Terms of Ref for CISO's role/function, reporting/jurisdiction

sunhux asked:
Our local CyberSecurity Agency has come out with a directive:
• Review internal structure to ensure C-Suite has oversight of cybersecurity risks as part of enterprise risk management
• Ensure security team has direct line to C-Suite

An EE expert has provided the CISO handbook below, but I'll need more "Terms of Ref" that will cover a
CISO's "Scope of Work (& what is out of scope)", "Authority", and the need for "impartiality/independence":
currently all risk-related roles come under the CFO, but the CFO's KPI is on cost control, and one
link says this is inappropriate as the CISO may need to spend on compliance, manpower,
tools, services, etc.

Extract from EE:
"In most cases, the agency's internal policies delegate management of the agency's information to the Chief Information Officer (CIO). Under FISMA, the CIO may then delegate tasks related to information security to the senior agency information security officer (often referred to as CISO).
There is more information on reporting requirements specific to agency responsibility and how these key stakeholders are involved."

The above link gives various suggestions, but I will need something authoritative, like an
ISO standard, to further support what the CyberSecurity Agency has provided above.

Statistics in Deloitte and Ernst & Young papers show most sites still adopt the model of
the CISO reporting under the CIO:
btan, Exec Consultant, Distinguished Expert 2018:
I suggest you look at the compliance R&R for a CISO; it should not be new, especially if this is from a public sector perspective. It has compliance implications. But specifically you should also be asking why the advisory would be saying security is to report to the C-Suite - primarily it is for transparent and timely updates on cybersecurity-related matters that may have an impact on the organisation.

The CISO role serves as the single point of contact and would be a member of the steering committee chaired (typically) by the CIO. There can be more, but the upward reporting will be more for the CIO onwards. I see the gap is who is going to provide the CISO the information - the security team? And if so, how would the team be reporting to the CISO, and would there be a second line of single point of contact for a large organisation that takes charge of the security team? These are worthy roles to establish - and only if we know the objective and outcome will the TOR make more practical sense - and in fact, such a reporting structure to the CISO is just to say that if there is any security matter, there is one person who has full oversight and is responsible.

But in a generic sense for the CISO (or the equivalent role in a bigger organisation for the security divisions), I would also take reference to ISO 27001. Ultimately, compliance and a basic hygiene scorecard are areas on which the CISO minimally has to advise the organisation and recommend areas of improvement to reduce gaps and weaknesses.
CISO responsibilities are quite numerous, and this person is involved in several very different areas of your company.

The larger the company, the more difficult it becomes to remember all these responsibilities, so depending on the size of your organization, you should produce one or several documents where you describe those. Some companies tend to list all the responsibilities of the CISO in a single document, which I personally don't find very useful - this is because it is difficult to understand someone's role without seeing the process it is part of.
I am not sure if this can help, but you can take away that the main job of the CISO should be:
- Developing a risk-based security culture and not being compliance-centric only. Strike a balance between usability and security.
- Understanding the underlying principles of the business objective and aligning the security budget and initiatives to achieve greater security ROI.
- Establishing business activities to work towards the RIGHT security and developing a security tech stack as a set of common security services to address current and new risks.

Security should not always be a cyber rat chase. Being proactive is key, and I see this reporting is to make sure the chain of communication through the CISO would glue the channels - and so the key is to educate the source (end user) to be vigilant and make the necessary reporting.
Apologies, I digress.


sunhux: OK, thanks.

One more question:
Is it IT Security's function to front all IT audits (incl. IT Applications) besides IT Security-related ones, own all IT audit findings and coordinate with the respective teams to close them?
Exec Consultant, Distinguished Expert 2018:
Yes and No.

Yes, in that all IT security audit findings need to seek the security team's input and help to advise on the mitigation aspect. The CISO should share a plan for improvement in terms of systemic issues surfaced, especially repeated ones.

No, in that there would be an internal IT audit group to help front the checks together with the affected project team. Primarily, the IT audit team advises the project team on the relevance and appropriateness of the evidence shown. They can also gatekeep what the checks should practically be looking out for and not go beyond what is necessary. E.g. whether the logs asked for are an application's successful and failed attempts depends on whether the system has its own application running or leverages a common service; the audit target may differ.
