Special Features
The Corporate Information Assurance Officer (CIAO) [1]
CIAO Position
The CIAO’s position requires someone whose education and experience go well beyond those of “just a computer techie” or someone who “knows physical security”. In fact, the CIAO’s duties are believed to be roughly 75% management and 25% actual IA work. However, don’t be misled: the CIAO must be educated and experienced in all aspects of both professions, as well as in management. Therefore, whoever assumes that position should generally have, as a minimum, the following
CIAO Duties and Responsibilities
There has always been great debate about where in the corporation the CSO or CISSO should report. In the “old days”, when information and information systems were not as vital and vulnerable to the corporation as they are today, “stuffing” the function into the human resources, finance, legal or some other ill-fitting department was bad enough. Today it is unconscionable!
The CIAO must report to the CEO or president of the corporation. Nothing lower is logical and nothing lower can get
Information Assurance Goals & Objectives
The CIAO must have goals and objectives, and these must directly support the goals and objectives of the corporation. Since any corporate IA program is centred on providing the service and support needed to meet the corporation’s goals and objectives, this is quite logical.
The CIAO’s IA Goal
The CIAO’s primary goal: (1) administration and management of an innovative IA program that provides total protection to corporate information and to the information of its customers and others held in trust by the corporation; (2) implementation and maintenance of protective and defensive measures at the least impact to costs and schedules, while meeting all of the corporation’s and customers’ (internal and external) reasonable expectations.
This goal sounds very bureaucratic,
The CIAO’s IA Objective
It is assumed that the CIAO will be responsible for managing an IA organization in order to meet the needs of the corporation. The CIAO’s objectives should include the following:
- Enhance the quality, efficiency, and effectiveness of the IA organization.
- Identify potential problem areas and strive to mitigate them before corporate management and/or customers identify them.
- Enhance the corporation’s ability to attract customers because of the ability to efficiently and effectively protect
Leadership Position
The CIAO must be in a leadership position. In that position, it is extremely important that the CIAO understands what a leader is and how a leader is to act. According to the definition of leadership found in numerous dictionaries and management books, it is basically the position or guidance of a leader; the ability to lead; the leader of a group; a person who leads; the directing, commanding, or guiding head of a group or activity. As a leader, the corporation’s CIAO must set the
Providing IA Service and Support
As the CIAO and leader of an IA service and support organization, the CIAO must be especially tuned to the needs, wants and desires of the corporation’s customers.
To provide service and support to the corporation’s external customers, the CIAO must:
- identify their information protection needs;
- meet their reasonable expectations;
- show by example that the IA program can meet their protection expectations;
- treat customer satisfaction as priority number one;
- encourage feedback and listen;
- understand
Use Team Concepts
It is important for the CIAO to understand that the IA Program is a corporate program. To be successful, the CIAO cannot operate independently, but as a team leader, with a team of others who also have a vested interest in the protection of the company’s information and information systems.
The IA Program must be “sold” to the management and staff of the corporation. If it is presented as a law that must be followed or else, then it will be doomed to failure. The CIAO will never have enough
Vision, Mission, and Quality Statements
Many of today’s modern corporations have developed vision, mission, and quality statements using a hierarchical process. In other words, they flow up and down the management chain. The statements should link all levels in the management and organizational chain. The statements of the lower levels should be written and used to support the upper levels and vice versa.
The following examples can be used by the CIAO to develop such statements, if they are necessary.
Vision Statements
In many of today’s businesses, management develops a vision statement. The vision statement is usually a short paragraph that attempts to set the strategic goal, objective or direction of the company. It is:
- clear, concise and understandable by the employees;
- connected to ethics, values and behaviours;
- states where the corporation wants to be (long term);
- sets the tone; and
- sets the direction for the corporation.
An IA vision statement may be to: provide the most efficient and effective IA program
Mission Statements
Mission statements are declarations as to the purpose of a business or government agency.
An IA mission statement may be to administer an innovative IA program which minimizes security risks at least impact to cost and schedule, while meeting all of the corporation’s and customers’ IA requirements.
Quality Statements
Quality is what adds value to the corporation’s products and services. It is what the corporation’s internal and external customers should also expect from the CIAO.
An IA quality statement may be to consistently provide quality IA professional services and support that meet the customers’ requirements and reasonable expectations, in concert with good business practices and company guidelines.
Project and Risk Management Processes
Two basic processes that are an integral part of an IA program are project management and risk management.
Summary
The Corporate Information Assurance Officer (CIAO), positioned at the executive level, is needed in today’s information-driven and information-dependent corporation. The position requires someone who has the education and experience to lead a corporation’s IA efforts. The position calls for someone who understands systems; security; the criminal mind and methods; global business; and the risks to information and how to mitigate those risks cost-effectively. The CIAO must be focused on
Dr Gerald L. Kovacich, CFE, CPP, CISSP, is an author, lecturer and researcher. More of his writing and information about him can be found at his website: www.shockwavewriters.com.
Cited by (3)
- Critical success factors and requirements for achieving business benefits from Information Security. 2007, Proceedings of the European and Mediterranean Conference on Information Systems, EMCIS 2007.
- Mastering the art of corroboration: A conceptual analysis of information assurance and corporate strategy alignment. 2007, Journal of Enterprise Information Management.
- Management and the management of information, knowledge-based and library services 2001. 2002, Library Management.
[1] Portions of this article are taken from Dr. Kovacich’s co-authored book, Information Assurance: Surviving in the Information Environment, to be published by Springer-Verlag (London) in August 2001.