The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program

Based on what you have read, consider the following questions and how you would reply to them:

• Where do you think the ISSO position and InfoSec organization should report at IWC or within your company?

• Why?

• Have you read your company's business plans?

• Have you integrated your InfoSec organization plans to support the successful accomplishment of the company goals?

• If not, why not?

• If so, how do you measure your success in that support?

• Do you have a CIAPP?

• Is the CIAPP current?

• Do you have a process in place to keep it current?

• Do you have a process in place to ensure it is working at least cost and impact to the company's business?

• In support of the IWC vision, mission, and quality statements, what would you write as the IWC ISSO to support them or those of your company?

• Are the statements realistic?

• Are the statements known by your staff?

• Are the statements useful, or do they exist only because management said to write them?

• Are the statements one of the basic foundation pillars of the CIAPP?

• If not, why not?