The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program
Based on what you have read, consider the following questions and how you would reply to them[4]:

- Do you understand the company where you have InfoSec responsibility: its history; what products and services it produces; its environment, culture, competition, and business plans; the impact of the InfoSec program on profits; and the like?
- Are you absolutely clear as to what management expects of you?
- Are you absolutely clear that management understands your InfoSec program?
- Is management clear as to what you expect from them, such as support?
- Do you have good communication channels with management?
- Are there managers who are against your InfoSec program, and if so, do you avoid them or try to understand their position and work with them?
- If you do not work with them, why not?
- Do you understand your business management responsibilities?
- Are you trying to make the InfoSec program a value-added function?
- If so, are you succeeding, and how do you know?
- Does management also think the InfoSec program is a value-added program, and if so, how do you know?

[4] Obviously, if you answer No to any of these questions, you have some additional work to do.