Your organization has set up a new position, CISO, reporting to the CIO, to be in charge of cybersecurity. As the CISO, you aim to support the business effectively. Which of the following is the most critical task for you?
A. Integrate security into IT processes
B. Implement comprehensive network access control
C. Sponsor and direct the business continuity program
D. Develop an information security management system
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Develop an information security management system.
Developing an information security management system (ISMS) is the most appropriate and critical task among the four options. The ISMS starts with management commitment and policies that drive information security to meet the protection needs and security requirements of stakeholders (or interested parties). It covers network access control, IT processes, and the information security aspects of business continuity.
- Implementing comprehensive network access control is necessary but not sufficient and not a priority.
- Integrating security into IT processes is necessary but not sufficient. No matter which role a CISO reports to, he or she should ensure that the security function supports the business and that security is integrated into “ALL” organizational processes, not only IT processes.
- Unless a CISO understands the business very well and is fully empowered and delegated, it’s not a good idea for him or her to sponsor and direct the business continuity program. Business continuity is about the continual delivery of products and services, which involves organizational processes as a whole, not only IT, security, or assurance processes. The CEO, COO, or a committee is more appropriate. The CISSP exam outline and ISO 27001 don’t even cover all the business continuity requirements, as the following screenshot shows.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.