The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program

Based on what you have read, consider the following questions and how you would reply to them:

• If you could define your title and your reporting level within a corporation, what would it be and why?

• Do you believe that all assets protection functions should be under one leader within a corporation?

• If so, what would that person's title be?

• If not, why not?

• As an ISSO, do you know what is expected of you?

• Do you have a strategic, tactical, and annual InfoSec (CIAPP) plan that supports the corporate plans?

• Do you have vision, mission, and quality statements?

• If so, are they something that you actually use in planning or just in meeting management requirements?

• If you are not using them, why not?

• Do you use formal project management processes and techniques?

• If so, how and when?

• Do you use formal risk management processes and techniques?

• If so, when and how?

• If you could change your ISSO duties and responsibilities, how would you change them and why?