The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program

The role of the ISSO in managing an InfoSec program is somewhat different from the role of the ISSO as a manager of the company.

All company managers have some role to play that applies regardless of the manager's area of responsibility. This also applies to the ISSOs in management positions. The following items should be considered for implementation by the ISSO as a manager within the company:

• Comply with all company policies and procedures, including the intent of those policies and procedures.

• Take no action that will give the appearance of violating applicable company policies, procedures, or ethical standards.

• Implement applicable management control systems within the InfoSec organization to ensure the efficient use of resources and effective operations.

• Identify business practices, ethics, and security violations/infractions; conduct inquiries; assess potential damage; direct and take corrective action.

• Communicate with other departments to provide and receive information and guidance for mutual benefit.

• Plan, organize, direct, coordinate, control, report, assess, and refine business activities to achieve quality, cost, schedule, and performance objectives, while retaining responsibility for the results.

• Exercise due diligence to prevent fraud, waste, or abuse.

• Establish and maintain a self-audit process to identify problem areas and take corrective action to eliminate deficiencies.

These items, if made part of the ISSO's philosophy and goals, not only will benefit the company, but will assist the ISSO in professionally meeting the InfoSec duties and responsibilities as a valued member of the company's management team. Remember that the InfoSec program is a company program. That means you need help from everyone in the company to ensure its success.