The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program
Based on what you have read, consider the following questions and how you would reply to them:
- Do you believe that the basic requirements—drivers—discussed in this chapter are valid?
- Can you think of others that you would use as an ISSO?
- After the requirements are identified, in what order would you prioritize policies, procedures, plans, processes, and functions?
- Why did you decide to prioritize each in the order noted?
- Do you have a process in place for valuing company information?
- If not, how do you know what to protect in a cost-effective manner?
- If you have such a process in place, is it current?
- Is it working?
- How do you know it is working cost-effectively?
- What are the functions that you as an ISSO believe are required to be a part of your InfoSec organization?
- Which ones are optional, and why?
- Which ones would never be authorized by management to be part of your InfoSec responsibilities?
- Do you use a formal, documented risk management philosophy?
- If not, how do you cost-effectively make InfoSec decisions?
- If so, is that philosophy shared with the employees so they can understand why certain InfoSec decisions are made?
- Are you an integral part of the company's CEP-DR processes?
- If not, should you be?
- If so, are you involved in testing the CEP-DR plans?
- After an emergency or disaster, are you involved in verifying and validating that all the security hardware, software, and firmware are operating in accordance with the CIAPP and security specifications?
- If not, how do you know they were even turned back on by IT personnel after the systems went offline and were brought back online again?