
	Home > Ask the Security Experts > Security Management Questions & Answers > Who is responsible for handling security program development in an IT infrastructure?

Ask The Security Expert: Questions & Answers

EMAIL THIS

Who is responsible for handling security program development in an IT infrastructure?

EXPERT RESPONSE FROM: Mike Rothman

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 12 September 2007
I have recently been appointed to the position of ISO. Our compliance officer is currently overseeing and developing the information security program, but has no real technical background. Should program development take place within my department, or can this be a delegated duty that is monitored by my team?

EXPERT RESPONSE
It's not clear whether you report to the IT group or directly to the compliance officer, and the answer to your question will vary depending on where you are in the organizational hierarchy.

In general, the security officer's main job is to develop and run the security program. A lot of the blocking and tackling is increasingly being integrated into the operational groups (networks, data center, desktop, applications) and it's the job of the CSO to evangelize the entirety of the program and persuade each of the operational managers to work together and deploy a layered security environment.

Now if you work for the compliance officer, then you are basically in charge of implementing the security program, and that's fine. But you should have a hand in developing the program as well because it's really hard to implement something you don't help build.

To be clear, I do not recommend delegating the development of the program. It's a bit wacky to think someone other than the security officer's team is better positioned to understand what needs to be protected and how it should be taken care of, and then to define program success and manage milestones.

For more information:

Learn why it's important to keep enterprise networking and security roles separate.

In this tip, Khaild Kark explains how to develop controls for people, processes and technology.

Sound Off! -

Be the first to post a message to Sound Off!

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Security Management
	Is it against HIPAA regulations to permanently store sensitive information?
	Two-tier distributed systems vs. three-tier distributed systems
	How to prevent software piracy
	How do ISO 17799 and SAS 70 differ?
	Has FFIEC made any VoIP-specific mandates?
	What is the best way to administer exams to students via computer?
	Should computer exams be transmitted as PDF files or Word files?
	Is it against HIPAA regulations to display client names?
	Getting started on a career in penetration testing
	Are there security management products that can track compliance objectives?

Information Security Jobs

CISOs adapt as compliance requires strategic thinking

CISOs Must Innovate to Enable Business

RSA 2008: Financial industry security challenges

The road from network administrator to information security professional

Getting started on a career in penetration testing

What Web security initiatives can be taken on a college campus?

Getting your career in infrastructure security started

Security career retrospection

Rethinking certifications

Strategies for landing a security management position

Creating and Managing Information Security Policies

Security Awareness Training Essential Part of Infosec Program

How to lock down instant messaging in the enterprise

Worst practices: Bad security incidents to avoid

Thompson calls for marriage of data and security management

Companies Collecting Too Much Customer Data Increase Exposure

Interview: Arizona CISO David VanderNaalt

Incident response success in five quick steps

Social networking Web site threats manageable with good enterprise policy

IT GRC: Combining disciplines for better enterprise security

Security management in 2008: What's in store

Creating and Managing Information Security Policies Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

CSO (SearchSecurity.com)

security clearance (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Advanced Search | Site Index

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy