Introduction
The International Standard Organization (ISO-27002, 2005) affirms that in the majority of business enterprises worldwide, information security plays a vital role in daily operations. This is because of its ability to defend the enterprise's important information from interruption, disclosure, modification and unauthorized access. It also includes physical protection of IT hardware from theft, fire and other catastrophes such as floods. This has helped to keep companies in a stable state through maintenance of their internal structures.
Harris (2003), in his research, shows that online business has increased relatively over recent years; this has necessitated many businesses to carry out sensitive credit card transactions and identification of their customers. In the United States of America, such information has been publicly accepted for verification and protection for security purposes. In 1995, Europe developed a data protection act that provides a solid framework for private and commercial business transactions. Additionally, they have a charter with comprehensive principles for fundamental security rights (Gary, 2008).
Typically, due to the critical need for information security in an organization, the issue needs to be fully visible to all stakeholders in management, in order to provide relevant, stable strides in the security department. This requires upholding the key principles of confidentiality, integrity and availability (the CIA triad). Breaches of these principles have resulted in incidents such as data leaks, accounting scandals and ultimately the elimination of several organizations (Bowen et al., 2007).
Apart from the general management process, the Chief Information Security Officer (CISO) is mandated to champion the security function in every organization. This is done through leadership and the development of stable relationships that can convince the key organization drivers to contribute effectively to the organization's security levels. This calls for a strong framework to carry out the following duties (ISO-27002, 2005).
First, the CISO as an individual is required to assess, define and understand both the current and future security role in an enterprise: that is, the current security capability level of the drivers in an organization and the milestones the security department needs to achieve in the future. Second, the CISO has the mandate to analyze the various relevant data collected and identify the loopholes in their context relative to industry regulations. They should use the enterprise benchmark to check whether the current project is in alignment and provide legal advice to the organization on areas of investment. Finally, the CISO should act as a strategist who analyzes and translates information into actionable strategy for the benefit of the organization.
The critical competency elements identified by the EBK and the International Standard Organization (ISO-27002, 2005) that a CISO can perform are multiple. First, they should use their strategic voice to influence the entire organization toward security maturity and response; second, they should orient the security department toward handling occurrences proactively rather than waiting until after a crisis; and lastly, they should integrate a systematic security approach to protect the entire organization, which will produce a tremendous improvement in the success of the organization.
The EBK recommends that organization security is not a lone-ranger task, but a responsibility that should be defined and propelled by all the stakeholders in an organization. The CIO has also become a very pivotal individual in this exercise, as he/she is directly responsible for policy compliance with the CISO's or Chief Executive Officer's strategies (Bowen et al., 2007).
The CIO manages the enterprise by ensuring the security department is promptly staffed and its continuity is guaranteed. Through these management operations, they are supposed to delegate duties to their respective juniors according to the key positions and roles they undertake (Bowen et al., 2007). Secondly, the CIO is a designer of the organization's ventures; they are supposed to develop suitably skilled personnel, check on the operating systems, network the whole facility to the relevant destinations and address the various security controls. Moreover, as a designer they should have relevant knowledge of testing protocols and security monitoring procedures. Finally, the CIO is supposed to be an implementer who oversees the general infrastructure of organization functions and competencies to develop a reasonable matrix framework (Bowen et al., 2007).
Gary (2008), in his studies, indicates that in management the CIO is a vital position that requires wide knowledge of anticipated technological trends; therefore these individuals are expected to have a wide base in computer science, software engineering and general administration principles. This will enable them to navigate and employ trends such as Enterprise Resource Planning (ERP) and Public Key Infrastructure (PKI) to fully monitor the security levels in the organization.
In 2008, a survey conducted among CIO technicians in the U.K. revealed that the threatening security concerns being highlighted by education, training and general public awareness resulted in prompt enterprise alignment, strict security compliance and generally better management of limited resources in most organizations (Harris, 2003).
As high incidences of security threats continue to make global headlines, organization managers can no longer neglect to put in place the necessary measures regarding digital forensic investigations. Digital forensics professionals represent some of the most highly specialized security roles in an organization. The EBK indicates that this will help to eradicate scenarios such as system malware, internal security violations, e-discovery and leakage investigations.
Information and system security relies on a wide spectrum of skills, knowledge and performance; therefore skilled forensic investigation is very pivotal to define functional parts, evaluate and implement the enterprise's position on security status and provide the necessary recommendations to an organization (ISO-27002, 2005). This will crucially help to close the loopholes an organization may be facing in its daily efforts to curb security threats (Harris, 2003).
With digital forensics a vital part of audit and investigations in the majority of organizations, security personnel have made significantly greater efforts in interpreting data signals. This has been made possible by the use of resources such as Intrusion Detection Systems (IDS), Security Management Systems (SMS) and Resource Planning Systems (RPS). This has prolifically helped to curb the number of online threats to these organizations (Bowen, 2007).
In conclusion, though many enterprises are still in crisis mode, some have taken reasonable reactive measures, as discussed in this paper, to fully curb and reduce future incidences of security threats.
References
Bowen, P., Chew, E., Hash, J., National Institute of Standards and Technology. (2007). Information Security Guide for Government Executives. US Dept. of Commerce, Technology Administration, National Institute of Standards and Technology. pp. 45-60.
Gary, R. Lomprey (2008). Critical Elements of an Information Security Management Strategy. Report. University of Oregon. pp. 5-84.
Harris, S. (2003). Certified Information Systems Security Professional (CISSP) All-In-One Exam Guide, 2nd ed. Emeryville, CA: McGraw-Hill / Osborne. pp. 20-56.
ISO-27002 (2005). Information technology. Security techniques: Code of practice for information security management. International Standards Organization (ISO). Reference number ISO/IEC 27002:2005(E). pp. 24-33.