
Guide for the Role and Responsibilities of an Information Security Officer Within State Government
April 2008
Table of Contents
Introduction ...... 3
The ISO in State Government ...... 4
Successful ISOs – Necessary Skills and Abilities ...... 7
Twelve Components of an Effective Information Security Program ...... 9
The ISO Role and Responsibilities in Each Component ...... 11
Risk Management ...... 12
Security Policy Management ...... 16
Organizing Information Security ...... 19
Asset Management and Protection ...... 22
Human Resources Security ...... 24
Physical and Environmental Security ...... 27
Communications and Operations Management ...... 30
Access Control ...... 36
Information Systems Acquisition, Development, and Maintenance ...... 39
Information Security Incident Management ...... 42
Disaster Recovery Management ...... 46
Compliance ...... 48
Conclusion ...... 51
Glossary ...... 52
Office of Information Security and Privacy Protection
Page 2
Introduction
Each agency must identify and implement information security policies, standards, guidelines, processes, procedures, and best practices to strengthen its security program and protect its information assets while assuring that its goals and objectives are met. Typically, the Information Security Officer (ISO) manages an agency's information security program. The information security program has five important objectives:
1. Protect the agency's information and information processing assets.
2. Manage vulnerabilities within the information processing infrastructure.
3. Manage threats and incidents impacting the agency's information resources.
4. Assure through policy the appropriate use of the agency's information resources.
5. Educate employees about their information security and privacy protection responsibilities.

The Guide for the Roles and Responsibilities of an Information Security Officer Within State Government provides a state agency and its ISO with general guidance in understanding the ISO's role and responsibilities in developing and maintaining an effective information security program. This Guide closely aligns with the Office of Information Security and Privacy Protection's (OISPP) Information Security Program Guide for State Agencies and drills down into more detail about the important role of an agency ISO. Agency ISOs should become familiar with both Guides, as they will assist them in implementing a strategy for an effective information security program.
The OISPP is grateful to the many agency ISOs and other security professionals who have provided their input to shape the content of this Guide.
The ISO in State Government
All state agencies are to designate an ISO to oversee the agency’s