INTRODUCTION TO PART VII

MANAGEMENT'S ROLE IN SECURITY

Management responsibilities include judgements of which resources can rationally be expended in defending against which threats. Managers must understand how to cope with the lack of quantitative risk estimates while using what information is available to guide investment decisions in personnel and technology. Their decisions are affected by regulatory and legal requirements and by the practical constraints of their relationships with other leaders within their organizations. This part includes chapters and topics that bear on information assurance managers' roles:

  • 62. Risk Assessment and Risk Management. Which vulnerabilities warrant repair? Which threats must be taken seriously? How much expense is justified on specific security measures?
  • 63. Management Responsibilities and Liabilities. Roles, responsibilities, due diligence, staffing security functions, and the value of accreditation and education
  • 64. U.S. Legal and Regulatory Security Issues. For U.S. practitioners especially, this chapter reviews the Gramm-Leach-Bliley Act and the Sarbanes-Oxley legislation
  • 65. The Role of the CISO. The chief information security officer as an agent of change and as a strategist working to ensure that security fits into the strategic mission of the organization, and that it is communicated effectively to other C-level executives
  • 66. Developing Security Policies. Approaches to creating a culture of security where policies grow organically from the commitment of all sectors of the organization, instead of being imposed unilaterally by security staff
  • 67. Developing Classification Policies for Data. The essential role of data classification and how to implement systems that conform to regulatory and legal requirements
  • 68. Outsourcing and Security. Security of outsourcing and outsourcing of security