The role of the Information Security Officer (ISO) is to ensure a proper Information Security Program is in place. It has been a standard practice for several years that regulated industries (i.e. financial institutions and healthcare providers) have appointed a designated ISO. This approach was necessary due to regulatory pressure to establish a focus on all aspects of Information Security, and also provide independent oversight of the IT group.
In recent years, it has become more common for non-regulated organizations to establish a formal ISO role. This is due to many reasons:
- Best practice frameworks and standards – Internationally accredited organizations outline the need for an ISO.
- Reputation risk – Financial damages caused by a security breach typically cost much more than the ongoing costs of an effective Information Security Program.
- Damage control – A strategic approach has proven to be more effective with preventing, identifying, responding, and minimizing the damages caused by cyber-attacks.
- Competitive advantage – The commitment to clients, business partners, and shareholders who expect their data and personal information to be protected.
- Data is an asset – An ISO’s primary function is to ensure data is properly confidential, accurate, and available.
- IT group accountability – Organizations want to confirm their IT group is acting in the best interests of the organization and held accountable….and don’t hold the “keys to the castle”.
- Proactive approach – Privacy and data protection laws continue to become stricter and affect almost all organizations.
- Personal liability – Senior leadership of organizations are now held personally accountable (with possible civil and criminal repercussions) for the Information Security approach and practices of an organization.
Before you can determine if your organization needs an information security officer, it is important to define Information Security. It is defined as:
- Practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction
- Includes electronic and physical data
- Information in storage, processing, or transit, and against denial of service to authorized users
- Includes measures necessary to detect, document, and counter threats
- Composed of policies, procedures, training, monitoring, testing, segregation of duties, and accountability
- CIA – Confidentiality, Integrity, Availability
The ISO role typically includes the following responsibilities:
- Managing the Information Security Organization (ISO group) if more than one person is needed to provide proper oversight.
- Ensure data is properly protected (confidential, integrity, availability)
- Disaster Recovery and Business Continuity
- Information Security policies, procedures, and documentation
- Standards for vendor management
- Reporting to senior leadership and the Board
- Information Security strategic planning
- Involvement in IT steering meetings and strategic planning
- Establishing Information Security meetings
- Managing internal/external Information Security audits, assessments, and testing
- IT group oversight in regards to Information Security
- Budgeting and project prioritization
- Data access and security controls
- Coordinates and interacts with regulatory bodies, etc.
- Monitors security alerts and events that could impact the organization
- Creates an employee security awareness program
- Continuing education on new threats, emerging technologies, and protective measures
- Thought leadership for the entire organization
- Liaison between IT group and senior leadership
- Works with the legal group for proper data retention policies and litigation procedures
- Software licensing compliance
- Interact with public, clients, and business partners concerning Information Security
- Create and manage an incident response program
It is possible that the roles and responsibilities outlined above are being filled by current employees. This is typical, but there is often a lack of communication, cohesion of approach, and alignment between these employees.
We recommend a more holistic approach that would unify these various roles and responsibilities under an Information Security Officer. This doesn’t usually require a complete overhaul of how these tasks are performed, but the ISO should have adequate authority to ensure that these roles and responsibilities remain properly segregated and are appropriate for the organization.
For more information, contact us.