Page 58 - CISSO_Prep_ Guide
Local Managers
Security is everyone's business, but a critical factor in creating a culture of information protection and in enforcing security principles is the role of the local managers. Local managers have the day-to-day interaction with their staff. They are in the best position to notice any security issues and to remind everyone of the requirement to follow security procedures.

Following security procedures must be seen as an absolute, mandatory requirement - not merely a suggestion or an optional activity. Local managers are the people in the best position to enforce this. However, most local managers see themselves only as business representatives and focus on their functional role in business activities. They frequently see security as the responsibility of another department and perceive the security group as "friendly enemies" that are more interested in stupid rules and procedures than in supporting their department's requirements. This is an attitude that needs to change. Local managers are accountable when a security violation occurs because a user in their department was allowed to ignore security procedures.

In the end, the local manager is one of the most important members of the security team and therefore needs to understand the role of security, and the reasons for it, in their area of responsibility. More and more organizations are moving in the direction of continuous auditing and control self-assessment. These approaches require the local manager to be more involved in designing, monitoring, and reporting on security controls and in measuring the effectiveness of those controls. The security team also needs to work with the local managers to ensure that the security procedures and policies are reasonable, up to date, and relevant.