Information Security Management SIG (former CISO)

A Chief Security Officer is usually a senior level executive within an organisation responsible for information security. This may include systems, network and data security; incident response and handling; regulatory compliance; risk management; and disaster recovery. They are commonplace in medium-to-large commercial companies, and are increasingly employed in government and other types of organisation. However, the concept is relatively unknown within the research and education community, and very few NRENs appear to have a designated CSO.

CISOs have become increasingly important as organisations become almost totally reliant on IT information systems. Whilst not all NRENs operate truly mission critical systems, incidents can still cause a great deal of disruption and damage, and resolving them can cost significant amounts of effort and money. In addition, there can be a significant loss of reputation that can ultimately affect the continued existence of an NREN, and even expose them to legal liabilities.

What is the role of a Chief Security Officer?

It was generally agreed that a CISO needed to advise management on security matters, and in crisis situations, even have the ability to execute emergency powers. As a result, such roles ideally needed to be part of the management team, or at least have a very close working relationship with it. A prerequisite for assessing and mitigating risks was to compile and maintain an inventory of assets, to understand operational requirements, and to define the role and extent of the CISO's responsibilities. For example, system and network security would traditionally be expected to fall under the remit of a CISO, but their role should also encompass physical access to buildings and data storage. In addition, security awareness training, a public relations policy for dealing with the press, and even a social media policy for employees may be required in the modern environment.

It should be clear that the primary responsibility of a CISO should be to assess and document potential risks to IT services, develop a policy for minimising these risks, and then to have a disaster recovery plan in the event that the worst happens. Other responsibilities might be to ensure compliance with regulatory and other legal requirements, and to implement processes that might lead to external certification in due course (which typically takes 3 to 5 years). In some circumstances, a CISO might even take a role in advising law makers in the development of appropriate legislation. It is extremely important to establish and maintain communication channels between key members of staff. It is also important that these channels are regularly tested, and possibly that periodic drills are held, to ensure that everyone in the process understands what is required from them.

What is a Special Interest Group?

The Special Interest Group (SIG) is a new instrument of TERENA. It is more like a longer-term working party, as opposed to a task force with a fixed mandate. A SIG has the following features:

  • There are no work items defined, and therefore no deliverables, no milestones, and no work item leaders assigned. There is only a Charter that defines the major objectives and planned roadmap.
  • There is no single chairman (or co-chairs) but a so-called Steering Committee that shares responsibility equally among its members (a minimum of 3-5 persons).
  • There is no expiration date defined. The TERENA Technical Committee decides on the termination of a SIG based on the measures and conditions explicitly defined in the Charter.
  • Support from TERENA personnel is provided on an on-demand basis.

More about the CISO group can be found on the TERENA Wiki.

Running period: September 2014 - N/A
