
Information Security Titles “Out Of Control”

We are in an era where Security and Compliance have made it to the forefront of corporate board room discussions. It is now one of the key topics on the agenda. Are we protecting our corporate and personal data? Are we meeting both corporate and regulatory requirements as they relate to data privacy (HIPAA, GLBA, SOX, PCI DSS)?

With these questions hovering over corporate leaders, there has been an overwhelming push to ensure that security positions are filled in order to achieve compliance. Over the past 10+ years the roles of CSO, CISO, Director of Security, Analyst, Engineer/Technical, IT Compliance Leader and Administrator have emerged. But what has not been very clearly defined is the roles and responsibilities of these positions, and the need for their unique skill sets. Larger companies have the luxury of finding highly skilled people to fill each of these individual jobs (it comes down to dollars), whereas mid-size to small companies try to find people who have all the skill sets wrapped up in one. Ahh, the wearer of many hats, filling positions that are uniquely different. By hiring that one person who has all these credentials you limit yourself on the expertise needed in each specific role. Jack of all trades and master of none is a dangerous mix in the security world. I fully understand that in today's economy more businesses are looking to cut back and consolidate. This is not an area where we want to get too frugal. In the end, you may be paying a bigger ticket if you are compromised.

There are regulatory requirements that audit the roles and responsibilities of your security staff. Due to conflict of interest issues, you may not be able to have the person enforcing security policies/procedures be the same person administering and monitoring those standards. Combining the two makes it much too easy to have your environment compromised internally (collusion). Each business needs to review its own requirements.

What you need to do is to find out what your business drivers for security are. These drivers can be a combination of corporate and regulatory requirements. If you are a business that accepts credit cards, but at low volume, then you may fall into Merchant Level 4 as it relates to PCI DSS requirements for security controls. So, do you really need to have many levels of security staff for your business? Probably not. You will not get hit with the same audit control requirements as a Merchant Level 1 service provider. You need to assess your business first, and make determinations about what is required based on the risk, probability, severity and lost revenue if your data were compromised. And again, the business drivers enforcing security for your establishment will help to make these determinations. Many businesses have run a BIA (Business Impact Analysis) study to help determine the level of risk to their data.

I have picked a few key security roles and listed their responsibilities to help if you decide you need to fill security roles for your business. These responsibilities will need to be tailored to your type of business, but they are a good starting point for you to work from.

Key security roles and their corresponding responsibilities:

CSO (Chief Security Officer) / Director of Security

  • Communicate with senior management about security risks and the current state of security of the business.
  • Develop and implement a strategic business security plan that is aligned with enterprise-wide security initiatives.
  • Support Legal, Compliance and HR in developing and implementing processes relating to privacy and the protection and use of PII, employee and business data.
  • Interpret Corporate/Compliance security policies, procedures, guidelines and best practices to understand how they apply to the specific business.
  • Develop, maintain and communicate business specific policies, procedures and guidelines.
  • Ensure that security reviews and tests are conducted at recommended points within the Tollgate process.
  • Verify that security is part of the change control process for all systems and applications.
  • Define secure operational processes and monitor compliance.
  • Support security operations such as secure account management, secure data access, etc.
  • Advisor for implementation of secure network architectures and configuration of network devices.
  • Monitor security compliance of networks, servers, and applications.
  • Ensure client PCs are secure and contain the correct versions of anti-virus software and any other recommended security tools.
  • Provide security awareness within the business.
  • Ensure proper evaluation, testing, and implementation of security technologies to meet business needs.
  • Develop, implement and track a security integration plan for acquisitions that is in compliance with company guidelines.
  • Develop, implement and track a security separation plan for divestitures that is in compliance with company guidelines.
  • Review and approve security for all network interfaces to other companies (i.e., third party connections).
  • Review and approve appropriate security controls for outsourcing agreements.

CISO (Chief Information Security Officer) / Technical Manager

The CISO/Security Technical Leader will assume primary responsibility for the technical aspect of all security-related activities under the direction of the CSO, including, but not limited to, those detailed below.

  • Work with the advanced technology team to research, design, prototype, and potentially implement company information protection initiatives to meet security objectives.
  • Provide leadership to multiple teams with a diversity of functions and attendant skills.
  • Responsible for the development and maintenance of the Enterprise Information Security Architecture, tools, and associated technical procedures to ensure systemic protection of the business information.
  • Responsible for ensuring that the organization's data systems and databases are secure through the development and implementation of information security architecture and standards.
  • Coordinate security architectural principles with Enterprise Wide Technology Architecture team.
  • Develop and maintain a security architectural framework in coordination with technology and business  partners.
  • Develop, refine, or modify technical security standards as necessary to implement technical security controls.
  • Assess technology infrastructure and collaborate with infrastructure group to design a scalable and secure infrastructure.
  • Participate in complex designs of technology solutions to ensure information security architectural principles, standards, and requirements are incorporated in design. 
  • Assess divisional and local security needs.
  • Evaluate emerging threats and recommend preventative measures that will mitigate the threat to the business.
  • Conduct research, develop and support positions, and document findings in white papers suitable for regulatory scrutiny on all aspects of information protection.
  • Research and design tools used for security awareness training.
  • Design and implement appropriate security technology to serve company security controls.
  • Monitor security policy compliance by conducting periodic audits and approved penetration tests. Be able to assess internal and external scan reports: identify false positives, research vulnerabilities, and communicate results to Information Protection (IP) management and system administrators. Must be capable of challenging external experts when reports are erroneous.
  • Recommend and implement checks to be included in a comprehensive internal audit/scanning program.
  • Work with system administrators to implement security strategies, coordinate remediation tasks and adhere to published schedules.


Security Analyst

The Information Security Analyst will assume primary responsibility for all security-related requests and activities, including, but not limited to, those detailed below.

  • Implement company information protection initiatives (policy, standards, guidelines, procedures, controls and associated technology) to meet security objectives.
  • Participate in corporate information protection project teams.  Assess divisional and local security needs and communicate them.
  • Respond to client due diligence and audit requests.  Work with IT groups and other departments as necessary to obtain the necessary information for responses.  Document remediation requests and communicate them to local and IP management.
  • Conduct security awareness training.
  • Implement appropriate security controls to meet company security objectives.
  • Monitor security policy compliance by conducting periodic audits and approved penetration tests. Be able to assess internal and external scan reports: identify false positives, research vulnerabilities, and communicate results to IP management and system administrators.
  • Recommend checks to be included in a comprehensive internal scanning program.
  • Work with system administrators to implement remediation strategies and adhere to schedules.
  • Respond when alerted to security events, whether in real time via monitoring tools or through log analysis.  Work individually and with other incident response team members as necessary to identify, assess, report and recover from incidents.
  • Be familiar with the company’s problem management and change management procedures, and ensure that incident responses invoke them appropriately.
  • Recommend security improvements based on assessing current technology and practices, evaluating trends, and anticipating requirements.
  • Review firewall and router rules.
  • Review and approve network change requests (ACLs, firewall rules) on behalf of Information Protection, based on company security policies.
  • Review intrusion detection system reporting, network device logs and other security logs daily.
  • Follow trends in the Information Protection area (new vulnerabilities, technology, legislation, etc.).  Contribute to development of appropriate corporate responses as such changes occur.
  • Advise local management as requested on site security matters (exposures, mitigation, etc.).


Manager of IT Compliance (position may be needed based on size and complexity of your environment)

The Information Technology Compliance Leader will assume primary responsibility for the oversight of IT Compliance regulatory audit reviews along with policy and procedural security requirements including, but not limited to, those detailed below.

  • Communicate with the audit functions of external entities as needed to maintain compliance:
      • Clients
      • Regulatory compliance groups: financial auditors, SOX, Department of Commerce (Safe Harbor), SAS 70
      • Other certifying organizations: Cybertrust, PCI, ISO
  • Ensure that the information requirements of audits are met:
      • Respond to the IT portions of client risk assessment questionnaires
      • Respond to the IT portions of client RFPs
      • Host IT portions of client on-site audits. Coordinate meetings with IT technical support and Office Services staff if required. Obtain supporting documentation.
      • Facilitate scans, vulnerability testing, penetration testing, etc., to meet auditor requirements while ensuring the ongoing confidentiality, integrity and availability of business information assets.
      • Communicate audit findings to the appropriate groups for remediation.
      • Communicate remediation plans and project status to clients.
  • Specifically for SOX (IT general controls):
      • Maintain archives of process narratives, control descriptions, testing methods, and test materials
      • Communicate self-assessment schedules to IT departments
      • Track progress of self-assessment activities and report progress to management
      • Train project participants in the use of mandated tools
  • Review draft contracts (master services agreements, marketing agreements, non-disclosure agreements, service level agreements, statements of work, etc.) with clients and vendors. Recommend appropriate security-related language.
  • Conduct information security risk assessments of current and potential vendors via questionnaires and on-site visits. Communicate remediation recommendations and requirements to business and vendor management. Monitor remediation progress.
  • Maintain the Information Security Management System (ISO 27001).
  • Develop policy and procedure for IT and other departments on security-related matters.
  • Assess and recommend tools for compliance reviews of IT infrastructure, applications and network traffic. Arrange for purchase, installation, tuning and maintenance of approved tools.
  • Develop, implement and maintain a program of internal audits to monitor compliance with security policy. The scope of the program will encompass processes and technology throughout the company in all domains of information security:
      • Identify gaps requiring remediation.
      • Provide summary reports of findings to management.
      • Provide detailed reports to technical support groups and others for remediation.
      • Monitor and report progress of remediation activities.
  • Monitor network traffic for intrusion attempts and other malicious activity (NIDS, NIPS).


The Security Leader shall be designated as the final security authority for all information services hosted or housed.

Peter Gallinari

Peter Gallinari, CSO, CHS III, has 32 years of experience in information technology in such diverse industries as healthcare, publishing, and financial services, and was a member of the GNYHA Committee (NYCLIX). He served as Chief Security Officer of GE Capital, managed its IT Division, and headed up its Business Continuity and Disaster Recovery. He holds several security certifications from the SANS Institute, (ISC)², and the American College of Forensic Examiners for Homeland Security. He also holds certificates in Six Sigma and disaster recovery disciplines. Peter is known for a song he wrote and performed for the victims of the Indonesian tsunami disaster, the Oklahoma disaster, and the Virginia Tech shootings. He has performed with members of KISS, Toto, The Vanilla Fudge (Carmine Appice), Anton Fig (David Letterman Show), Leslie West & Mountain and many others.
