Executive Roles and Responsibilities
In any corporate setting or military installation, defining proper boundaries and procedures for safeguarding data can be a daunting and sometimes seemingly impossible task. Delineating, clarifying, and communicating the responsibilities for protecting and defending information resources is the first step in creating a culture that is sensitive and responsive to information security issues.
A busy executive with a data-integrity mindset has to control information from the moment it comes in, through its processing phases, until it ends up in the customer's hands as a usable product: free from unauthorized modification, as accurate as it can possibly be, and actually delivered at all (denial of service in mind). The information security executive needs to ensure that the organization has procedures for account management, backup, incident handling, standardized and authorized software and hardware, disaster recovery, and a Continuity of Operations Plan (COOP). Moreover, identifying who is responsible for what plays an important role as well.
Account management procedures define when and how new users should be added and when existing users should be removed from the system. Password control may be included here. I have been a part of the Navy active and Reserve components for 8 years, working as either a Cryptologic Technician Operator (Communication) or Assistant ISSO for the Operations department. One thing that has remained intact, if not for security purposes then for resource monitoring and control, was the management of accounts. The deletion and creation of accounts had a set of people, usually two, assigned to just that task. Moreover, account management is also used for punishment purposes and not just for controlling ports and times of availability. The denial of internet access or email privileges for improper usage is as important as stopping the impending hacker from penetrating your firewall.
Backup procedures define the requirements for offsite backups of systems and servers.
Incident handling procedures define information security incidents and cover the who, what, when, and how of handling, communicating, and reporting such events. This is one of the more important items on the list of "things to do" that I can think of. One reason only: damage control. We live in a world of backups. We have car insurance, house insurance, health insurance; we even have death insurance for the ones we leave behind. That is so asinine that we can't stop worrying after we're dead. The point being is that bad things happen and there's no getting around it. If it's not the hackers or crackers, it's the overly inquisitive and bored employee in the IT department who wants to know how much the rest of his coworkers are getting paid, then gets irate and decides you don't need certain services for a few hours. (Does not sound like much, but shut down eBay during the holiday season and watch CNN to see how many people "resigned" from their jobs.) Would...