Computers & Security

Volume 20, Issue 4, 31 July 2001, Pages 302-307
Special Features
The Corporate Information Assurance Officer (CIAO)1

https://doi.org/10.1016/S0167-4048(01)00404-7

Section snippets

CIAO Position

The CIAO’s position requires someone whose education and experience go well beyond those of “just a computer techie” or someone who “knows physical security”. In fact, the CIAO’s duties are believed to be somewhere between 75% management and 25% actual IA work. However, don’t be misled: the CIAO must be educated and experienced in all aspects of both professions, as well as in management. Therefore, whoever assumes that position should generally have, as a minimum, the following

CIAO Duties and Responsibilities

There has always been great debate about where in the corporation the CSO or CISSO should report. In the “old days”, when information and information systems were not as vital and vulnerable to the corporation as they are today, “stuffing” the function into the human resources, finance, legal department or some other ill-fitting organization was bad enough. Now, however, it is unconscionable!

The CIAO must report to the CEO or president of the corporation. Nothing lower is logical and nothing lower can get

Information Assurance Goals & Objectives

The CIAO must have goals and objectives. These must directly support the goals and objectives of the corporation. Since any IA program for a corporation is centred on providing service and support to meeting the corporation’s goals and objectives, this is quite logical.

The CIAO’s IA Goal

The CIAO’s primary goal is: (1) administration and management of an innovative IA program which provides total protection to corporate information and to the information of its customers and others held in trust by the corporation; and (2) implementation and maintenance of protective and defensive measures at the least impact to costs and schedules, while meeting all of the corporation’s and customers’ (internal and external) reasonable expectations.

This goal sounds very bureaucratic,

The CIAO’s IA Objective

It is assumed that the CIAO will be responsible for managing an IA organization in order to meet the needs of the corporation. The CIAO’s objectives should include the following:

  • Enhance the quality, efficiency, and effectiveness of the IA organization.

  • Identify potential problem areas and strive to mitigate them before the corporate management and/or customers identify them.

  • Enhance the corporation’s ability to attract customers because of the ability to efficiently and effectively protect

Leadership Position

The CIAO must be in a leadership position. In that position, it is extremely important that the CIAO understands what a leader is and how a leader is to act. According to the definitions of leadership found in numerous dictionaries and management books, it is basically about the position or guidance of a leader, the ability to lead, or the leader of a group: a person who leads; the directing, commanding or guiding head, as of a group or activity. As a leader, the corporation’s CIAO must set the

Providing IA Service and Support

As the CIAO and leader of an IA service and support organization, the CIAO must be especially tuned to the needs, wants and desires of the corporation’s customers.

To provide service and support to the corporation’s external customers, the CIAO must:

  • identify their information protection needs;

  • meet their reasonable expectations;

  • show by example that the IA program can meet their protection expectations;

  • treat customer satisfaction as priority number one;

  • encourage feedback and listen;

  • understand

Use Team Concepts

It is important for the CIAO to understand that the IA Program is a corporate program. To be successful, the CIAO cannot operate independently, but as a team leader, with a team of others who also have a vested interest in the protection of the company’s information and information systems.

The IA Program must be “sold” to the management and staff of the corporation. If it is presented as a law that must be followed or else, then it will be doomed to failure. The CIAO will never have enough

Vision, Mission, and Quality Statements

Many of today’s modern corporations have developed vision, mission, and quality statements using a hierarchical process. In other words, they flow up and down the management chain. The statements should link all levels in the management and organizational chain. The statements of the lower levels should be written and used to support the upper levels and vice versa.

The following examples can be used by the CIAO to develop such statements, if they are necessary.

Vision Statements

In many of today’s businesses, management develops a vision statement. The vision statement is usually a short paragraph that attempts to set the strategic goal, objective or direction of the company. It is:

  • clear, concise and understandable by the employees;

  • connected to ethics, values and behaviours;

  • states where the corporation wants to be (long term);

  • sets the tone; and

  • sets the direction for the corporation.

An IA vision statement may be to: provide the most efficient and effective IA program

Mission Statements

Mission statements are declarations as to the purpose of a business or government agency.

An IA mission statement may be to administer an innovative IA program which minimizes security risks at the least impact to cost and schedule, while meeting all of the corporation’s and customers’ IA requirements.

Quality Statements

Quality is what adds value to the corporation’s products and services. It is what the corporation’s internal and external customers should also expect from the CIAO.

An IA quality statement may be to consistently provide quality IA professional services and support that meet the customers’ requirements and reasonable expectations, in concert with good business practices and company guidelines.

Project and Risk Management Processes

Two basic processes that are an integral part of an IA program are project management and risk management.

Summary

The Corporate Information Assurance Officer (CIAO), positioned at the executive level, is needed in today’s information driven and information dependent corporation. The position requires someone who has the education and experience to lead a corporation’s IA efforts. The position calls for someone who understands: systems; security; the criminal mind and methods; global business; as well as the risks to information and how to mitigate those risks cost-effectively. The CIAO must be focused on

Dr Gerald L. Kovacich, CFE, CPP, CISSP, is an author, lecturer and researcher. More of his writing and information about him can be found at his website: www.shockwavewriters.com.


1. Portions of this article are taken from Dr. Kovacich’s co-authored book, Information Assurance: Surviving in the Information Environment, to be published by Springer-Verlag (London) in August 2001.