What are the CISO’s most useful instruments?

So you want to conduct a symphony of information security within your organization?

Well, what are the instruments you will use in your orchestra? I suggest you might want to look for or plan the creation of the following:

  1. Organization chart
  2. Business case template and submission procedures
  3. Enterprise security architecture (well, at least the “zone model”, with zones mapped to examples in the existing environment)
  4. Enterprise security plan and perhaps security plans of significant business units
  5. Data classification scheme
  6. Registers
    1. audit issue register (lead violin, sometimes a bit too screechy)
    2. enterprise risk register
    3. significant business unit risk registers
    4. compliance requirement register (the timpani)
  7. ISMS
    1. Mapping of compliance requirements to your Information Security Management System (ISMS)
    2. Document map of ISMS with status of documents within it (approved, under review, drafted, not started)
  8. Control testing management reports and database
  9. Management reporting template
  10. Lists
    1. of business units by criticality
    2. of business processes by criticality within business units
    3. of business applications by criticality with function descriptions
    4. of security projects with budget and status
    5. of business projects by criticality to business success
  11. Current security budget
