Fri Apr 8 06:51:39 PDT 2016

Management: Duties: What duties does the Information Protection (IP) Lead have?


Options:

Option 1: The security lead can specify and verify, but not manage protection activities
Option 2: The security lead can manage protection activities, but not specify or verify
Option 3: The security lead can mix combinations of management and specification and verification, but not for the same item.


Option A: The security lead chairs an executive security council.
Option B: The security lead has direct peer-to-peer contact with the heads of the area of the enterprise.
Option C: The security lead is a member of an executive security council including executives from the area.
Option S: The security lead can specify protection activities.
Option O: The security lead can operate protection activities.
Option E: The security lead can verify protection activities.

Decision:

IF the enterprise is small AND the maturity level is Initial or less, THEN the security lead can manage/perform protection activities, but not specify or verify;
OTHERWISE IF the maturity level is Repeatable or lower, THEN the security lead can specify and verify, but not manage/perform protection activities;
OTHERWISE IF the maturity level is Managed or greater, THEN the security lead can specify and verify, but not manage/perform protection activities, OR the security lead can mix combinations of management/performance and specification and verification, but not for the same item;
OTHERWISE (the maturity level is Defined) the Defined maturity level documentation should specify the roles of the security lead in this regard.


IF the security lead specifies activities, THEN the security lead should chair an executive security council in that area AND the security lead should have direct peer-to-peer contact with the heads of the area of the enterprise;
OTHERWISE IF the security lead manages/performs activities, THEN the security lead should be a member of an executive security council including executives from the area AND the security lead should have direct peer-to-peer contact with the heads of the area of the enterprise;
OTHERWISE the security lead should have direct peer-to-peer contact with the heads of the area of the enterprise.

The following assignment sets are typical of options 1, 2, or 3. Each Specify, Manage/Perform, and Verify cell lists the option numbers under which the security lead holds that duty for the item; the Contact column gives the contact options (A, B, C) for options 1, 2, and 3, in that order only:

Type        | Item                          | Specify | Manage/Perform | Verify | Contact (options 1, 2, 3)
Business    | Policy                        | 1       | 2, 3           | 1      | AB, BC, BC
Business    | Control Standards             | 1       | 2, 3           | 1      | AB, BC, BC
Business    | Procedures                    | 1, 3    | 2              | 1, 3   | AB, BC, BC
Business    | HR                            | 1, 3    | 2              | 1, 3   | AB, BC, BC
Business    | Legal                         | 1, 3    | 2              | 1, 3   | AB, BC, AB
Business    | Risk Management               | 1       | 2, 3           | 1      | AB, BC, AB
Operations  | Testing                       | 1, 3    | 2              | 1, 3   | AB, BC, AB
Operations  | Change Control                | 1, 3    | 2              | 1, 3   | AB, BC, AB
Operations  | Physical technical safeguards | 1, 3    | 2              | 1, 3   | AB, BC, AB
Operations  | Logical technical safeguards  | 1, 3    | 2              | 1, 3   | AB, BC, AB
Operations  | Incident handling             | 1, 3    | 2              | 1, 3   | AB, BC, AB
Assurance   | Audit                         | 1       | 2, 3           | 1      | AB, BC, BC
Assurance   | Knowledge                     | 1       | 2, 3           | 1      | AB, BC, AB
Assurance   | Awareness                     | 1       | 2, 3           | 1      | AB, BC, AB
Assurance   | Documentation                 | 1       | 2, 3           | 1      | AB, BC, AB

Duties and structures for the protection lead

Fill in the following table detailing alternatives for Specifying (S), Performing (P), and Verifying (V) systems for Low, Medium, and High risk systems following the rules here:

IF Risk is Low,
THEN the security lead can specify, perform, and verify the same element. (SPV)
IF Risk is Medium,
THEN the security lead can specify and verify OR perform the same element, but not both. (SV) OR (P)
IF Risk is High,
THEN no individual may do more than one of specify, perform, or verify for the same element, (S) OR (P) OR (V)
AND no individual may do any of S, P, or V for more than one of the Business, Assurance, or Operations aspects.

Type        | Item                          | Low | Medium | High
Business    | Policy                        | ... | ...    | ...
Business    | Control Standards             | ... | ...    | ...
Business    | Procedures                    | ... | ...    | ...
Business    | HR                            | ... | ...    | ...
Business    | Legal                         | ... | ...    | ...
Business    | Risk Management               | ... | ...    | ...
Operations  | Testing                       | ... | ...    | ...
Operations  | Change Control                | ... | ...    | ...
Operations  | Physical technical safeguards | ... | ...    | ...
Operations  | Logical technical safeguards  | ... | ...    | ...
Operations  | Incident handling             | ... | ...    | ...
Assurance   | Audit                         | ... | ...    | ...
Assurance   | Knowledge                     | ... | ...    | ...
Assurance   | Awareness                     | ... | ...    | ...
Assurance   | Documentation                 | ... | ...    | ...

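As an added example (not part of the original page), the following Python encodes the three risk-level rules above as a checker over a duty assignment table, so that a proposed set of assignments can be tested for separation-of-duties violations before the table is signed off. The person names, the (aspect, item, duty, person) tuple format, and the coverage check (that every element must have S, P and V assigned to someone) are assumptions made for this example.

```python
# Added example: separation-of-duties checker for the Low/Medium/High rules.
# Assumptions (not from the page): assignments are (aspect, item, duty, person)
# tuples, and every element must have all of S, P and V assigned to someone.
from collections import defaultdict

DUTIES = ("S", "P", "V")                              # Specify, Perform, Verify
ASPECTS = ("Business", "Operations", "Assurance")
RISK_LEVELS = ("Low", "Medium", "High")


def check_assignments(assignments, risk):
    """Return a list of rule violations for the given risk level (empty if OK).

    Low:    any combination of S, P, V per person and element is allowed.
    Medium: a person may hold S and/or V for an element, or P, but not P with S or V.
    High:   a person may hold at most one of S, P, V per element, and may hold
            duties in only one of the Business, Operations, Assurance aspects.
    """
    if risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level: {risk}")

    held_by = defaultdict(set)     # (person, aspect, item) -> duties that person holds
    aspects_of = defaultdict(set)  # person -> aspects the person has any duty in
    covered = defaultdict(set)     # (aspect, item) -> duties assigned to anyone
    for aspect, item, duty, person in assignments:
        if aspect not in ASPECTS or duty not in DUTIES:
            raise ValueError(f"bad assignment: {(aspect, item, duty, person)!r}")
        held_by[(person, aspect, item)].add(duty)
        aspects_of[person].add(aspect)
        covered[(aspect, item)].add(duty)

    violations = []
    for (person, aspect, item), held in sorted(held_by.items()):
        code = "".join(d for d in DUTIES if d in held)          # e.g. "SV"
        if risk == "Medium" and "P" in held and held & {"S", "V"}:
            violations.append(f"Medium: {person} holds {code} for {aspect}/{item} "
                              "(P may not be combined with S or V)")
        if risk == "High" and len(held) > 1:
            violations.append(f"High: {person} holds {code} for {aspect}/{item} "
                              "(only one of S, P, V allowed)")
    if risk == "High":
        for person, aspects in sorted(aspects_of.items()):
            if len(aspects) > 1:
                violations.append(f"High: {person} has duties in more than one aspect: "
                                  + ", ".join(sorted(aspects)))
    # Coverage check (assumed requirement): each element needs S, P and V filled.
    for (aspect, item), duties in sorted(covered.items()):
        missing = "".join(d for d in DUTIES if d not in duties)
        if missing:
            violations.append(f"Coverage: nobody is assigned {missing} for {aspect}/{item}")
    return violations


# Constructed sample assignment set (hypothetical people and elements).
SAMPLE = [
    ("Operations", "Testing", "S", "IP Lead"),
    ("Operations", "Testing", "P", "Ops Manager"),
    ("Operations", "Testing", "V", "IP Lead"),
    ("Operations", "Change Control", "S", "IP Lead"),
    ("Operations", "Change Control", "P", "Ops Manager"),
    ("Operations", "Change Control", "V", "Auditor"),
    ("Assurance", "Audit", "S", "IP Lead"),
    ("Assurance", "Audit", "P", "Auditor"),
    ("Assurance", "Audit", "V", "Auditor"),
]

if __name__ == "__main__":
    for level in RISK_LEVELS:
        problems = check_assignments(SAMPLE, level)
        print(f"{level}: {'no violations' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run as a script, the sample passes at Low risk, produces one Medium violation (the Auditor both performs and verifies Assurance/Audit), and four High violations (two people holding two duties on one element, and two people active in more than one aspect). Raising the risk classification of an element therefore changes which of the existing assignments must be split across people, which is the point of the rules.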
Duties of the protection lead

Basis:

The Information Protection Lead (IP Lead) can specify and verify, but not manage/perform protection activities

In many large enterprises, the IP Lead performs executive functions in specification and verification of the protection program but does not directly manage/perform any execution of protection functions. This is done by operations under the CIO.

The IP Lead can manage/perform protection activities, but not specify or verify

When the IP Lead works for the CIO, they are often put in a position of operating the protection program instead of specifying and verifying it. This generally means that the IP Lead is in too low a position for the job to get properly done; however, in smaller or immature enterprises, this may be the best solution for getting the most knowledge into the protection program.

The IP Lead can mix combinations of management/performance and specification and verification, but not for the same item.

In some more mature enterprises, the IP Lead manages many elements of the business functions and assurance processes and only specifies and verifies the operational aspects run by the IP Lead.


The IP Lead chairs an executive security council.
The IP Lead should chair an executive-level council that meets periodically, at least quarterly, with the top executive involved in each area where the IP Lead specifies how protection will operate. This is necessary in order to make certain that coordination is properly done and that power and influence issues are addressed.

The IP Lead has direct peer-to-peer contact with the heads of the area of the enterprise.
The IP Lead should generally have peer-to-peer relationships with those in charge of each area involved in information protection. If this is not in place, it creates failures in the protection program that ultimately result in large-scale protection failures. This is a heated political issue in many enterprises, as the CEO places the IP Lead under the CIO, and the CIO prevents the IP Lead from doing their job or from communicating with the other individuals required in order for the protection program to operate properly. The CEO or COO is responsible for such failures and should act to mitigate the situation if it exists.

The IP Lead is a member of an executive security council including executives from the area.
In cases where the IP Lead operates part of the program by managing the direct execution of the functions, they should be a member of the executive-level council that makes the decisions on how to specify the requirements and that verifies proper operation. This is necessary in order to have the information required to get the job done effectively.


The roles of the IP Lead are limited by requirements for separation of duties. In particular, any one individual who specifies, performs, and verifies any particular activity is essentially able to subvert that activity in its entirety. For that reason, any activity that is important enough to assure should be assured with separation of duties. Indeed, as risk goes up, more separation is reasonably applied. Thus the decision is about how to separate the duties of the IP Lead.

Specify: The IP Lead can specify protection activities.
Specifying an activity implies the ability to bound its scope and mandate its implementation. Generally, specifications are not so complete or perfect that they can be implemented as-is in performance.

Perform: The IP Lead can perform protection activities.
Performing an activity implies that specific actions are taken. They are supposed to reflect the specification, but do not always precisely do so.

Verify: The IP Lead can verify protection activities.
Verifying an activity implies determining whether, and to what extent, the specification was properly performed or the performance properly varied from the specification. Hindsight is often touted as 20/20, but then history is often rewritten by the victors.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved