CISO Leadership Overview
Cyber Security Mind Map Examples:
Free Cloud Mind Map Website: Mind Mup2 - https://drive.mindmup.com/
A CISO (Chief Information Security Officer) has a complex role within a company, with a wide array of tasks involving many different parts of the business that the average individual is not always aware of.
The CISO Mind Map is an overview of the responsibilities and ever-expanding role of the CISO. This Security Leadership poster, made by SANS, shows exactly the matters a CISO needs to mind when creating a world-class IT security team. It also highlights the essential features of a Security Operations Centre (SOC).
To make this chart more practical, I put its items into tables and will update them with some technologies and thoughts applied in my daily work. This update will continue over the long term. It will be put into the navigation bar for easy access.
Note: ISO = Information Security Office
Another CISO Mind Map example:
Note: The original image concept was created by Rafeeq Rehman and later redesigned by Momentum Partners.
===================================================================
| Security Operations | | |
|---|---|---|
| Prevention | Detection | Response |
| Legal and Regulatory | | | |
|---|---|---|---|
| Compliance | Privacy | Audit | Investigation |
| Intellectual Property | Contract Review | Customer Requirements | Lawsuit Risk & Acts |
| Risk Management | | |
|---|---|---|
| Risk Framework | Risk Assessment Methodology | Business Impact Analysis |
| Risk Assessment Process | Risk Analysis and Quantification | Security Awareness |
| Vulnerability Management | Vendor Risk Management | Physical Security |
| Disaster Recovery (DR) | Business Continuity Planning | Risk Treatment |
| Policies and Procedures | | |
| Business Enablement | | |
|---|---|---|
| Product Security | Cloud Computing | Mobile |
| Emerging Technologies | Mergers and Acquisitions | |
| Governance | | |
|---|---|---|
| Strategy | Business Alignment | Risk Management |
| Program Frameworks | Control Frameworks | Program Structure |
| Program Management | Communications Plan | Roles and Responsibilities |
| Workforce Planning | Resource Management | Data Classification |
| Security Policy | Create a Security Culture | Security Training |
| Metrics and Reporting | IT Portfolio Management | Change Management |
| Board Communications | | |
| Identity and Access Management | | |
|---|---|---|
| Provisioning/Deprovisioning | Single Sign On (SSO) | Federated Single Sign On (FSSO) |
| Multi-Factor Authentication | Role-Based Access Control (RBAC) | Identity Store (LDAP, Active Directory) |
| Leadership Skills | | |
|---|---|---|
| Business Strategy | Industry Knowledge | Business Acumen |
| Communication Skills | Presentation Skills | Strategic Planning |
| Technical Leadership | Security Consulting | Stakeholder Management |
| Negotiations | Mission and Vision | Values and Culture |
| Roadmap Development | Business Case Development | Project Management |
| Employee Development | Financial Planning | Budgeting |
| Innovation | Marketing | Leading Change |
| Customer Relationships | Team Building | Mentoring |
===================================================================
What is the job of Chief Information Security Officer (CISO) in ISO 27001?
Compliance:
- Develop the list of interested parties related to information security (see also How to identify interested parties according to ISO 27001 and ISO 22301)
- Develop the list of requirements from interested parties
- Remain in continuous contact with authorities and special interest groups
- Coordinate all efforts related to personal data protection
Documentation:
- Propose the draft of main information security documents – e.g., Information security policy, Classification policy, Access control policy, Acceptable use of assets, Risk assessment and risk treatment methodology, Statement of Applicability, Risk treatment plan, etc.
- Be responsible for reviewing and updating main documents
Risk management:
- Teach employees how to perform risk assessment
- Coordinate the whole process of risk assessment (see also: ISO 27001 risk assessment & treatment – 6 basic steps)
- Propose the selection of safeguards
- Propose the deadlines for safeguards implementation
Human resources management:
- Perform background verification checks of job candidates
- Prepare the training and awareness plan for information security (see also How to perform training & awareness for ISO 27001 and ISO 22301)
- Perform continuous activities related to awareness raising
- Perform induction training on security topics for new employees
- Propose disciplinary actions against employees who caused a security breach
Relationship with top management:
- Communicate the benefits of information security (see also Four key benefits of ISO 27001 implementation)
- Propose information security objectives (see also ISO 27001 control objectives – Why are they important?)
- Report on the results of measuring
- Propose security improvements and corrective actions
- Propose budget and other required resources for protecting the information
- Report important requirements of interested parties
- Notify top management about the main risks
- Report about the implementation of safeguards
- Advise top executives on all security matters
Improvements:
- Ensure that all corrective actions are performed
- Verify if the corrective actions have eliminated the cause of nonconformities
Asset management:
- Maintain an inventory of all important information assets
- Delete the records that are not needed any more
- Dispose of media and equipment no longer in use, in a secure way
Third parties:
- Perform risk assessment for activities to be outsourced
- Perform background check for candidates for outsourcing partners
- Define security clauses that must be part of an agreement
Communication:
- Define which type of communication channels are acceptable and which are not
- Prepare communication equipment to be used in case of an emergency / disaster
Incident management:
- Receive information about security incidents
- Coordinate response to security incidents
- Prepare evidence for legal action following an incident
- Analyze incidents in order to prevent their recurrence
Business continuity:
- Coordinate the business impact analysis process and the creation of response plans
- Coordinate exercising and testing
- Perform post-incident review of the recovery plans
Technical:
- Approve appropriate methods for the protection of mobile devices, computer networks and other communication channels
- Propose authentication methods, password policy, encryption methods, etc.
- Propose rules for secure teleworking
- Define required security features of Internet services
- Define principles for secure development of information systems
- Review logs of user activities in order to recognize suspicious behavior
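The last item in the Technical list, reviewing user activity logs to recognize suspicious behavior, is the one responsibility here that turns into concrete detection logic. The following is an added example, not part of the original post and not a SANS or ISO 27001 artifact: a small Python reviewer that reads constructed authentication log lines (the `<timestamp> <result> user=<name> src=<ip>` layout is assumed for illustration, not taken from any real product) and flags three classic patterns a security officer would want surfaced: a burst of failed logins for one account, a successful login outside business hours, and one account succeeding from more than one source address within a short window. Thresholds, window and business hours are parameters so they can be tuned to the organisation's own password policy and working pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from any real system). Assumed layout:
# "<ISO timestamp> <success|failure> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T09:02:11 success user=alice src=10.0.0.5
2024-03-04T09:05:40 failure user=bob src=10.0.0.9
2024-03-04T09:05:52 failure user=bob src=10.0.0.9
2024-03-04T09:06:03 failure user=bob src=10.0.0.9
2024-03-04T09:06:15 failure user=bob src=10.0.0.9
2024-03-04T09:06:30 failure user=bob src=10.0.0.9
2024-03-04T09:07:00 success user=bob src=10.0.0.9
2024-03-04T10:15:00 success user=carol src=10.0.0.7
2024-03-04T10:20:00 success user=carol src=203.0.113.44
2024-03-04T23:41:19 success user=dave src=10.0.0.3
"""

LINE_RE = re.compile(r"^(\S+) (success|failure) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "result": result, "user": user, "src": src}


def parse_log(text):
    """Parse all well-formed lines and return them sorted by timestamp."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def _count_in_window(events, start, end, window):
    """Advance `start` so that events[start:end+1] all fall inside `window`; return new start."""
    while events[end]["ts"] - events[start]["ts"] > window:
        start += 1
    return start


def review_logs(text, fail_threshold=5, window=timedelta(minutes=5), business_hours=(8, 18)):
    """Return a list of (rule, user, detail) findings for the reviewer to follow up."""
    events = parse_log(text)
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        (failures if e["result"] == "failure" else successes)[e["user"]].append(e)

    findings = []

    # Rule 1: at least `fail_threshold` failed logins for one user inside `window`.
    for user, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            start = _count_in_window(evs, start, end, window)
            if end - start + 1 >= fail_threshold:
                findings.append(("failed-login-burst", user,
                                 f"{end - start + 1} failures within {window}"))
                break  # one finding per user is enough for triage

    # Rule 2: successful login outside the configured business hours.
    lo, hi = business_hours
    for user, evs in successes.items():
        for e in evs:
            if not (lo <= e["ts"].hour < hi):
                findings.append(("off-hours-login", user, e["ts"].isoformat()))

    # Rule 3: successful logins for one user from more than one source inside `window`.
    for user, evs in successes.items():
        start = 0
        for end in range(len(evs)):
            start = _count_in_window(evs, start, end, window)
            srcs = {x["src"] for x in evs[start:end + 1]}
            if len(srcs) > 1:
                findings.append(("multi-source-login", user, ", ".join(sorted(srcs))))
                break

    return findings


if __name__ == "__main__":
    for rule, user, detail in review_logs(SAMPLE_LOG):
        print(f"{rule:20} {user:8} {detail}")
```

Run as a script it prints one line per finding; imported, `review_logs` returns them as tuples so they can be fed into a ticketing or SIEM pipeline. Each rule is deliberately a whitelist-free heuristic: tuning the threshold, window and hours to the organisation's own policy is the security officer's job, which is exactly the "propose password policy" and "review logs" duties the list above assigns to the role.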