Management: Duties: What duties does the information protection lead have?
Option 1: The security lead can specify and verify, but not manage protection activities
Option A: The security lead chairs an executive security council.
Option B: The security lead has direct peer-to-peer contact with the heads of the areas of the enterprise.
Option C: The security lead is a member of an executive security council that includes executives from the areas.
Option S: The security lead can specify protection activities.
Option O: The security lead can operate protection activities.
Option E: The security lead can verify protection activities.
Basis: The Information Protection Lead (IP Lead) can specify and verify, but not manage/perform protection activities.
In many large enterprises, the IP Lead performs executive functions in specification and verification of the protection program but does not directly manage/perform any execution of protection functions. This is done by operations under the CIO.
The IP Lead can manage/perform protection activities, but not specify or verify
When the IP Lead works for the CIO, they are often put in a position of operating the protection program instead of specifying and verifying it. This generally means that the IP Lead is in too low a position for the job to get done properly; however, in smaller or immature enterprises, this may be the best way to bring the most knowledge to the protection program.
The IP Lead can mix combinations of management/performance and specification and verification, but not for the same item.
In some more mature enterprises, the IP Lead manages many elements of the business functions and assurance processes and only specifies and verifies the operational aspects that are not run by the IP Lead.
The IP Lead chairs an executive security council.
The IP Lead should chair an executive-level council that meets periodically, at least quarterly, with the top executive involved in each area where the IP Lead specifies how protection will operate. This is necessary to make certain that coordination is done properly and that power and influence issues are addressed.
The IP Lead has direct peer-to-peer contact with the heads of the areas of the enterprise.
The IP Lead is a member of an executive security council that includes executives from the areas.
The roles of the IP Lead are limited by requirements for separation of duties. In particular, any one individual who specifies, performs, and verifies any particular activity is essentially able to subvert that activity in its entirety. For that reason, any activity that is important enough to assure should be assured with separation of duties. Indeed, as risk goes up, more separation is reasonably applied. Thus the decision is about how to separate the duties of the IP Lead.
Specify: The IP Lead can specify protection
Perform: The IP Lead can perform protection
Verify: The IP Lead can verify protection