Our local CyberSecurity Agency has come out with a directive:
• Review internal structure to ensure C-Suite has oversight of cybersecurity risks as part of enterprise risk management
• Ensure security team has direct line to C-Suite
An EE expert has provided the CISO handbook below, but I'll need more "Terms of Reference" that will cover a
CISO's "Scope of Work (& what is out of scope)", "Authority", and the need for "impartiality/independence".
Currently all risk-related roles come under the CFO, but the CFO's KPI is on cost control, and one
link says this is inappropriate as the CISO may need to spend on compliance, manpower,
tools, services, etc.
Extract from EE:
"In most cases, the agency’s internal policies delegate management of the agency’s information to the Chief Information Officer (CIO). Under FISMA, the CIO may then delegate tasks related to information security to the senior agency information security officer (often referred to as CISO)."
There is more information on reporting requirements specific to agency responsibility and how these key stakeholders are involved.
The above link gives various suggestions, but I will need something authoritative like
an ISO standard to further support what the CyberSecurity Agency has provided above.
Statistics in Deloitte and Ernst & Young papers show that most sites still adopt the model of
the CISO reporting to the CIO: