[...]... business and organization

Your Mission: If You Choose to Accept It

So what does a good security team do? What are the team's objectives? The answers to these questions will change from organization to organization, dependent on the particular information security strategy. The factors that may influence the answers, detailed at length in the next chapter, include legal requirements, regulatory requirements, ...

... events, managing them is a core skill that's essential for the survival of an organization's information systems.

Legal and Regulatory Considerations

A key role of the security team is legal and regulatory compliance. The security team must help the company and its legal advisors interpret security and data protection legislation and regulations. This task can vary from advising on monitoring of e-mails to ...

... requirements, and supplier and customer information security requirements. This section describes the common activities of an information security department.

Role of the Security Function: What's in a Job?

Figure 1.2 shows the well-respected security team of a live organization.

Figure 1.2 A Large Information Security Team

www.syngress.com

This chart provides a good...

... fire that destroys their servers.

Since September 11, 2001, and the Enron failure, the United States has led the world in proactive legislation that forces companies to take a responsible line on information security. In some states, for example, companies that suffer hacks that could impact customer data are obliged by law to inform the customers...
... high enough to have a "whole business" remit
■ It shows everyone that your organization is taking security seriously

Cons

Disadvantages of positioning the security team below the CEO/CTO/CFO include:
■ The security team will be accused of being in an ivory tower (but so what)
■ The security team will find it hard to look into the IT director's business...

... manual

Where to Put the Security Team

Figure 1.1 shows a typical firm with a number of potential positions for the security function. We will analyze the pros and cons of each position to answer the age-old question, where should information security sit?

Figure 1.1 An Information Security Organization's Hierarchy of Personnel

Where Should Security Sit?

... many subareas is still difficult, but it is essential to success. Unlike so many functions of IT, security is an area that requires practitioners to operate across the whole organization. A chief information security officer (CISO) or a security manager is likely to be asked advice on many aspects of security in situations where there is no alternative but to give some sort of counsel. Sometimes your best shot...

... still trying to work things out

Chapter 1 The Security Organization

The purpose of this chapter is to:
■ Review typical positions of the information security function and the benefits of each
■ Define the role of the security function
■ Discuss the qualities of a good CISO

Anecdote

To be a chief information security officer (CISO), you must demonstrate certain...

... 23
Operations: Standards and Procedures 24
Back to Security 25
The Security Strategy and the Security Planning Process 25
Security Organization 28
Security Tools 29
Security Policy Revisited 30
Policy Statements 32
What Do I Need to Set a Policy...
... incidents, evidence gathering, preservation, and representation are paramount. Because of the specialist skills required to do these things, often the team relies on external agencies to perform the bulk of these investigations. However, expert knowledge is still required, to ensure that you know when to call your supplier of computer forensic skills and to ensure that evidence is preserved until that point.

How to Cheat at Managing Information Security
Mark Osborne
Paul M. Summitt, Technical Editor

Syngress Publishing, ... 02370

How to Cheat at Managing Information Security. Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication ...

... servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING

Many organizations welcome the ability to combine