Large amounts are being spent on acquiring the latest security products. But without creating a security organization responsible for implementing the security process, this expenditure would be wasted.

by Avinash Kadam
In my first article, I had covered the topic 'Why Information Security is important for your organization'. It was followed by a second article, 'Writing an Information Security Policy'. If you've been following this column, you've probably guessed that this article would be about 'Security Organization'. That's because this happens to be the next domain in the 10 domains of the Information Security Management System as suggested by BS 7799. I propose to cover each of these 10 domains sequentially, so that anyone interested in implementing the information security management guidelines of BS 7799 would have the necessary background material.
Need for a Security Organization
Information security is now the key concern of all organizations. Large amounts are being spent on acquiring the latest security products. Unless equal efforts are spent on creating a security organization that is responsible for implementing the security process, this expenditure would be wasted.
Physical security in an organization is usually very visible, with a high-ranking retired officer from the armed forces or police managing the security. Information security is still a nebulous concept. Information may be stolen, but there may be no trace of the theft, nothing physically missing. Losses suffered due to theft of information may be much more than those incurred due to theft of physical assets. Based on risk assessment, we are usually in a position to measure the consequences of information theft.
For managing information security, we need to follow the 'Plan-Do-Check-Act' or PDCA cycle. Creating an appropriate security organization is part of the planning phase. A security organization also helps us in defining the roles and responsibilities of the various individuals who would be entrusted with implementing information security in the organization. If we do not follow this process and assume that security is everybody's responsibility, then ultimately it will be nobody's responsibility.
Who should be part of the Security Organization?
The information security organization must have three levels of hierarchy:
1. Top management - the people who approve the security policy and security budgets; review the security implementation efforts, take note of the effectiveness of various measures and decide on the priorities. Involvement of top management will induce the organization to take security matters
2. Security management teams - consisting of people who have specific security-oriented tasks assigned to them. These teams are the backbone of the security organization. Enthusiasm of these teams will really make the organization
3. End users - the success or failure of the security initiative depends on their responsiveness to information
The Chief Information Security Officer (CISO) should unite these three levels towards the same objective of securing the organization's information assets.
Roles and Responsibilities
Each of the levels described above has a different role to play and different contributions to make. Let's look at the roles and responsibilities that could be defined for each of the levels.
Top management: Security Steering Committee (SSC)
Top management has enough on their plate to cope with. But, all the same, they still have to be involved in planning the information security strategies and policy matters. Otherwise, they may not appreciate the business risks of deploying information technology. It is worthwhile to create a security forum or security steering committee, which will meet at least once in three months with a
The SSC's responsibilities are:
- Provide management's support to the security process
- Develop security objectives, strategies and policies
- Review the risk assessment reports and monitor the exposure of information assets to major threats and the business impact thereof
- Define the status of various security initiatives
- Review major security incidents
- Approve any major changes to IS security policy
The committee must be headed by the CEO, and the other members should be the various business managers, the Chief Finance Officer, the Chief Information Officer, the Chief Internal Auditor and the Chief of Physical Security.
The CISO should be the secretary of this committee. He should be functionally responsible to this committee. Administratively, he should report to the CEO or to the Chief Internal Auditor. This will ensure adequate independence for him to perform his job.
Security Management Teams
Information security is a complex subject involving many specialists. This is not a one-time job performed by a single expert, but needs the day-to-day co-operation of the whole organization. The CISO should create a number of teams with specific responsibilities. For some teams, this will be a full-time job. For others, this may be in addition to their existing responsibilities.
Security policy owners: The security policies must be authored by persons with good knowledge of the business and also of IT, in order to make the policies practical and enforceable. Some of the policies will pertain to technical aspects where in-depth knowledge is required. Some policies will involve the Human Resources Department. The CISO has to ensure that each owner/author of a security policy defines an appropriate policy which meets the needs of the organization. The policies also need to be reviewed at least once every year.
Security maintenance team: This team should consist of hardcore IT/IS technical experts. The responsibility of this team is to understand the various security alerts issued by manufacturers or independent security organizations. They should assess the need for implementing the requisite patches after proper testing. This team should also track exploits that could be used to expose the vulnerabilities faced by organizations due to new weaknesses revealed by either manufacturers or various security organizations like SANS, CERT, Security Focus etc. This team should comprise IT/IS technology experts with specialized knowledge of various security measures. The team should also be responsible for reviewing various logs, like firewall logs and intrusion detection system logs, and detecting whether there has been an attack on the organization.
Security incident response team: This team should consist of persons who can take decisive action if your worst fears come true. They should decide the steps to be taken in case of an incident/attack/penetration. They should try to identify, isolate and contain the incident to ensure that it does not spread to other devices or units. During the Code Red II attack on organizations, most were not prepared to react to such an incident and many had to shut down services for a few days. The security incident response team may also have to liaise with local law enforcement bodies, Internet service providers and telecommunication bodies for better coordination during a crisis.
Disaster recovery team: The responsibility for making a business continuity plan and a disaster recovery plan lies with the CISO or a BCP manager, if the organization has a separate department for this purpose. The disaster recovery team should be involved in keeping the disaster recovery plans ready and periodically testing them so that they are not outdated when needed.
Security training team: The responsibility of this team is to provide security awareness training at all levels in the organization. This team could also be made responsible for preparing do's and don'ts, security awareness posters, security competitions, observing security week, anti-virus day and all such things which keep security in the limelight.
End Users
Information security will only be as strong as its weakest link. Unfortunately, end users could undo the best security efforts. Bruce Schneier, the famous security expert, once said, "Amateurs hack systems, professionals hack people." The most effective attacks on information are social engineering attacks. A con artist posing as an authorized person can get any information, including passwords, from unsuspecting end users. The victims of social engineering are typically receptionists, telephone operators, computer operators, system administrators and end users.
Another area of concern is non-compliance with the security policies. An organization may have framed elaborate policies about e-mail, Internet connections and so on, but if end users do not observe these policies, they may put information security at risk.
End users and all in the IT team must be informed about their job responsibilities, the information security policy and the penalties for breaching the policy. Non-disclosure agreements, confidentiality agreements, password secrecy policy etc. should be part of the appointment letter. It is not too late to do this paperwork for existing employees. This will create seriousness about information security and also help if an investigation needs to be done to probe a cyber crime.
Chief Information Security Officer (CISO)
This is a key position to ensure the successful management of information security. The CISO should interact with top management and explain to them the security risks in the language of the business. He should handle the various security management teams comprising technical people. He should also interact with end users and patiently explain to them why it is necessary to follow certain steps which may slow down the system but make information more secure. In case of an incident, he has to calmly take stock of the situation and take damage control
The main responsibilities of a CISO are:
- Secretary of the security steering committee: He should prepare the agenda and ensure the follow-up of all the issues discussed in this committee. He should report the status of various security initiatives and also the major security incidents faced by the organization. He should also prepare the annual information security
- Custodian of the information security policy: The CISO is responsible for the information security policy. He should ensure that it is periodically reviewed.
- Maintainer of the information security management system (ISMS): The CISO will keep the ISMS up to date, with all the procedures, guidelines, baselines and standards properly documented and available to all the concerned
- Security risk assessor: The CISO should establish and review the security risk assessment methodology and select appropriate controls for risk mitigation. He should also maintain the statement of applicability in case of controls which are not applicable to the
- Leader of the various security management teams: The CISO should guide the security maintenance team, security incident response team, disaster recovery team and security training team.
- Monitor of compliance with security standards: The CISO should report compliance, or the lack of it, to the concerned authorities.
- Verifier of the information security asset base: The CISO should define the identification and classification methods and verify the correctness of the information assets.
- Representative of the organization: The CISO should interact with external agencies who could be of help in maintaining information security for the organization.
- In-charge of overall security: The CISO should also liaise with the physical security department for safeguarding
- Reviewer of the security requirements of the third
  Review security requirements in outsourcing contracts.
- Ensure co-operation between external security auditors and the organization: The CISO should ensure rectification of any non-conformities observed by the auditors.
- The CISO should obtain and retain the BS 7799 certificate.
Information security management requires good planning of the various security measures, proper organization of resources, efficient implementation by competent individuals, and monitoring by top management on a continuous
Kadam is Chief Executive - Assurance and Training at Miel e-Security, Pvt. Ltd. He can be reached at firstname.lastname@example.org