Page 84 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

under the CISO that focuses on physical security. Another potential term for the CISO is information security officer (ISO), but this also can be used as a subposition under the CISO.

Elements of security management planning include defining security roles; prescribing how security will be managed, who will be responsible for security, and how security will be tested for effectiveness; developing security policies; performing risk analysis; and requiring security education for employees. These efforts are guided through the development of management plans.
The best security plan is useless without one key factor: approval by senior management. Without senior management's approval of and commitment to the security policy, the policy will not succeed. It is the responsibility of the policy development team to educate senior management sufficiently so that it understands the risks, liabilities, and exposures that remain even after the security measures prescribed in the policy are deployed. Developing and implementing a security policy is evidence of due care and due diligence on the part of senior management. If a company does not practice due care and due diligence, managers can be held liable for negligence and held accountable for both asset and financial losses.

A security management planning team should develop three types of plans, as shown in Figure 1.3.

FIGURE 1.3 Strategic, tactical, and operational plan timeline comparison