We hold the Certified Information Security Manager (CISM) certification and can perform the following tasks:
Information Security Governance
Establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
- Develop an information security strategy aligned with business goals and objectives.
- Align the information security strategy with corporate governance.
- Develop business cases justifying investment in information security.
- Identify current and potential legal and regulatory requirements affecting information security.
- Identify drivers affecting the organization (e.g., technology, business environment, risk tolerance, geographic location) and their impact on information security.
- Obtain senior management commitment to information security.
- Define roles and responsibilities for information security throughout the organization.
- Establish internal and external reporting and communication channels that support information security.
Information Risk Management
Identify and manage information security risks to achieve business objectives.
- Establish a process for information asset classification and ownership.
- Implement a systematic and structured information risk assessment process.
- Ensure that business impact assessments are conducted periodically.
- Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
- Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
- Integrate risk, threat and vulnerability identification and management into the life cycle processes (e.g., development, procurement and employment life cycles).
- Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.
Information Security Program Development
Create and maintain a program to implement the information security strategy.
- Develop and maintain plans to implement the information security strategy.
- Specify the activities to be performed within the information security program.
- Ensure alignment between the information security program and other assurance functions (e.g., physical, HR, quality, IT).
- Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
- Ensure the development of information security architectures (e.g., people, processes, technology).
- Establish, communicate and maintain information security policies that support the security strategy.
- Design and develop a program for information security awareness, training and education.
- Ensure the development, communication and maintenance of standards, procedures and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
- Integrate information security requirements into the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
- Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
- Establish metrics to evaluate the effectiveness of the information security program.
Information Security Program Management
Oversee and direct information security activities to execute the information security program.
- Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
- Ensure that processes and procedures are performed in compliance with the organization's information security policies and standards.
- Ensure that the information security controls agreed to in contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) are performed.
- Ensure that information security is an integral part of the systems development process.
- Ensure that information security is maintained throughout the organization's processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).
- Provide information security advice and guidance (e.g., risk analysis, control selection) to the organization.
- Provide information security awareness, training and education to stakeholders (e.g., business process owners, users, information technology).
- Monitor, measure, analyze and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
- Ensure that noncompliance issues and other variances are resolved in a timely manner.
Incident Management and Response
Plan, develop and manage a capability to detect, respond to, and recover from information security incidents.
- Develop and implement processes for detecting, identifying, analyzing and responding to information security incidents.
- Establish escalation and communication processes and lines of authority.
- Develop plans to respond to and document information security incidents.
- Establish the capability to investigate information security incidents (e.g., forensics, evidence collection and preservation, log analysis, interviewing).
- Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
- Integrate information security incident response plans with the organization's Disaster Recovery (DR) and Business Continuity Plan (BCP).
- Organize, train and equip teams to respond to information security incidents.
- Periodically test and refine information security incident response plans.
- Manage the response to information security incidents.
- Conduct reviews to identify causes of information security incidents, develop corrective actions and reassess risk.