The role of the Information Security Officer (ISO) varies based on the size and complexity of an organization. It may be a full- or part-time position held by an employee having only ISO responsibilities or by an employee having other roles within the organization. A primary role of the ISO is to work with management to strengthen its information security program and to protect the organization’s information assets.
The ISO contributes in the following ways:
- Defines and creates an information security program,
- Develops and implements information security policies, processes, and procedures that support the information security program,
- Performs independent reviews and audits of security activities and reports,
- Identifies and communicates information security risks and mitigation strategies to the Board of Directors or senior management.
Independent reviews are a critical responsibility of the ISO to help ensure the adequacy and effectiveness of the organization’s efforts to manage information security. Typical activities and reports that are reviewed by the ISO include, but are not limited to, the following:
Access
- Reviews access to critical or sensitive files or databases:
  - Identifies critical and sensitive information and all methods to access and change that information.
- Reviews high-level privileges:
  - Investigates administrative access levels and logs and monitors that access.
- Reviews user account access changes:
  - Reviews added, modified, and removed users and access levels.
Policy Management
- Reviews and oversees the Vendor Management Program,
- Performs annual vendor reviews,
- Reviews security policy changes:
  - Reviews changes to Active Directory, password requirements, lockout parameters, and screen saver settings.
Physical and Environmental Security
- Reviews infrastructure and equipment:
  - Verifies that uninterruptible power supplies (UPS) and generators are regularly tested, fire extinguishers and fire suppression systems are maintained, and alarm and environmental monitoring systems are regularly tested.
Event Logs
- Reviews system event logs:
  - Reviews system events such as shutting down the system or starting/stopping a service, firewall and intrusion detection system (IDS)/intrusion prevention system (IPS) activity, antivirus reports, and successful or failed backups.
- Reviews successful and failed authentication attempts:
  - Reviews remote access logs and all logins to network and critical applications to identify suspicious activity.
Security Procedures
- Reviews Disaster Recovery (DR) and Incident Response (IR) Plans:
  - Reviews and updates the DR and IR plans, educates the organization’s employees on the DR plan and IR procedures, and tests the DR plan annually.
Independent reviews help the ISO to identify security risks and to communicate mitigation strategies to management. Understanding the role of the ISO within an organization and assigning appropriate responsibilities can be critical to the development, oversight, and management of information security within the organization.
Tom Loring is a Manager of Macpage’s Information Assurance Services team, advising clients nationwide in the areas of IT and operational internal controls. Tom regularly performs SOC 1 and SOC 2 examinations, IT General Control Reviews, Information Risk Assessments, Cybersecurity Controls Reviews, and consulting for clients in a wide variety of industries, including financial institutions, third-party data processors, statement printers, data centers and more. You can email Tom at tjl@macpage.com.