out according to their instructions and expectations. This assurance comes from two sources: reporting and auditing.

Reporting: information security provides reports back to senior management and other stakeholders. A common form of reporting for those who do not need the technical detail is the dashboard, often using traffic-light (red/amber/green) status to give a quick visual summary of the state of security within the organisation. For such a dashboard to be meaningful the criteria for each colour must be defined in advance, otherwise the status reflects the opinion of whoever compiled it rather than a measured state.

Auditing provides assurance to senior management that the information security management system is being implemented and run in a manner they find acceptable. Successful auditing, however, requires suitable metrics to audit against and clear accountability for each control, so that a finding can be tied to an owner.

Along with setting corporate policy, senior management also set the acceptable level of risk-taking for the organisation, its risk appetite. KPMG have a good document on this subject: http://www.kpmg.com/CN/en/IssuesAndInsights/ArticlesPublications/Documents/Risk-appetite-O-200806.pdf

In summary, senior management own the information security risk and set what they consider to be an acceptable risk appetite for the organisation. They empower the information security team to implement the policies, decisions and priorities they have set, but they will expect assurance, via reporting and auditing, about the success of the information security policy. They will also expect the information security management system to deliver a positive return on the resources they allocated to it.

1 comment:

  1. Needed to post you that very small remark just to thank you so much as before considering the pleasant information you’ve discussed above. This has been simply particularly generous with people like you to allow unreservedly what exactly a lot of people would’ve offered for sale as an e-book to help make some money on their own, chiefly seeing that you might have tried it in case you wanted. The creative ideas as well served as the fantastic way to fully grasp someone else have the identical keenness really like my very own to find out more and more with regards to this issue. I’m sure there are numerous more pleasurable times up front for folks who look over your site. QMS Audits
