Page 83 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

expensive but is most often less costly than the absence of that security. Thus, security becomes an essential element of reliable and long-term business operation. In most organizations, money and resources, such as people, technology, and space, are limited. Due to resource limitations like these, the maximum benefit needs to be obtained from any endeavor.

One of the most effective ways to tackle security management planning is to use a top-down approach. Upper, or senior, management is responsible for initiating and defining policies for the organization. Security policies provide direction for all levels of the organization's hierarchy. It is the responsibility of middle management to flesh out the security policy into standards, baselines, guidelines, and procedures. The operational managers or security professionals must then implement the configurations prescribed in the security management documentation. Finally, the end users must comply with all the security policies of the organization.


    The opposite of the top-down approach is the bottom-up approach. In a bottom-up approach environment, the IT staff makes security decisions directly without input from senior management. The bottom-up approach is rarely used in organizations and is considered problematic in the IT industry.


Security management is a responsibility of upper management, not of the IT staff, and is considered an issue of business operations rather than IT administration. The team or department responsible for security within an organization should be autonomous. The information security (InfoSec) team should be led by a designated chief information security officer (CISO) who must report directly to senior management. Placing the autonomy of the CISO and the CISO's team outside the typical hierarchical structure in an organization can improve security management across the entire organization. It also helps to avoid cross-department and internal political issues. The term chief security officer (CSO) is sometimes used as an alternative to CISO, but in many organizations the CSO position is a subposition