CERT RECOMMENDATION: Management of the Security Function
CERT uses the term “governing“ instead of management and I thought the list noted below provides an excellent representation of what's involved in managing the security function within an organization.
CERT: Governing for Enterprise Security
The following elements of governance with respect to their role in governing for enterprise security:
- Awareness and understanding - Governing boards and senior executives are aware of and understand the criticality of governingfor enterprise security:
- Protection of shareholder (or equivalent) value: They understand what actions are necessary to protect shareholder/stakeholder value with respect to enterprise security (such as protecting reputation and brand, and protecting customer privacy).
- Customer satisfaction: They understand what enterprise security actions are necessary to retain current customers and attract new customers (such as sustained marketplace confidence in comparison to competitors).
- Strategies and plans - Strategies and plans for enterprise security demonstrate how they support business objectives.
- Investments: Investments in enterprise security are aligned with and allocated so as to meet strategies and plans, taking risks into account (see risk management). Costs are optimized.
- Reporting: Status against plans is regularly reported, up to the Board. Performance against measures is monitored. Corrective action is taken when necessary.
- Policies - Policies, standards, guidelines, procedures, and measures for enterprise security exist and are regularly reviewed and enforced.
- Responsibilities - Responsibility and corresponding accountability and authority for enterprise security are clearly defined.
- Controls - Internal security controls are defined to effectively protect assets. Assets may include information, hardware, software, processes, services, physical facilities, knowledge, and people.
- Risk management - Risks to critical assets are identified and managed consistent with the enterprise's tolerance for risk. Asset protection investments are made commensurate with Liability risks. The enterprise understands its liability and exposure when connected to the Internet, and takes necessary due diligence actions to minimize liability risk and exposure.
- Oversight - The enterprise is regularly evaluated and audited to ensure an acceptable level of compliance to requirements, both internal and external, for example, regulations, standards, audit criteria, market sector requirements, and security requirements and objectives.
- Public disclosure - The enterprise is open to public disclosure of its security state, where such disclosure is required.