Information Security Roles and Responsibilities Made Easy

Book Review
by John Machin, SC Magazine

The many aspects of setting up a security function program in an organization can be hard to understand, let alone perform. Charles Cresson Wood’s latest book, published by Information Shield, aims to help organizations through the issues. Though written largely with a North American audience in mind, the book includes many standard practices, which have been effective worldwide.

Information Security Roles and Responsibilities Made Easy is best described as a reference manual, although it is also more than that, as explained below. It is aimed at large organizations that can afford to implement a fully scaled security function. The author, however, recognizes that smaller organizations often have to operate with restricted budgets and resources that are not required on a full-time basis. There is a chapter that deals specifically with options available to smaller organizations.

The book provides, in an easy-to-digest format, what is required to develop information security job descriptions, mission statements and reporting relationships. The author recognizes that IT security is not merely the responsibility of the IT security department, but of the whole enterprise.

The earlier sections of the book deal with information security roles and responsibilities within an organization. The author describes, at some length, the steps required. The book gives good examples of various security based memos and manuals such as risk acceptance memos and the information security policy manual that should be found in a large organization.

The middle section of the book deals with what the author calls mission statements. These are designed to be partial mission statements dealing with the wide-ranging information security responsibilities of various departments. The examples given are informative and cover a wide range of departments, from internal audit to facilities management and outsourcing. Information security staff responsibilities and duties are extensively detailed. The author also touches on information security-related responsibilities and roles for the likes of the chief financial officer and the purchasing agent, in line with the premise that the whole organization must be involved in security.

A further chapter is devoted to information security reporting lines and responsibilities, including the relative merits of centralized and decentralized structures. Here the author discusses various possible reporting lines for information security in organizational chart format and goes on to discuss the pros and cons of each. Examples of these include reporting via the technology department to the strategy and planning department.

A crucial feature of this publication is not merely the information and guidance contained in the 255 pages of the hardcover book. Included in the price is an organization-wide license to republish materials. The accompanying CD-ROM contains what Information Shield describes as “cut-and-paste ready-to-go words” – in other words, do-it-yourself security documents, which the licensed organization may utilize quickly and easily to set up their own documentation.

In conclusion, although this book may not portray anything radically new, it brings the various information on IS under one roof. With the inclusion of the CD-ROM and publication license it is more than just a source of good reference material, it is an excellent resource designed to be easily adapted to an organization’s needs.