Management: Duties: What duties does the information IP Lead have?
Options:
Option 1: The security lead can specify and verify, but not manage protection activities
Option 2: The security lead can manage protection activities, but not specify or verify
Option 3: The security lead can mix combinations of management and specification and verification, but not for the same item.
Option A: The security lead chairs an executive security counsel.
Option B: The security lead has direct peer-to-peer contact with the heads of the area of the enterprise.
Option C: The security lead is a member of an executive security counsel including executives from the area.
Option S: The security lead can specify protection activities.
Option O: The security lead can operate protection activities.
Option E: The security lead can verify protection activities.
Basis:
The Information Protection Lead (IP Lead) can specify and verify, but not manage/perform protection activitiesIn many large enterprises, the IP Lead performs executive functions in specification and verification of the protection program but does not directly manage/perform any execution of protection functions. This is done by operations under the CIO.
The IP Lead can manage/perform protection activities, but not specify or verify
When the IP Lead works for the CIO, they are often put in a position of operating the protection program instead of specifying and verifying it. This generally means that the IP Lead is in too low a position for the job to get properly done, however; in smaller enterprises or immature ones, this may be the best solution to getting the most knowledge to the protection program.
The IP Lead can mix combinations of management/performance and specification and verification, but not for the same item.
In some more mature enterprises, the IP Lead manages many elements of the business functions and assurance processes and only specifies and verify the operational aspects run by the IP Lead.
The IP Lead chairs an executive security counsel.
The IP Lead should chair an executive level counsel that meets periodically, at least quarterly, and with the top executive involved in each area where the IP Lead specifies how protection will operate. This is necessary in order to make certain that coordination is properly done and that power and influence issues are addressed.
The IP Lead has direct peer-to-peer contact with the heads of the area of the enterprise.
The IP Lead should generally have peer-to-peer relationships with
those in charge of each area involved in information protection. If
this is not in place, it create failures in the protection program
that ultimately result in large-scale protection failures. This is a
heated political issue in many enterprises, as the CEO places the IP Lead
under the CIO, and the CIO prevents the IP Lead from doing their job or
communicating with other appropriate individuals required in order for
the protection program to operate properly. The CEO or COO is
responsible for such failures and they should act to mitigate the
situation if it exists.
The IP Lead is a member of an executive security counsel including executives from the area.
In cases where the IP Lead operates part of the program by managing
the direct execution of the functions, they should be a member of the
executive level counsel that makes the decisions on how to specify the
requirements and verifies proper operation. This is necessary in order
to have the information required to get the job done effectively.
The roles of the IP Lead are limited by requirements for separation of duties. In particular, any one individual who specifies, performs, and verifies any particular activity is essentially able to subvert that activity in its entirety. For that reason, any activity that is important enough to assure should be assured with separation of duties. Indeed, as risk goes up, more separation is reasonably applied. Thus the decision is about how to separate the duties of the IP Lead.
Specify:The IP Lead can specify protection
activities.
Specifying an activity implies the ability to bound
its scope and mandate its implementation. Generally, specifications
are not so complete or perfect that they are implementable as is
in performance.
Perform: The IP Lead can perform protection
activities.
Performing an activity implies that specific
actions are taken. They are supposed to reflect the specification, but
do not always precisely do so.
Verify: The IP Lead can verify protection
activities.
Verifying an activity implies determining whether
and to what extent, the specification was properly performed or the
performance properly varied from the specification. Hindsight is often
touted as 20/20, but then history is often rewritten by the victors.