You are recruited to fill the newly created position of CISO, a role that was unofficially assumed by the CIO to govern information security affairs. You are hired to report directly to the CEO, as a peer officer of the CIO, and are responsible for formulating and executing information security strategies. Which of the following best justifies this arrangement?
A. Separation of duties
B. Avoidance of Conflict of Interest
C. Strategic and business alignment
D. Legal or regulatory requirements
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Avoidance of Conflict of Interest.
Separation of Duties
- Separation of duties policy creates a checks-and-balances system where two or more users verify each other’s actions and must work in concert to accomplish necessary work tasks.
- e.g. One person sells tickets and another person collects the tickets in a movie theater to prevent fraud.
Segregation of Duties
- When duties are properly segregated, no single employee will have the ability to commit fraud or make a mistake and have the ability to cover it up.
- e.g. Auditing people do not have other operational duties related to what they are auditing.
Separation of Privilege
- Separation of privilege applies the principle of least privilege to applications and processes.
- e.g. user/sudo and user/service accounts.
Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 9th ed. Wiley.
Conflict of Interest
In addition, some CIOs and CISOs feel that there is a natural conflict of interest between their two disciplines: While CIOs typically accelerate growth and adoption of digital technologies to streamline operations and drive revenue, CISOs tap the brakes in the name of security and privacy controls.
Some people feel that having the CISO report to the CIO is an inherent conflict of interest because the CIO is trying to reduce costs, while the CISO is trying to improve security.
First, the CISO’s role demands a separation of duties, without which the CIO can get caught in a conflict of interest.
Strategic and business alignment
It’s not uncommon for enterprises to have the CIO assume the CISO role. If the CIO assumes the CISO role, does he need to formulate InfoSec strategy? If so, does the strategy need to be aligned with upper-level or business strategy?
There is no doubt that the CIO still has to do so (strategic and business alignment) even if he or she assumes the conflicting role of the CISO.
Legal or regulatory requirements
A segregation of duties policy is highly relevant for any company that must abide by the Sarbanes-Oxley Act of 2002 (SOX) because SOX specifically requires it. However, it is also possible to apply segregation of duties policies in any IT environment.
SOX applies to all public companies that have registered equity or debt securities with the Securities and Exchange Commission (SEC). The U.S. government passed it in response to several high-profile financial scandals that resulted in the loss of billions of shareholder dollars.
Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Kindle Locations 17781-17787). Wiley. Kindle Edition.
- The CISO reports directly to the CEO in order to avoid a conflict of interest. Separation of duties does not fit here, because this is not a checks-and-balances arrangement: the CISO and the CIO are not required to split a task between them and work in concert to complete it.
- “Separation of duties” is the means, while the “Avoidance of Conflict of Interest” is the end.
- Even in the situation where the CIO assumes the CISO role, the InfoSec strategy still has to be aligned with the upper-level strategy and the business.
- Not all companies are subject to the laws or regulations in terms of the reporting line of the CISO.