Information Security Manager

From IT frameworks



Job Description for the position of Information Security Manager

Information Security Management is a discipline in IT service management.

The role of Information Security Manager is to ensure the goals of the Information Security Management process are achieved. The main goal is to align IT security with business security, and ensure that information security is effectively managed in all service and IT Service Management activities.

Information Security Management ensures that the Confidentiality, Integrity and Availability (CIA) of an organization's assets, information, data and IT services is maintained.

The job

The Information Security Manager is a position within the scope of the Information Security Management ITILv3 process.

This document provides a good description of the position but is not complete for every organization. Adjust as necessary.

Position

  • The immediate senior is the Service Design Manager.
  • Immediate juniors are the Service Design Management staff triggering the Information Security Management process.
  • "Users" are all users of internal and external IT services.
  • "Customers" are users of IT services internally in the organization and external paying customers that use the company's IT Services.
  • "Suppliers" are parties defined by Service Design Supplier Management key process for each IT Service.

Production

Key Performance Indicators (KPIs)

  • Show me: The current group rights per service on offer to customers
  • Show me: An IT Security Policy newer than 3 months old
  • Show me: Confidentiality, Integrity & Availability headings in all present SLAs
  • Show me: Security policies for all SLAs

Metrics

  • Number of bypasses of the process
  • Number of security breaches
  • Number of incidents against the service
  • CIA levels compared to SLA agreements
  • Number of presently unmanaged security breaches
  • Number of outdated Information Security Plans
  • Percentage of staff familiar with the Information Security Plans at present
  • Number of external partners and suppliers with information access without contractual agreements and responsibilities

Responsibilities

The Information Security Manager is responsible for:

  • Tasks
    • Developing and maintaining the Information Security Policy
    • Developing and maintaining a supporting set of specific policies, ensuring appropriate authorization, commitment and endorsement from senior IT and business management
    • Communicating and publicizing the Information Security Policy to all appropriate parties
    • Identifying and classifying IT and information assets and the level of control and protection required
    • Assisting with Business Impact Analyses
    • Performing security risk analysis and risk management in conjunction with Availability and IT Service Continuity Management.
    • Designing security controls and developing security plans
    • Monitoring and managing all security breaches and handling security incidents, taking remedial action to prevent recurrence wherever possible
    • Promoting education and awareness of security
    • Performing security tests
    • Ensuring that the Confidentiality, Integrity and Availability of the services are maintained at the levels agreed in the SLAs and conform to all relevant statutory requirements
    • Ensuring that all access to services by external partners and suppliers is subject to contractual agreements and responsibilities
    • Acting as a focal point for all security issues
  • Personnel
    • Leading and supporting the Information Security Management team.
    • Motivating the employees you are responsible for and helping them thrive in a challenging work environment.
    • Understanding the full scope of the Information Security Management process.
    • Ensuring that all your co-workers in projects understand and follow all procedures they are involved with.
    • Ensuring any disagreements with employees have the opportunity to become RfCs.
  • Reporting
    • To Process Manager (To ensure optimal process interaction)
    • To Service Design Manager (To ensure Information Security issues are managed in relation to the Information Security Management process description)
    • To Service Owner (To improve all Information Security Management decisions)
    • To Service Design Management (For Information Security issues needing escalation)
    • To ITSG (To ensure all IT goals are aligned to business goals)

Authority

  • Service Design designs time scales (Information Security response and resolution targets within SLA).
  • Service Design designs Information Security Models with pre-defined activities. Any changes to these activities must be transitioned.
  • An escalation plan to the Service Design Manager must exist.

Resources

Internal resources

  • The Information Security Manager has internal resources available as defined by the organization for process owners.

External resources

  • The Information Security Manager has external resources as appropriate to ensure the fulfilment of the objectives of the Information Security Management process.

Qualifications

It is expected that the Information Security Manager has the competence required to manage the Information Security Management ITILv3 process.

It is expected that he/she constantly acquires the knowledge necessary to manage the Information Security Management ITILv3 process better over time, so that expectations continue to be met.

Advancement

As Information Security Manager you have the possibility to apply for positions as Service Design Manager and other key positions in the Design life cycle phase. You are also encouraged to apply for other positions in Application and Technical Management.
