Information Technology Security Roles
Abstract
The roles that information security personnel play are vital within an organization. We have analyzed three key roles, namely the CISO, the CIO, and digital forensics. These are key roles in an organization that wants to secure its information systems and data. Each role has been analyzed and the different functions performed within each role presented. This gives a clear picture of what each role performs and what is required of each role. Cybersecurity has been the main focus when analyzing these three roles. The information technology security roles will optimize and secure the organization's data assets by performing various functions that have been shown in the paper. Digital forensics has been presented and we have shown how it can be used to complement the security efforts of the organization. We have also presented how digital evidence personnel can guarantee the integrity of the evidence collected. Finally, we have listed some of the tools that digital forensics personnel can use in the performance of their duties.
The Chief Information Security Officer (CISO)
The Chief Information Security Officer (CISO) is responsible for establishing and maintaining the organization's vision, strategy, and program in order to ensure that the information assets and technologies are adequately protected. The CISO is responsible for ensuring that the organization is in compliance with internal and external policies (Goodyear, Goerdel, Portillo, & Williams, 2010). This is because the CISO is charged with analyzing how information security affects the legal requirements of the organization. For example, the CISO is required to ensure that the organization is in compliance with PCI or HIPAA laws. They are also required to write and adjust the organization's policies based on new compliance requirements and rules. The CISO is charged with anticipating new threats and actively works to prevent them from occurring in the organization. Therefore, the CISO does not wait for a security incident or data breach to take place before acting. In order to anticipate new threats, the CISO will run vulnerability scans, web application security assessments, and penetration tests. This is aimed at checking the security of the organization's systems and ensuring there is little chance of the systems being penetrated or attacked. In carrying out this role, they are checking to see that the hardware and software configurations of the organization and those of its vendors are in compliance with regulatory and organization standards. A CISO is also the link between different departments within the organization, and all their third parties, as far as cybersecurity is concerned. The CISO not only manages the information security team, but also has to manage different teams within the organization with regard to the security of information (Conklin & McLeod, 2009). For this reason, the CISO should have good relationships with, and visibility at all times into, the vendors or departments they are working with.
In order to reduce the operational risks that the organization might be faced with if a security attack was to take place, the CISO must closely work with other executives in different departments to ensure that the security systems are working smoothly.
The competencies that a CISO could perform are security risk management, data security, and systems and application security. Security risk management is the continuous process of analyzing organization systems in order to identify security risks and implement strategies that will address the identified risks. Security risks are determined by considering the likelihood of known threats exploiting vulnerabilities within the organization's systems and the impact that these vulnerabilities would have on the organization's valuable assets. Once the risks and vulnerabilities have been identified, it is vital to implement strategies that would seal the vulnerabilities and ensure that the risk is mitigated before it happens (Goodyear et al., 2010). Data security refers to protecting digital data from any destructive forces and from unwanted actions like a cyber attack or a data breach. Data security is a vital aspect of information technology for any organization, and it is used to ensure that there is no unauthorized access to the computers, websites, and databases of the organization. Preventing data from corruption is also an aspect of data security. Some of the data security technologies that can be employed include backups, encryption, data masking, and data erasure. Data security is mostly ensured by requiring authentication of the users accessing and using the data. Systems and application security refers to the use of hardware, software, and procedural methods in order to protect the organization's applications from external threats. This will entail ensuring that applications and systems have security measures built into them in order to minimize the risk of unauthorized code or access to the systems. The CISO is required to work closely with the vendors to check on the systems and applications they are applying in order to ensure that they are in compliance with the organization's security policies.
Some of the countermeasures that can be used in an organization to protect systems and applications are firewalls, anti-virus programs, biometric authentication systems, and spyware detection and removal programs.
The Chief Information Officer (CIO)
The Chief Information Officer (CIO) is responsible for planning and implementing the information technology strategy that is aimed at meeting the organization's business needs. He/she is also responsible for the management and strategic use of information, information technology, and information systems. The CIO will work with other members of the executive team in order to identify how information technology can assist the organization to achieve its business and financial goals (Lee & Shin, 2015). For example, using technology the organization can streamline its business processes, improve the quality of customer service, and increase employee productivity. The CIO will be charged with developing a strategy aimed at achieving business goals and will recommend investments that can deliver measurable results like a 3 percent reduction in order-processing costs or a 4 percent improvement in the productivity of the employees. Another function of the CIO is resource utilization. The CIO is responsible for ensuring that the available network infrastructure and information technology support the organization's computing, communication, and data processing needs. If it is established that the organization needs greater capacity, it is the CIO's responsibility to make decisions on the solutions that the organization needs in order to meet the additional needs at the lowest cost possible. The CIO is also required to weigh the need for additional capacity against the risk of having resources that would be underutilized most of the time (National Cyber Security Division, 2007).
The CIO should be able to recognize and respond to the changing requirements and demand for IT security within an organization. This will be done by evaluating new and emerging IT security technologies with the aim of identifying the technologies that would be best suited to the organization. For example, there is an increased need for collaboration and this has resulted in the deployment of wireless networking infrastructure in most organizations. The CIO will be required to analyze the impact that this new requirement would have on the organization's IT security and develop the necessary policies to ensure that there is no likelihood of a data breach or any other security risk. IT policy implementation is another function of the CIO (Lee & Shin, 2015). Once policies have been developed and approved, there is a need to ensure that they have been properly and fully implemented so that the organization is operating in compliance with the necessary laws and corporate policies. It is the responsibility of the CIO to evaluate how the organization is complying with the policies and establish whether the policies are effective for the organization. For example, a policy that requires the employees of the organization not to use their personal devices to access organization systems and applications would be aimed at protecting the organization from external attacks emanating from these devices. It is the work of the CIO to evaluate how effective this policy is and whether there is a need to offer additional security in order to cover the employee devices.
Developing a formal security awareness, training, and educational program will provide the CIO with these two security assurances: compliance with published policies and securing the organization's information systems. Compliance with published policies ensures that the organization is complying with its own information security and privacy policies, which ensures that the policies are enforced within the organization. Therefore, educating the employees on the information security and privacy roles especially how they support the published policies, procedures, and standards will give the employees a better understanding of what is required. The awareness and training activities should include a review of the organization's policies and address any issues that might be raised by the employees or identified by the organization. Training should be ongoing to ensure that the employees are always aware of new changes and that they understand the policies fully. If the employees do not understand how to handle information by following the laid-out policies then the organization is likely to suffer or have its information mishandled. This might lead to unauthorized individuals gaining access to the information resulting in a data breach for the organization.
Any security strategy will only be effective if the employees are properly trained on the strategy. In order to secure the organization's information systems, the CIO should ensure that the employees receive proper information security awareness training. The goal of the training would not merely be to educate the employees on the potential security threats that they might face and how to prevent them. The main goal should be to change the organizational culture in order to focus on the importance of security. Once employees are able to understand how vital security is to themselves and to the organization, they are highly likely to take it seriously and the organization becomes much safer. Another goal of the training would be to get buy-in from the employees, which would serve as an additional layer of defense. With buy-in from the employees, the CIO can shift focus to ensuring that the employees have the necessary information they need in order to secure the organization's information systems (National Cyber Security Division, 2007). The program should also cover the different types of security threats, such as malware, trojans, viruses, phishing, and social engineering. This will inform the employees about what they are likely to be faced with and how they can handle the different security threats.
The Digital Forensics Professional
Digital forensics is the collection, processing, analysis, preservation, and presentation of computer-related evidence. The evidence might include but is not limited to data retrieval, password cracking, and locating hidden information. Digital forensics is the use of information systems knowledge together with legal knowledge to analyze the digital evidence acquired, processed, and stored in a legally acceptable manner (Garfinkel, 2010). It is mainly used for investigations after an incident has taken place or when there is suspicion of an incident that involved the breach of organization policies. The digital forensics tools can also be used to recover lost files, which would ensure that the organization does not suffer huge losses due to corrupted hard disks. Digital forensics complements the overall security functions of the organization in that it allows the organization to strengthen its security functions by having a method of uncovering what made it possible for an incident to occur. With this knowledge, an organization can implement better security policies and strategies that are aimed at sealing the loophole or vulnerability. Digital forensics also allows the organization to use the evidence collected in order to defend the organization against an employee who might have committed fraud or gathered information from the organization illegally. This would ensure that the organization is able to maintain its reputation to the outside world, showing that it is able to protect its information. It is vital that organizations ensure that the employees are not misusing the information or information systems. Using digital forensics, the organization can carry out investigations for monitoring the activities of the employees in order to ensure they do not misuse the organization's information systems.
Carrying out digital forensics on a regular basis will allow the organization to uncover if there have been external attempts to access the systems and if the attempts were successful and how much information was accessed. This would complement the security aspect of preventing unauthorized access to the organization's information systems and allow the organization to seal the vulnerabilities as soon as they are uncovered (Garfinkel, 2010).
Operational Duties of Digital Forensic Personnel
The digital forensics personnel should be well trained on how to handle, collect, and preserve digital evidence. The personnel are charged with ensuring that the evidence they collect is well preserved because digital evidence is extremely volatile and is easily lost or distorted. Therefore, they should always come prepared to handle and preserve the data in a manner that will ensure that it does not get distorted or destroyed. Before any digital evidence collection can begin, the personnel need to ensure that they have the legal authority to conduct the forensic examination. The personnel should work closely with the organization's counsel to ensure that they are performing their duties within the required bounds. This will ensure that the evidence collected is legal and can be used in a court of law. This will also ensure that the forensic investigation has integrity and the evidence can be relied upon. As noted earlier, digital data can be altered easily and there are environmental conditions that can affect the integrity of the data on storage media. Therefore, the forensic personnel must ensure that the data is not unintentionally altered during and after the acquisition process (Garfinkel, 2010). Organizations should ensure that they store and handle data in a manner that prevents accidental destruction or alteration by human activity or environmental conditions. The forensic personnel are also required to document all they are doing and the results of the forensic audit. This will ensure that what has been done is documented and a report presented detailing the findings of the digital investigation.
Technical Resources Available to The Digital Forensics Professional
· Open Computer Forensics Architecture (OCFA)
· Computer Aided Investigative Environment (CAINE)
· Registry Recon
References
Conklin, W. A., & McLeod, A. (2009). Introducing the information technology security essential body of knowledge framework. Journal of Information Privacy and Security, 5(2), 27-41.
Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Digital Investigation, 7, S64-S73.
Goodyear, M., Goerdel, H. T., Portillo, S., & Williams, L. (2010). Cybersecurity management in the states: The emerging role of chief information security officers.
Lee, Y., & Shin, Y. (2015). A design on information security occupational classification for future convergence environment. Journal of Society for e-Business Studies, 20(1).
National Cyber Security Division. (2007). Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development. United States Department of Homeland Security, Washington, D.C.