The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
Based on what you have read, consider the following questions and, as an ISSO, how you would reply to them:
- Do you have a process in place to conduct a formal year-end analysis of your CIAPP and InfoSec functions?
- If not, why not?
- If so, does it include cost-benefit analyses?
- Do you provide a "state-of-InfoSec" report on the corporate information environment at year's end?
- If so, is it briefed to executive management?
- Are "subreports" provided to each department head that specifically address the status of the protection of their information environment?
- Do you involve your InfoSec staff in the year-end reviews, analyses, and planning?
- Do you reward your InfoSec staff for a job well done at year's end, with more than words?
- How would you go about conducting, and improving on, the process described in this chapter?