The Binomial Bookstore
Rothstein Associates Inc.
Business Policies
INFORMATION SECURITY ROLES & RESPONSIBILITIES MADE EASY
VERSION 2 (INCLUDES CD-ROM)
by Charles Cresson Wood

Save money while building a leading security organization. The updated Information Security Roles and Responsibilities Made Easy, Version 2 by Charles Cresson Wood, CISSP, CISA, CISM, provides practical, step-by-step instructions on how to develop and document specific information security roles and responsibilities. This valuable reference will save you time and money by providing pre-written job descriptions, mission statements, and organization charts that you can use and customize for your own organization.

- - - - - - - - - -

INFORMATION SECURITY ROLES & RESPONSIBILITIES MADE EASY VERSION 2 provides:

1. Over 70 pre-written, time-saving information security documents, including:
   - 29 information-security-related committee, board, and department mission statements, with information security responsibilities reflecting the latest technical and legal requirements.
   - Over 40 information-security-related job descriptions.
   - 12 separate information security organization structures, with discussion of the pros and cons of each.
   - Specification and discussion of 29 critical information security documents that every organization should have.
   - Standard practices that have been shown to be effective at over 125 organizations around the world.

2. Justification to help increase management's awareness and funding of information security, including:
   - How to persuade management to properly document information security roles and responsibilities, including an easily customized sample management memorandum.
   - Reducing the total cost of information security services through properly documented roles and responsibilities.
   - Discussion of responsibility and liability as it relates to documented information security roles, including citations supporting the legal notion of the standard of due care.
   - Information security staffing data and analysis to help gain management support for additional resources.
   - Common mistakes many organizations make and how to avoid them.

3. Specific advice on how to plan, document, and execute an information security infrastructure project, including:
   - Information on how to properly review and update information security roles and responsibilities, including department interview techniques.
   - How to schedule project resources and time lines for documenting roles and responsibilities.
   - Detailed discussion of the Data Owner, Custodian, and User roles.
   - Actions you should take to reduce your organization's exposure to workers in information-security-related positions of trust.
   - The synergy between role-based access control (RBAC) and clarification of information security roles and responsibilities.

4. Practical advice on how to maintain security when dealing with third parties, including:
   - Pros and cons of outsourcing security functions, including validation and security when outsourcing.
   - The security roles and responsibilities of software and hardware vendors.
   - Decision-making criteria for releasing or withholding roles and responsibilities documentation to/from various external parties.

5. Valuable staffing advice and descriptions for information security professionals, including:
   - Characteristics of effective information security professionals, including discussion of the pros and cons of hiring hackers and others who have been on the wrong side of the law.
   - Specific performance criteria for individuals and teams.
   - An expanded list of new information security professional certifications, with web sites, phone numbers, and addresses for each.

INFORMATION SECURITY ROLES AND RESPONSIBILITIES VERSION 2 has been written by security policy consultant and expert Charles Cresson Wood, CISSP, CISA, CISM, who has over 20 years of experience writing and implementing information security roles and responsibility statements for companies worldwide.

This book can be used effectively by anyone who needs to develop, refine, or otherwise specify information security organizational design documents, no matter what their prior experience in the information security field. Providing never-before-available "best practices," this book will help you develop, refine, and gain management approval of the information security function in an organization.

Information Security Roles & Responsibilities Made Easy, Version 2 - Hardcover, 278 pages. Includes CD-ROM and organization-wide license to reproduce the materials internally.

- - - - - - - - - -

“Top management in many organizations believes that information security work is done only by the Information Security Department. This old-fashioned view prevents organizations from establishing the type of team that they need to come to terms with complex and pervasive information security issues. This book recognizes the current environment where sensitive, valuable, and critical information is distributed not only to end-users, but these days to contractors, consultants, temporaries, outsourcing firms, business partners, and others. All of these participants have an important role to play in the safeguarding of such information. An essential prerequisite to achieving a workable team for information security is the clarification of roles and responsibilities through job descriptions, departmental mission statements, legal contracts, and other organizational design documents.”

“The new reference book, Information Security Roles & Responsibilities Made Easy, provides practical, step-by-step instructions on how to develop specific information security roles and responsibilities. This book provides advice on how to get management to pay more attention to information security and allocate realistic budgets for information security staffing. The book will help you quantify and generate more respect for the information security function within a company by pointing out ways that an information security team adds value to a business.”

- - - - - - - - - -

“The total cost of ownership models developed by a variety of industry analysts such as Gartner Group indicate that labor represents anywhere from two-thirds to three-quarters of the on-going costs associated with information technology (system set-up, administration, maintenance, etc.). Information security is just one of many subspecialties within the information technology field, but its costs are also dominated by labor. The information security field is still in an embryonic state, and many of the essential activities have not yet been automated. This means that all organizations, no matter how sophisticated they happen to be, will be critically dependent on the work of people in order to achieve a truly secure information technology environment.”

- - - - - - - - - -

“Information Security Roles & Responsibilities Made Easy provides:
- everything needed to quickly compile essential information security organizational design documents
- cut-and-paste ready-to-go words from professionally-written material, with a license to republish these same words within the licensed organization
- a practical step-by-step process for developing, editing, publishing, and obtaining management approval for organizational design documents
- substantive justifications reflecting the standard of due care that can be used to justify increases in the information security staffing budget
- organizations with the ability to quickly develop new organizational design infrastructures needed to securely support a wide variety of new information technology initiatives such as Internet commerce
- standard practices that have been shown to be effective at over 125 organizations around the world

“Information Security Roles and Responsibilities has been written by security policy consultant and guru, Charles Cresson Wood, CISA, CISSP, who has had over 20 years of experience writing and implementing information security roles and responsibility statements for companies worldwide.

“This book can be used effectively by anyone that needs to develop, refine, or otherwise specify information security organizational design documents, no matter what their prior experience in the information security field. Providing never before available “best practices,” this book will help you develop, refine and gain management approval of the information security function in an organization. It includes 40 different job descriptions, 24 organizational mission statements, 15 alternative reporting relationships and the most comprehensive set of already-written information security roles & responsibilities documents available anywhere.”

- - - - - - - - - -

“The safest way to grow your business.

“Unlike any resource on the market, Charles Cresson Wood's new book, Information Security Roles & Responsibilities Made Easy gives you a single source for practical step-by-step instructions to develop, refine and gain management approval of the information security function in your organization, including job descriptions, functions and reporting relationships.

“This unique book and companion CD-ROM:
- Delivers the most comprehensive set of already-written information security roles & responsibilities documents available anywhere, including 40 different job descriptions, 24 different organizational unit mission statements, and 15 different information security function reporting relationships
- Offers key reference material needed to start and finish an information security roles and responsibilities reengineering project regardless of the size, location, or industry of the organization
- Supplies exact words that you can use to begin and finish a roles and responsibilities project, accompanied by clear and to-the-point justifications and instructions. No academic theory or case studies.
- Includes words that are needed to justify to management a roles and responsibilities project, get management approvals, and communicate the essence of the project to those who need to know
- Helps establish a multi-organizational, multidepartmental, and multi-disciplinary team to effectively manage information security — including outsourcing
- Based on the author's 21+ years of information security consulting work with over 125 organizations in 20 countries around the world”

- - - - - - - - - -

The policy kit includes hardcopy book, CD-ROM, and an organization-wide license to republish the materials.

- - - - - - - - - -

NEW IN VERSION 2

1. Updated information-security-related committee, board, and department mission statements, including new descriptions for Disaster Recovery Team, Change Control Committee, Privacy Oversight Committee, and a Board of Directors Governance Committee.
2. Over forty updated information-security-related job descriptions, including brand-new job descriptions for Chief Privacy Officer (CPO), Chief Security Officer (CSO), Chief Knowledge Officer (CKO), Ethics Officer, and Data Librarian.
3. Expanded job descriptions and mission statements reflecting the latest business and technological developments (such as digital rights management systems and wireless networks) and legislative and regulatory requirements such as those of the Sarbanes-Oxley Act.
4. Additional management justifications for compiling, documenting, and updating roles and responsibilities, including ways in which this effort minimizes the cost of providing adequate information security services.
5. A significantly expanded discussion of the pros and cons of outsourcing the information security function, including outsourcing-firm due diligence, secure outsourcing procedures, and possible conflicts of interest when retaining a third party.
6. Actions you should take to reduce your organization's exposure to workers in information-security-related positions of trust.
7. Added citations supporting the legal notion of the standard of due care as it relates to management responsibility, including discussion of the Hooper Doctrine, to help justify an investment in information security organizational infrastructure.
8. An expanded discussion of the personality characteristics needed for work in information security, including discussion of the pros and cons of hiring hackers and others who have been on the wrong side of the law.
9. New decision-making criteria for releasing or withholding roles and responsibilities documentation to/from various external parties.
10. Updated information security professional certifications, with web sites, phone numbers, and addresses so the reader can easily get more information about them.
11. A new appendix that explores the synergy between role-based access control (RBAC) and clarification of information security roles and responsibilities.
12. Additional cross-references and hot-links so that you can quickly locate the material you need.
- - - - - - - - - -

TABLE OF CONTENTS

Chapter 1: What This Book And CD-ROM Can Do For You
Chapter 2: Reasons To Establish Clear Roles & Responsibilities
Chapter 3: Persuading Management To Document Roles and Responsibilities
   Memo To Management
Chapter 4: Before You Document Roles & Responsibilities
Chapter 5: Updating Roles & Responsibilities
Chapter 6: Who Should Write Roles & Responsibilities Documents
Chapter 7: Review & Approval Of Roles & Responsibilities
Chapter 8: Resources Required To Document Roles & Responsibilities
Chapter 9: Time Estimates To Document Roles & Responsibilities
Chapter 10: Key Information Security Documents
   Information Security Department and Other Department Missions
   Information Security Staff and Other Staff Job Descriptions
   Information Security Department Reporting Relationships Diagram
   Information Security Awareness Pamphlet
   Information Security Awareness Reminder Memos
   Information Security Policy Manual
   Information Security Standards Document
   Information Security Architecture Document
   Information Security Action Plan
   Information Security Forms
   Systems Administration Procedures Manual
   Risk Acceptance Memos
   Information Systems Contingency Planning Manual
   Organizational Code of Conduct
   Standard Operating Procedures (SOP) Manual
   Systems Development Process Manual
   Application System Requirements Documents
   User and Computer Operations Application Manuals
   Records Management Policies and Procedures Manual
   Worker Performance Reviews
   Systems Usage Responsibility Agreements
   Outsourcing and Consulting Agreements
   Confidentiality and Non-Compete Agreements
   Human Resources Manual
   Physical Security Pamphlet
Chapter 11: Organizational Mission Statements
   Information Security Department
   Physical (Industrial) Security Department
   Internal Audit Department
   EDP Audit Unit
   Ethics and Compliance Unit
   External Auditing Firm
   Records Management Department
   Information Technology Department
   Help Desk Unit
   Network Operations Unit
   Computer Operations Unit
   Systems Administration Unit
   Database Administration Unit
   Data Administration Unit
   Insurance and Risk Management Department
   Contingency Planning Unit
   Computer Emergency Response Team
   Legal Department
   Human Resources Department
   Information Security Management Committee
   Information Technology Steering Committee
   Board of Directors - Audit Committee
   Internal Control Committee
   Facilities Management
   Outsourcing Firm
Chapter 12: Job Descriptions For Specific Team Players
   Information Security Department Manager
   Access Control System Administrator
   Internal Information Security Consultant
   Information Security Engineer
   Information Security Documentation Specialist
   Information Systems Contingency Planner
   Local Information Security Coordinator
   Chief Information Officer
   Information Systems Analyst/Business Analyst
   Systems Programmer
   Business Applications Programmer
   Computer Operations Manager
   Computer Operator
   Information Systems Quality Assurance Analyst
   Help Desk Associate
   Archives Manager/Records Manager
   Telecommunications Manager
   Systems Administrator/Network Administrator
   Web Site Administrator/Commerce Site Administrator
   Database Administrator
   Data Administration Manager
   Physical Security Department Manager
   Physical Asset Protection Specialist
   Building and Facilities Guard
   Office Maintenance Worker
   Internal Audit Department Manager
   EDP Auditor
   Internal Intellectual Property Attorney
   Human Resources Department Manager
   Human Resources Consultant
   Receptionist
   Outsourcing Contract Administrator
   In-House Trainer
   Insurance and Risk Management Department Manager
   Insurance and Risk Management Analyst
   Business Contingency Planner
   Public Relations Manager
   Chief Financial Officer
   Purchasing Agent
   Chief Executive Officer
Chapter 13: Information Security Reporting Relationships
   Option 1: Information Technology
   Option 2: Security
   Option 3: Administrative Services
   Option 4: Insurance & Risk Management
   Option 5: Strategy & Planning
   Option 6: Legal
   Option 7: Internal Audit
   Option 8: Help Desk
   Option 9: Accounting & Finance through I.T.
   Option 10: Human Resources
   Option 11: Facilities Management
   Option 12: Operations
   Summary
Chapter 14: Template Customization Factors
   Local Laws and Regulations
   Industry Category
   Criticality to the Business
   Line or Staff
   Organizational Culture
   Scope of Information Security Function
   Information Security Effort Sophistication
   Size of Organization
   Outsourcing
   Intended Audience
   Separation of Duties
   Cross-Training and Backup
   Formatting
Chapter 15: Owner, Custodian, And User Roles
   Owners
   Custodians
   Users
   Summary
Chapter 16: Roles & Responsibilities Of Product Vendors
Chapter 17: Roles & Responsibilities Of Outsourcing Firms
Chapter 18: Adjustments For Smaller Organizations
Chapter 19: A Centralized Organizational Structure
   A Few Critical Distinctions
   Information Security Activities That Should Be Centralized
   Why Centralized Information Security Management Is Advisable
   Drawbacks Of Centralized Information Security Management
   Resolving A Variety Of Implementation Issues
Chapter 20: Workers In Information Security Related Positions Of Trust
   Nature Of The Problem
   Suggested Strategies
Chapter 21: Common Mistakes You Should Avoid
   Management Has Not Been Sensitized to Information Security Risks
   No Executive Sponsor for Information Security Has Been Arranged
   Sufficient Management Approvals Were Not Obtained
   Positioning of Information Security Conflicts with Organizational Objectives
   Top Management Believes Its Duty Is Discharged by Appointing Someone
   Accountability Does Not Match Responsibility
   Staff Assumes Revenue Producing Activities Overshadow Information Security
   Management Says Everybody Is Responsible
   Staff Takes a Reactive Approach to Information Security
   Management Relies on Voluntary Information Security Cooperation
   Contribution Made by Information Security Is Not Regularly Reinforced
   Management Does Not Reinforce New Roles and Responsibilities
   Major Projects Are Initiated Before Roles and Responsibilities Are Defined
   Scope of Information Security Duties Are Too Narrowly Defined
   Scope of Information Security Duties Are Too Loosely Defined
   Inappropriate Person Prepares Roles and Responsibilities Documents
   Time Required to Get Top Management Approval Is Underestimated
   Roles and Responsibilities Are Not Periodically Updated
   Staff Performance Reviews Do Not Include Information Security
   No Disciplinary Process Exists
   No Compliance Checking Process Exists
   No Clear Problem Reporting Process Exists
Appendix A: Staffing Levels
   Information Security Staffing: Calculating the Standard of Due Care
Appendix B: Personal Qualifications
   Excellent Communication Skills
   Ability to Resolve Conflicts Between Security and Business Objectives
   Ability to See the Big Picture
   Basic Familiarity with Information Security Technology
   Commitment to Staying on Top of the Technology
   Familiarity with Information Security Management
   Tolerance for Ambiguity and Uncertainty
   Ability to Manage Many Important Projects Simultaneously
   Ability to Work Independently
   A Certain Amount of Polish
Appendix C: Performance Criteria
   Information Security Department Metrics
   Individual Worker Metrics
Appendix D: Professional Certifications
Appendix E: Responsibility and Liability
Appendix F: Sample User Responsibility Agreement
Appendix G: Disclosing Roles and Responsibilities
Appendix H: Role Based Access Control
Additional Information
About the Author
Sources and References
CD-ROM Files
Feedback
Roles & Responsibilities Process Integration Steps
Index

- - - - - - - - - -

BOOK REVIEW

“The many aspects of setting up a security function program in an organization can be hard to understand, let alone perform. Charles Cresson Wood's latest book, published by Information Shield, aims to help organizations through the issues. Though written largely with a North American audience in mind, the book includes many standard practices, which have been effective worldwide.
“Information Security Roles and Responsibilities Made Easy is best described as a reference manual, although it is also more than that, as explained below. It is aimed at large organizations that can afford to implement a fully scaled security function. The author, however, recognizes that smaller organizations often have to operate with restricted budgets and resources that are not required on a full-time basis. There is a chapter that deals specifically with options available to smaller organizations.

“The book provides, in an easy-to-digest format, what is required to develop information security job descriptions, mission statements and reporting relationships. The author recognizes that IT security is not merely the responsibility of the IT security department, but of the whole enterprise.

“The earlier sections of the book deal with information security roles and responsibilities within an organization. The author describes, at some length, the steps required. The book gives good examples of various security based memos and manuals such as risk acceptance memos and the information security policy manual that should be found in a large organization.

“The middle section of the book deals with what the author calls mission statements. These are designed to be partial mission statements dealing with the wide-ranging information security responsibilities of various departments. The examples given are informative and cover a wide range of departments, from internal audit to facilities management and outsourcing. Information security staff responsibilities and duties are extensively detailed. The author also touches on information security-related responsibilities and roles for the likes of the chief financial officer and the purchasing agent, in line with the premise that the whole organization must be involved in security.

“A further chapter is devoted to information security reporting lines and responsibilities, including the relative merits of centralized and decentralized structures. Here the author discusses various possible reporting lines for information security in organizational chart format and goes on to discuss the pros and cons of each. Examples of these include reporting via the technology department to the strategy and planning department.

“A crucial feature of this publication is not merely the information and guidance contained in the 255 pages of the hardcover book. Included in the price is an organization-wide license to republish materials. The accompanying CD-ROM contains what Information Shield describes as "cut-and-paste ready-to-go words" - in other words, do-it-yourself security documents, which the licensed organization may utilize quickly and easily to set up their own documentation.

“In conclusion, although this book may not portray anything radically new, it brings the various information on IS under one roof. With the inclusion of the CD-ROM and publication license it is more than just a source of good reference material, it is an excellent resource designed to be easily adapted to an organization's needs.”

- - - by John Machin, SC Magazine.

- - - - - - - - - -

ABOUT THE AUTHOR

CHARLES CRESSON WOOD, CISA, CISSP, is an author and independent information security consultant based in Sausalito, California. In the information security field on a full-time basis since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute) as well as lead network security consultant at Bank of America. He has done information security work with over 120 organizations, many of them Fortune 500 companies, including a large number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world.
He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility, and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in security architectures, system security requirements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.

He has published over 225 technical articles and five books in the information security field. In addition to TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented cutting-edge information security ideas at over 100 technical and professional conferences around the globe.

Mr. Wood is Senior North American Editor for the journals "Computers & Security" and "Computer Fraud & Security Bulletin", as well as a monthly columnist for "Computer Security Alert". He holds an MBA in financial information systems, an MSE in computer science, and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He has passed the Certified Public Accountant (CPA) examination and is both a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP). In November 1996 he received the Lifetime Achievement Award from the Computer Security Institute for "sincere dedication to the computer security profession."

- - - - - - - - - -

2006, 278 pages plus CD-ROM. Includes an organization-wide license to reproduce the materials (for one organization).
Order #DR571

- - - - - - - - - -

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEIN
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008