Monday, December 2, 2019


Chief Information Security Officer as a Service


Whether you are a company seeking to augment your current Information Security function, or you are looking to build an Information Security organization from scratch, the Contract Chief Information Security Officer (CISO) is an option that provides the necessary expertise and structure.  Designed to supplement current information security activities, provide security leadership, and implement architectural structure, the CISO arrives with a full set of tools to perform the task, without the commitment of creating a full-time position.  In fact, the position of CISO can be satisfied by a part-time contract subject matter expert, backed by a team of specialists, to provide a comprehensive security program.

Compliance

One of the immediate needs of any organization is to validate its compliance with the rules, regulations and practices mandated by its specific industry or regulatory body.  The contract CISO can provide policy and standards services that are customized to the requirements of the organization.  Every organization needs its information security policies in place, ranging from acceptable use to information classification.

Business Continuity

Years in business teach us that the unexpected is going to happen.  The contract CISO can initiate, coordinate, document and test the whole scope of business continuity, from continuity of operations to disaster recovery.  These essential processes are often overlooked, but left unconsidered they can have a devastating impact on your organization.  The service provides subject matter experts at every phase of the business continuity process to enable a smooth, documented, and practiced transition in difficult situations.

Security Education

Most people will do the right thing, once they know what the right thing is.  The contract CISO can provide information security education services, by live or online instruction.  Both general security training and industry-specific education are available through the CISO team.  Annual security training, event-specific training, and specialized information handling training are available.

Security Analysis

In information technology, what you don't know can hurt you.  The contract CISO can design, implement and analyze vulnerability testing, as well as regular scanning and monitoring.  This can be carried forward into risk analysis, penetration testing, phishing simulations, and other tests, both internal and external.  The CISO can then use this information to recommend infrastructure, process, training, or policy changes.

Audit Response

Depending on the industry and regulatory environment, audit findings are an inevitable part of doing business.  The CISO can craft responses to auditors, establish plans of action and milestones (POA&M), and develop mitigation plans to satisfy findings.  Audit pre-work is used to prevent "finding surprises" and minimize the impact of findings on the organization.

Business Processes and Architecture

Information that is well managed is easier to secure.  The extensive experience of the contract CISO and the team of experts can provide assistance in change and problem management, design review, and software standards.  Other business functions can be included as appropriate expertise is available.  Processes for equipment issuance and inventory, software control, and privilege management are within the scope of service.  These can be applied in both the tactical and the strategic planning phases.

Executive Training

In time, many organizations will benefit from having their own CISO and local Information Security Officers.  The contract CISO team will train permanent staff to satisfy the organization's requirements for information security.

General “Traditional” Information Security

The team approach to the contract CISO provides opportunities for the evaluation, implementation and operation of traditional security controls, including:
·         Firewalls
·         Host security software
·         Identity Management
·         Network segmentation
·         Anti-virus
·         Defense in Depth implementations
·         IDS/IPS
This is just a brief list of the tools that can be brought to bear by the CISO.

Process of Acquisition

Every organization has unique needs, but common practices include the establishment of a policy base, training and analysis.  The presence of an experienced and certified CISO helps to speed and improve the implementation of a security program.  To this end, the CISO service can be purchased by the hour (minimum 40 hours) or on a contract of up to 5 years.  Work can be performed on-site or remotely, depending on the organization's needs and culture.
This purchasing model enables a business to purchase as much or as little CISO time as it needs, from as little as 4 hours a week to full time.
