Fill in the following table, or the table resulting from the "CISO Duties" identified earlier.
| Type | Item | Power and Influence | Direct control | Right to Inspection | Analysis Capacity |
|---|---|---|---|---|---|
| Operations | Physical technical safeguards | | | | |
| Operations | Logical technical safeguards | | | | |
This generally means the ability to create and operate the group processes that generate policies and control standards in any appropriate arena.
The CISO should have the right to inspect protection process and procedure.
This implies uninhibited and unfettered access to information, including the people and systems containing that information, to the extent necessary to gather (but not alter) content and metadata. Generally, this access must be possible without the knowledge or consent of anyone operating the systems that control that content, so that investigations can be carried out and subversion of the measurement processes prevented.
The CISO should have the capacity to meaningfully analyze feedback in order to determine what actions to induce.
Adequate analytical capability includes both personal skills and knowledge in the context of the enterprise, and the availability of adequate resources in the form of external expertise, computational resources, and tools.
The CISO should have direct management control over protection functions.
While it is often inadvisable for the CISO to have direct control over operations, direct control of other aspects is common. This implies that the CISO has staff who work for them and over whom they have hiring and termination responsibilities, as well as all other related management control and power.
There is usually an individual in charge of the overall information protection program, and we will call that individual the Chief Information Security Officer (CISO). In order for the protection program to be effective, the CISO has to have (1) the power and influence within the enterprise to effectively control the protection program and process, (2) the information and access needed to find out what is going on within the enterprise, and (3) the knowledge and skills necessary to understand and apply the actuators effectively so that the process and program meet the duties to protect. Many enterprises have high cost plus loss because top management fails to (1) understand the role of the CISO, (2) place the CISO properly in governance, (3) provide adequate power and influence for the CISO, or (4) grant the CISO adequate access to information.