
Chapter 1: Introduction
Chapter 2: Justification
Summary of Reasons to Establish Clear Roles & Responsibilities
Chapter 3: Persuasion
Memo To Management
Chapter 4: Preparation
Chapter 5: Modification
Chapter 6: Documentation
Chapter 7: Review and Approval
Chapter 8: Required Resources
Chapter 9: Time Estimates
Chapter 10: Current Documents
Information Security Department and Other Department Missions
Information Security Staff and Other Staff Job Descriptions
Information Security Department Reporting Relationships Diagram
Information Security Awareness Pamphlet
Information Security Awareness Reminder Memos
Information Security Policy Manual
Information Security Standards Document
Information Security Architecture Document
Information Security Action Plan
Information Security Forms
Systems Administration Procedures Manual
Risk Acceptance Memos
Information Systems Contingency Planning Manual
Organizational Code of Conduct
Standard Operating Procedures (SOP) Manual
Systems Development Process Manual
Application System Requirements Documents
User and Computer Operations Application Manuals
Records Management Policies and Procedures Manual
Worker Performance Reviews
Systems Usage Responsibility Agreements
Outsourcing and Consulting Agreements
Confidentiality and Non-Compete Agreements
Human Resources Manual
Physical Security Pamphlet
Chapter 11: Mission Statements
Information Security Department
Physical (Industrial) Security Department
Internal Audit Department
EDP Audit Unit
Ethics and Compliance Unit
External Auditing Firm
Records Management Department
Information Technology Department
Help Desk Unit
Network Operations Unit
Computer Operations Unit
Systems Administration Unit
Database Administration Unit
Data Administration Unit
Insurance and Risk Management Department
Contingency Planning Unit
Computer Emergency Response Team
Legal Department
Human Resources Department
Information Security Management Committee
Information Technology Steering Committee
Board of Directors - Audit Committee
Internal Control Committee
Facilities Management Outsourcing Firm
Chapter 12: Job Descriptions
Information Security Department Manager
Access Control System Administrator
Internal Information Security Consultant
Information Security Engineer
Information Security Documentation Specialist
Information Systems Contingency Planner
Local Information Security Coordinator
Chief Information Officer
Information Systems Analyst/Business Analyst
Systems Programmer
Business Applications Programmer
Computer Operations Manager
Computer Operator
Information Systems Quality Assurance Analyst
Help Desk Associate
Archives Manager/Records Manager
Telecommunications Manager
Systems Administrator/Network Administrator
Web Site Administrator/Commerce Site Administrator
Database Administrator
Data Administration Manager
Physical Security Department Manager
Physical Asset Protection Specialist
Building and Facilities Guard
Office Maintenance Worker
Internal Audit Department Manager
EDP Auditor
Internal Intellectual Property Attorney
Human Resources Department Manager
Human Resources Consultant
Receptionist
Outsourcing Contract Administrator
In-House Trainer
Insurance and Risk Management Department Manager
Insurance and Risk Management Analyst
Business Contingency Planner
Public Relations Manager
Chief Financial Officer
Purchasing Agent
Chief Executive Officer
Chapter 13: Reporting Relationships
Option 1: Information Technology
Option 2: Security
Option 3: Administrative Services
Option 4: Insurance & Risk Management
Option 5: Strategy & Planning
Option 6: Legal
Option 7: Internal Audit
Option 8: Help Desk
Option 9: Accounting & Finance through I.T.
Option 10: Human Resources
Option 11: Facilities Management
Option 12: Operations
Summary
Chapter 14: Customization Factors
Local Laws and Regulations
Industry Category
Criticality to the Business
Line or Staff Organizational Culture
Scope of Information Security Function
Information Security Effort Sophistication
Size of Organization
Outsourcing
Intended Audience
Separation of Duties
Cross-Training and Backup
Formatting
Chapter 15: Ownership
Owners
Custodians
Users
Summary
Chapter 16: Product Vendors
Chapter 17: Outsourcing Firms
Chapter 18: Smaller Organizations
Chapter 19: Organizational Structure
A Few Critical Distinctions
Why Centralized Information Security Management Is Advisable
Resolving a Variety of Implementation Issues
Chapter 20: Common Mistakes
Management Has Not Been Sensitized to Information Security Risks
No Executive Sponsor for Information Security Has Been Arranged
Sufficient Management Approvals Were Not Obtained
Positioning of Information Security Conflicts with Organizational Objectives
Top Management Believes Its Duty Is Discharged by Appointing Someone
Accountability Does Not Match Responsibility
Staff Assumes Revenue Producing Activities Overshadow Information Security
Management Says Everybody Is Responsible
Staff Takes a Reactive Approach to Information Security
Management Relies on Voluntary Information Security Cooperation
Contribution Made by Information Security Is Not Regularly Reinforced
Management Does Not Reinforce New Roles and Responsibilities
Major Projects Are Initiated Before Roles and Responsibilities Are Defined
Scope of Information Security Duties Is Too Narrowly Defined
Scope of Information Security Duties Is Too Loosely Defined
Inappropriate Person Prepares Roles and Responsibilities Documents
Time Required to Get Top Management Approval Is Underestimated
Roles and Responsibilities Are Not Periodically Updated
Staff Performance Reviews Do Not Include Information Security
No Disciplinary Process Exists
No Compliance Checking Process Exists
No Clear Problem Reporting Process Exists
Appendix A: Staffing Levels
Information Security Staffing: Calculating the Standard of Due Care
Appendix B: Personal Qualifications
Excellent Communication Skills
Ability to Resolve Conflicts Between Security and Business Objectives
Ability to See the Big Picture
Basic Familiarity with Information Security Technology
Commitment to Staying on Top of the Technology
Familiarity with Information Security Management
Tolerance for Ambiguity and Uncertainty
Ability to Manage Many Important Projects Simultaneously
Ability to Work Independently
A Certain Amount of Polish
Appendix C: Performance Criteria
Information Security Department Metrics
Individual Worker Metrics
Appendix D: Professional Certifications
CISSP
CISA
CBCP
CCP
CSM
GCIA
CFE
CPP
CIA
Appendix E: Responsibility and Liability
Sample User Agreement
About the Author
Sources and References
CD-ROM Files
Feedback
Roles & Responsibilities Process Integration
Index
Appendices
1. Statistical Study On Customary Staffing Levels
2. Personality Characteristics Of An Effective Information Security Manager
3. Criteria For Evaluating The Performance Of Information Security
4. Relevant Professional Certifications And What They Mean
5. Management Responsibility And Legal Liability
6. Author's Biographical Sketch
7. Selected Sources & References
8. Suggestion Form Soliciting Input To The Next Edition Of This Book
9. Computer Files Provided And Their Contents
10. Diagram Of Roles & Responsibilities Definition Process