The Chief Information Officer (CIO) and the Chief Information Security Officer (CISO) both have significant roles in translating the organization’s overall strategic plans into information security strategic objectives (Whitman & Mattord, 2013). Additionally, they may work together in the development of the tactical and operational information security plans. However, in most circumstances, the CISO would report directly to the CIO, and as a result, their position objectives may be different.
Generally speaking, the CIO is responsible for the strategic efforts of the organization, as well as the development and integration of the IT and information security departmental strategic objectives, which are based on the organizational strategies (Whitman
One way to accomplish this task is through the application of information security policy. Furthermore, organizational leadership must define three types of security policy: general or enterprise information security policy, which sets the strategic direction and scope for all security efforts within the organization; issue-specific policy, which includes the guidelines needed to instruct employees on the appropriate use of their technologies; and systems-specific security policy, which establishes the standards to be used when configuring systems. The fundamental purpose of a security policy is to protect people and information, set the rules for expected behavior by all users, administrators, management, and security personnel, authorize security personnel to monitor, probe, and investigate, define and authorize the consequences of policy violation, help to minimize risk, and help to track compliance with security regulations and legislation (SANS Institute, 2007). Some examples of the security policies an organization would consider developing are an information classification policy, password policy, authentication policy, access control policy, incident response policy, Web security policy, e-mail security policy, and
Additionally, information security policies will help to minimize risk and ensure that security incidents are responded to adequately. Moreover, information security policy will help an organization to define the firm’s attitude towards information, declare that the company’s information is considered to be an asset and property of the organization, and state that the organization’s assets should be protected from unauthorized access, modification, disclosure, dissemination, and destruction. However, it is important to understand that information security policies are not guidelines or standards, nor are they to be considered procedures and controls (Bragg, 2002). More accurately, information security policy should serve as the blueprint for an overall security program and define what is being protected in order to ensure the implementation of proper controls. Moreover, steps should be taken to ensure that information security policy never conflicts with state or federal laws, can stand up in court if ever challenged, and is properly administered through dissemination and documented acceptance. Furthermore, an information security policy is most effective when it is properly disseminated, understood, and agreed upon by all members of the