search

Who is responsible for secure information information security?

1 anos atrás
Comentários: 0
Visualizações: 196

If you noticed your neighbor’s house was on fire, you would call the fire department. You would want to help the neighbor and also ensure that the fire doesn’t spread to other homes. It takes a lot of people to protect your neighborhood. Everyone in the neighborhood has some responsibility to ensure everyone’s safety.

Show

Information has a life of its own. It travels by many different methods; it is collected on paper forms, through Web sites and over the phone. It is processed by people and used in business transactions, such as transferring money or mailing bank statements. Information resides on desktops, laptops and servers.

No single person is responsible for the security of the information. It is the responsibility of the whole to ensure the privacy and accuracy of the information.

Those responsible for securing information include:

Managers, data custodians and system owners

These groups collaborate with business partners, technologists, employees and users to ensure that policies, procedures and best practices are implemented. They are aware of the risks to managing the information and how it is processed. They identify resources for addressing these risks. They may lead efforts to:

  • Classify the information by understanding what information is vital to the organizational mission.
  • Document a security program to ensure that the organization understands the security controls and procedures.
  • Address risks as information systems are implemented, updated and taken off line.

Business partners

Business partners are responsible for processing the information. They collaborate with technologists to implement systems that digitally collect, store and transfer the information. Business Partners collaborate internally and externally to build and maintain information systems. Business partners may work with:

  • System owners to classify information and to identify and address risks.
  • Technologists to build requirements that include secure management of information.
  • Employees, system users and vendors to build awareness of how to securely manage information, including how to comply with policies and procedures.

Employees

Employees are responsible for following the policies and procedures for managing the information in a secure manner. Examples include but are not limited to:

  • Shred documents with restricted data such as Social Security numbers, bank and account numbers, and health information. Maintain documents in accordance with the policies and practices of the archives and records management services.
  • Manage/secure workstations by using a strong password or passphrase, using anti-virus software and not storing restricted information on local workstations or mobile devices.
  • Report risks and incidents to System Owners.

Technologists

Technologists develop, implement and maintain the information systems by setting up servers, developing code, administering applications, maintaining networks and building security controls and procedures. They implement controls and processes to protect the information. Their job functions include:

  • Implement access controls to enforce least privilege and separation of duties.
  • Establish good practices for managing changes to application code, servers and the network.
  • Protect the network by implementing network controls such as firewalls, intrusion detection/prevention devices and encryption of the information over the network.

Vendors

Business partners often rely on vendors as a solution for implementing services in a cost-effective manner. In contractual agreements, system owners and business partners should identify how the vendor should manage the information. Contractual agreements should include:

  • A statement of organizational policies and procedures that the vendor is responsible for following.
  • A statement that classifies the information.
  • Instructions for securing the information.

System users

System users are responsible for understanding policies and procedures that apply to them. Unlike employees, they might not work for the system swner (for example, applicants to UW use our system but are not employees). They should also be aware of how to protect their identity information. System Users will benefit from an understanding of:

  • The appropriate uses of the system.
  • Terms and usage agreements for the system
  • If and how their information may be shared with other parties in specific situations.
  • How to create and maintain a strong password.
  • How to identify a trusted web site or email.

The role of the Chief Information Security Officer (CISO) requires a combination of technical and soft skills, such as business acumen, leadership, communications and relationship building. Additionally, a CISO must adopt a continuous approach to learning and up-skilling in order to maintain pace with the cyber threat landscape and new technologies. It is expected that a CISO show innovation and imagination in conceiving and delivering cyber security strategies for their organisation.

Providing cyber security leadership and guidance

To provide cyber security leadership and guidance within an organisation, it is important that the organisation appoints a CISO.

Control: ISM-0714; Revision: 5; Updated: Oct-20; Applicability: All; Essential Eight: N/A
A CISO is appointed to provide cyber security leadership and guidance for their organisation.

Overseeing the cyber security program

The CISO within an organisation is responsible for overseeing their organisation’s cyber security program and ensuring compliance with cyber security policy, standards, regulations and legislation. They are likely to work with a Chief Security Officer, a Chief Information Officer and other senior executives within their organisation.

Control: ISM-1478; Revision: 1; Updated: Oct-20; Applicability: All; Essential Eight: N/A
The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation.

Control: ISM-1617; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities.

Control: ISM-0724; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
The CISO implements cyber security measurement metrics and key performance indicators for their organisation.

Coordinating cyber security

The CISO is responsible for ensuring the alignment of cyber security and business objectives within their organisation. To achieve this, they should facilitate communication between cyber security and business stakeholders. This includes translating cyber security concepts and language into business concepts and language, as well as ensuring that business teams consult with cyber security teams to determine appropriate controls when planning new business projects. Additionally, as the CISO is responsible for the development of their organisation’s cyber security program, they are best placed to advise projects on the strategic direction of cyber security within their organisation.

Control: ISM-0725; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key cyber security and business executives, which meets formally and on a regular basis.

Control: ISM-0726; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
The CISO coordinates security risk management activities between cyber security and business teams.

Reporting on cyber security

The CISO is responsible for reporting cyber security matters to their organisation’s senior executive or Board. Reporting should cover:

  • the organisation’s security risk profile
  • the status of key systems and any outstanding security risks
  • any planned cyber security uplift activities
  • any recent cyber security incidents
  • expected returns on cyber security investments.

Reporting on cyber security matters should be structured by business functions, regions or legal entities and support a consolidated view of an organisation’s security risks.

It is important that the CISO is able to translate security risks into operational risks for their organisation, including financial and legal risks, in order to enable more holistic conversations about their organisation’s risks.

Control: ISM-0718; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
The CISO reports directly to their organisation’s senior executive or Board on cyber security matters.

Overseeing incident response activities

To ensure the CISO is able to accurately report to their organisation’s senior executive or Board on cyber security matters, it is important they are fully aware of all cyber security incidents within their organisation.

The CISO is also responsible for overseeing their organisation’s response to cyber security incidents, including how internal teams respond and communicate with each other during an incident. In the event of a major cyber security incident, the CISO should be prepared to step into a crisis management role. They should understand how to bring clarity to the situation and communicate effectively with internal and external stakeholders.

Control: ISM-0733; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
The CISO is fully aware of all cyber security incidents within their organisation.

Control: ISM-1618; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
The CISO oversees their organisation’s response to cyber security incidents.

Contributing to business continuity and disaster recovery planning

The CISO is responsible for contributing to the development and maintenance of their organisation’s business continuity and disaster recovery plans, with the aim to improve business resilience and ensure the continued operation of critical business processes.

Control: ISM-0734; Revision: 3; Updated: Jun-21; Applicability: All; Essential Eight: N/A
The CISO contributes to the development and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster.

Developing a cyber security communications strategy

To facilitate cyber security cultural change across their organisation, the CISO should act as a thought leader by continually communicating their strategy and vision. A communication strategy can be helpful in achieving this. Communications should be tailored to different parts of their organisation and be topical for the intended audience.

Control: ISM-0720; Revision: 1; Updated: Oct-20; Applicability: All; Essential Eight: N/A
The CISO develops and maintains a cyber security communications strategy for their organisation.

Working with suppliers

The CISO is responsible for ensuring that consistent vendor management processes are applied across their organisation, from discovery through to ongoing management. As supplier relationships come with additional security risks, the CISO should assist personnel with assessing cyber supply chain risks and understand the security impacts of entering into contracts with suppliers.

Control: ISM-0731; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
The CISO oversees cyber supply chain risk management activities for their organisation.

Receiving and managing a dedicated cyber security budget

Receiving and managing a dedicated cyber security budget will ensure the CISO has sufficient access to funding to support their cyber security program, including cyber security uplift activities and responding to cyber security incidents.

Control: ISM-0732; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
The CISO receives and manages a dedicated cyber security budget for their organisation.

Overseeing cyber security personnel

The CISO is responsible for the cyber security workforce within their organisation, including plans to attract, train and retain cyber security personnel. The CISO should also delegate relevant tasks to cyber security managers and other personnel as required and provide them with adequate authority and resources to perform their duties.

Control: ISM-0717; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
The CISO oversees the management of cyber security personnel within their organisation.

Overseeing cyber security awareness raising

To ensure personnel are actively contributing to the security culture of their organisation, a cyber security awareness training program should be developed. As the CISO is responsible for cyber security within their organisation, they should oversee the development and operation of the cyber security awareness training program.

Control: ISM-0735; Revision: 2; Updated: Oct-20; Applicability: All; Essential Eight: N/A
The CISO oversees the development and operation of their organisation’s cyber security awareness training program.

Further information

Further information on responding to cyber security incidents can be found in the managing cyber security incidents section of the Guidelines for Cyber Security Incidents.

Further information on cyber supply chain risk management can be found in the cyber supply chain risk management section of the Guidelines for Procurement and Outsourcing.

Further information on the procurement of outsourced services can be found in the managed services and cloud services section of the Guidelines for Procurement and Outsourcing.

Further information on cyber security awareness training programs can be found in the cyber security awareness training section of the Guidelines for Personnel Security.

System owners

System ownership and oversight

System owners are responsible for ensuring the secure operation of their systems. However, system owners may delegate the day-to-day management and operation of their systems to system managers.

Control: ISM-1071; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
Each system has a designated system owner.

Control: ISM-1525; Revision: 1; Updated: Jan-21; Applicability: All; Essential Eight: N/A
System owners register each system with its authorising officer.

Protecting systems and their resources

Broadly, the risk management framework used by the Information Security Manual has six steps: define the system, select controls, implement controls, assess controls, authorise the system and monitor the system. System owners are responsible for the implementation of this six step risk management framework for each of their systems.

Control: ISM-1633; Revision: 0; Updated: Jan-21; Applicability: All; Essential Eight: N/A
System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised.

Control: ISM-1634; Revision: 1; Updated: Jun-22; Applicability: All; Essential Eight: N/A
System owners select controls for each system and tailor them to achieve desired security objectives.

Control: ISM-1635; Revision: 2; Updated: Jun-22; Applicability: All; Essential Eight: N/A
System owners implement controls for each system and its operating environment.

Control: ISM-1636; Revision: 1; Updated: Jun-22; Applicability: All; Essential Eight: N/A
System owners ensure controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended.

Control: ISM-0027; Revision: 4; Updated: Jan-21; Applicability: All; Essential Eight: N/A
System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation.

Control: ISM-1526; Revision: 2; Updated: Jun-22; Applicability: All; Essential Eight: N/A
System owners monitor each system, and associated cyber threats, security risks and controls, on an ongoing basis.

Annual reporting of system security status

Annual reporting by system owners on the security status of their systems to their authorising officer can assist the authorising officer in maintaining awareness of the security posture of systems within their organisation.

Control: ISM-1587; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
System owners report the security status of each system to its authorising officer at least annually.

Further information

Further information on using the Information Security Manual’s six step risk management framework can be found in the applying a risk-based approach to cyber security section of Using the Information Security Manual.

Further information on monitoring systems and their operating environments can be found in the event logging and monitoring section of the Guidelines for System Monitoring.

Q&A Who

Postagens relacionadas

How many ways can you distribute R identical balls into n distinct boxes with exactly m boxes empty?
How many ways can you distribute R identical balls into n distinct boxes with exactly m boxes empty?

What is the process of dividing a physical server into several virtual servers called virtual private servers?
What is the process of dividing a physical server into several virtual servers called virtual private servers?

Select the map that shows the first permanent english settlement in what is now the united states.
Select the map that shows the first permanent english settlement in what is now the united states.

What ideas did the framers borrow from enlightenment thinkers
What ideas did the framers borrow from enlightenment thinkers

How to change time on lexus rx 350 2008
How to change time on lexus rx 350 2008

What are some of the current challenges that operations managers face in each decision area?
What are some of the current challenges that operations managers face in each decision area?

What is the meaning of unstructured data?
What is the meaning of unstructured data?

What is the importance of learning the cone of experience in delivering your activities to your students?
What is the importance of learning the cone of experience in delivering your activities to your students?

What is synergistic effect of drugs
What is synergistic effect of drugs

What are three advantages of a company manufacturing overseas and 2 disadvantages?
What are three advantages of a company manufacturing overseas and 2 disadvantages?

Best way to season ribs for the oven
Best way to season ribs for the oven

Where to buy sk8 the infinity manga
Where to buy sk8 the infinity manga

Esqueci de tomar o antibiótico na hora certa o que fazer
Esqueci de tomar o antibiótico na hora certa o que fazer

What is the correct order in which sound waves are transmitted through the ear I tympanic membrane II ossicles III external auditory canal IV cochlea?
What is the correct order in which sound waves are transmitted through the ear I tympanic membrane II ossicles III external auditory canal IV cochlea?

Which is the correct order of events of sound transmission through the ear 1 sound waves strike the eardrum?
Which is the correct order of events of sound transmission through the ear 1 sound waves strike the eardrum?

2022 mazda cx-5 grand touring reserve vs signature
2022 mazda cx-5 grand touring reserve vs signature

How do you make glasses on little alchemy?
How do you make glasses on little alchemy?

What is the 5 benefits in planting trees?
What is the 5 benefits in planting trees?

The Nine Lives of Chloe King Alek
The Nine Lives of Chloe King Alek

Where can I watch Rick and Morty
Where can I watch Rick and Morty

Publicidade

ÚLTIMAS NOTÍCIAS

How many factors of 400 are not multiples of 2
1 anos atrás . por WhisperedBaker
A relatively new discipline, motion graphics began with
1 anos atrás . por EnhancedSolitude
A policy loan is made possible by
1 anos atrás . por AffirmativeBonus
Its a small world meaning
1 anos atrás . por PollutedTossing
Which of the following nutrients yield energy?
1 anos atrás . por Blue-grayWarmth
What was the significance of the first continental congress in 1774?
1 anos atrás . por AtmosphericTyrant
When was Fairfield CA founded?
1 anos atrás . por IntermediateApparatus
When assessing the intensity of a patients pain, which question by the nurse is appropriate
1 anos atrás . por Door-to-doorHamburger
How many liters of water must be added to 16 liters of milk and water contains 10% water to make it 20% water in it?
1 anos atrás . por BogusMorale
How many spectral lines are obtained when an electron drops from 4th Shell to ground shell?
1 anos atrás . por BadAllegiance

Toplistas

#1
Top 8 mensagem de 30 anos de aniversário 2022
2 anos atrás
#2
Top 7 jogo do bicho palpite do dia de hoje 2022
2 anos atrás
#3
Top 7 melhor comprimido para dor de cabeça 2022
2 anos atrás
#4
Top 6 explique a influência da corrente do golfo no atlântico norte sobre a europa ocidental 2022
1 anos atrás
#5
Top 7 como é o nome da música 2022
2 anos atrás
#6
Top 7 cloridrato de meclizina para que serve 2022
2 anos atrás
#7
Top 4 existe outra regionalização que é utilizado para dividir o país em três partes 2022
1 anos atrás
#8
Top 7 500g de presunto preço 2022
2 anos atrás
#9
Top 8 o país que mais emite gases de efeito estufa atualmente é há uma grande probabilidade 2022
1 anos atrás
#10
Top 8 um elemento químico da família dos halogênios (7 elétrons na camada de valência) 2022
1 anos atrás

Publicidade

Populer

Token Data

Publicidade

Sobre

Jurídica

Ajuda

Social

homeendefrjakoptzhhi
direito autoral © 2024 cemle Inc.