You are the CISO of an IC design house and report to the CEO directly; confidentiality of customer privacy, and research and development data is the most concern. The use of any USB devices violates the acceptable usage policy (AUP). A customer account manager reports that many crucial customers are complaining about the efficiency of uploading files to the company’s file server. He suggests that the data can be transferred using a USB flash drive to streamline the collaboration process. As a CISO, what should you do FIRST?
A. Add an exception to the acceptable usage policy (AUP) to allow the use of USB flash drive as security is a business enabler. To help the business deliver value is the ultimate responsibility of a CISO.
B. Reject the suggestion because it violates the acceptable usage policy (AUP), and the use of USB flash drive is highly risky.
C. Side with the account manager and submit a proposal in favor of the suggestion to the CEO.
D. Prepare a business case and submit it to the CEO for final approval.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Prepare a business case and submit it to the CEO for final approval.
Decisions shouldn’t be biased, and shouldn’t be made without the risk or any other assessment. In other words, managers should conduct a risk assessment or appropriate analysis and evaluation to make informed decisions. Doing so demonstrates their due diligence as well.
Policies are documented management intent; they are relatively stable compared with standards or procedures. However, exceptions to policies are not uncommon to cope with the business. They are subject to change with the external context (e.g., threats, and opportunities). As security is a business enabler, the security policy should adapt to the business context and be aligned with business goals, strategy, and objectives.
Any action or initiative should be justified. Alternatives with cost/benefit analysis documented in a business case are the most persuasive. The suggested security controls with cost/benefit consideration are the result of risk assessment. Doing nothing (an implicit rejection in nature) is one of the alternatives in the business case.
The position and authority of the security function (the role and responsibility of a CISO) depend on the organizational structure and security requirements, that determine the CISO’s reporting line, power, and job description.
The board of directors and the senior management (especially CEO and CFO) are usually held accountable for the business and legal results. Since customer privacy is related to legal compliance, submitting a business case for the CEO’s final approval is a good practice.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.