Sample Work
Final Document
1. Responsibilities of Key Leaders
Points to keep in mind when writing your answers
Analyze the role of the key leaders within the organization specific to how their responsibilities are connected to the security of the organization’s information. What is the relationship between these roles?
Protecting the confidential data of a company or organization is an important part of the overall business process. Exposure, loss or corruption of such data can be expensive, can disrupt business functions and, at worst, can ruin many people's lives. Cybersecurity is not only about data privacy; most importantly, it is about people. Information security reduces the risks to, and vulnerabilities of, the system, lowering the likelihood of data breaches and providing a strong defense against cyber-attacks. By protecting sensitive information well, the continuity of business operations can be secured.
As technology continues to advance, information is more easily exposed because the number of security threats spreading in the digital world keeps increasing. Attackers take advantage of technology by innovating their methods and techniques, so the complexity of information security grows as well. This makes the role of every key leader in the organization very critical.
1. Chief Executive Officer (CEO) - The CEO is the head of the organization and is responsible for managing and maintaining its overall performance, which includes information security. The CEO ensures that the business continuously monitors its information systems. A well-documented emergency response strategy and disaster recovery plan should be established and regularly reviewed under the CEO's oversight. He or she works particularly closely with the CISO on investigations and decision-making when security issues occur.
2. Chief Information Security Officer (CISO) - The CISO, one of the C-level executives in the organization, is responsible for carrying out strategies, long-term sustainable plans and effective programs that improve information security. These strategies must remain relevant and adapt as new threats arise and evolve. The CISO guides and leads his or her staff in implementing policies and procedures, and ensures that adequate standards for reducing risk are established. The responsibilities also include preparing incident response plans for cybersecurity disasters. The CISO holds a crucial position in monitoring probable risks, identifying security issues and taking action to remove threats from the system.
3. Chief Data Officer (CDO) - The CDO is responsible for data governance, protection and privacy. He or she works with the CISO and CIO to protect data from breaches by providing business requirements and implementing data strategies. The CDO identifies data risk, produces analyses of data threats and vulnerabilities, and implements appropriate protection plans. Data must be assessed to decide whether it is essential or should be removed, since data that is not retained cannot be breached. When a data incident occurs, the CDO should investigate what went wrong with the data and how serious the impact of the incident was. He or she should analyze the damage, including an evaluation of the existing procedures and processes.
4. Chief Information Officer (CIO) - The CIO is the head of the IT department in the organization. Information systems should be aligned with the organization's overall strategy, including the information assurance plan. The CIO has a broad and deep understanding of the technical side of cybersecurity and should be able to identify vulnerabilities in business practices and which areas of the operation are prone to intrusion or threat.
The stability of information security within the organization depends on how effectively each key leader carries out his or her responsibilities. The main goal is not just to protect but to prevent as well. Their roles as one organization include the following:
1. Share insights and expertise with other stakeholders as they collaborate in establishing and implementing procedures.
2. Create a strong and effective information assurance plan.
3. Regularly monitor daily activities within the organization in relation to its information systems.
4. Create a well-defined plan and preventive measures.
5. Respond to a cybersecurity disaster when an incident occurs.
6. Identify the motive behind an attack.
7. Manage and maintain business continuity.
2. Key Ethical and Legal Considerations
Points to keep in mind when writing your answers
Evaluate key ethical and legal considerations related to information assurance that must be taken into account by the key leaders within the organization. What are the ramifications of key leaders not properly accounting for ethical and legal considerations?
Cybersecurity professionals are the protectors of the organization's records and accounts, and they handle confidential information about clients such as details of their private lives, sensitive transactions and even financial records. Since cybersecurity is critical, the ethical and legal issues must be clearly defined.
Ethical Consideration
1. Confidentiality - Staff should never disclose or share data without authorization. Information and transaction details must be handled in strict confidence.
2. Integrity - Employees should be honest and trustworthy. A lack of integrity makes the organization more prone to data breaches, since it is easy for an insider to tamper with, steal or destroy data.
3. Transparency - Customers or end users should be notified without undue delay when a data breach affecting them occurs, and within any deadlines that applicable breach-notification law imposes.
4. Security - More than anyone else in the company, cybersecurity professionals bear the first responsibility for keeping data and communications fully protected.
5. Professionalism - Professional etiquette must be observed in the organization.
Legal Consideration
1. Any legal procedure that affects employees, such as an acceptable-use or monitoring policy, must be agreed between management and the employees and documented.
2. Employees' activities on their computers and storage devices may be consistently monitored; however, employees must be informed of this policy and of the organization's legal right to monitor, and the monitoring must stay within what applicable law permits.
3. Key leaders should work as a team to take legal action in case of a security incident.
4. Key leaders should cooperate fully with the legal process and with investigations directed by law enforcement after a breach.
Ethics training must be conducted as well, and the organization should be transparent about its terms and conditions and any other legal matters. People are considered the weakest link in cybersecurity, and many breaches result from human error or insider action, often because ethical and legal considerations were not properly established and enforced. The ramifications of neglecting them are serious. The risk of security threats increases, and customers' trust suffers. If the organization frequently experiences security incidents because of negligence, it may lose many clients over trust issues, and its reputation will be severely damaged. Customers will also observe how the key leaders respond and resolve the problem, so a strong incident response and disaster recovery plan is a must. The organization's intellectual property may be compromised, resulting in lost business opportunities. Resolving cybersecurity breaches is costly, regulatory penalties and legal liability can follow, and the combined impact may lead to temporary or permanent closure.
3. Key Components of Information Assurance
Points to keep in mind when writing your answers
What are the key components of information assurance as they relate to individual roles and responsibilities within the information assurance plan? For example, examine the current policies as they relate to confidentiality, integrity, and availability of information.
1. Planning - A consistent policy and incident preparation must be created with the cooperation and agreement of everyone involved in the information assurance plan, so that each person knows which data must be kept confidential, accurate and available, and what his or her role is when an incident occurs.
2. Management - The purpose of the information assurance plan is to protect the confidentiality, integrity and availability of data. Key leaders should be able to identify potential risks and manage them by ensuring that only authorized persons can access, use or modify data, so that it cannot be disclosed, tampered with or destroyed. Software controls such as anti-malware tools can also help prevent malware that could damage the data from entering the system.
3. Communication - Keeping confidentiality is a serious matter during data exchange or electronic communication, since a man-in-the-middle attacker may intercept or alter the traffic. Cryptography is essential to keep the data protected: encryption preserves confidentiality, while message authentication or digital signatures preserve integrity and authenticity. Access must also be granted only to those who are authorized to view or use the data.
4. Monitoring - All activities related to data management must be strictly monitored to make sure that they follow the standards and policies. Key personnel must act immediately on any violation to prevent further damage. Monitoring also includes verifying the authenticity of all access to the system, which requires that users be identified and authenticated and that access be logged so violations can be detected.