Organizing/Categorizing functions related to Information Security in the enterprise

Mesfer Dahash
Hi,

How can I categorize?
How can I organize?
How can I group the information security functions/tasks or responsibilities?

At the moment in my organization, there are three departments relevant to information security, belonging to the IT sector:
1- Security Operation technical Systems (firewall, AntiVirus, Mail security, PenTest, Patch Management)
2- Business Continuity (IT services continuity, BCM, BIA, ISO22301)
3- IT Governance (ITIL, Policies and Procedures, ISO27001, Auditing)

Top management directed me to create a new department outside the IT sector which reports to the CEO directly; the name will be Cyber Security, and it is intended to be independent in order to ensure that information security matters are fine and work properly and adequately.
What roles (functions) should be handled by this new department, Cyber Security?
In other words, what are the tasks that have to be moved from the three sections (above) to the new department?

Typically, what are all the information security functions (areas) that any enterprise has to ensure are covered and in place? Then I can organize and match every function to the relevant section of the four:
1- Cyber Security section (outside IT sector)
2- IT Governance section (inside IT sector)
3- IT Security Operation (inside IT sector)
4- Business Continuity section (inside IT sector)

Hope my issue is clear :)
btan, Exec Consultant
Distinguished Expert 2018

An organization's cybersecurity team has an individual (e.g., a CSO) who has overall responsibility for implementing an organization's cybersecurity program, and who is the team's coordination point.  

This person is responsible for ensuring compliance with security policies and communicating cybersecurity program results to senior management. In other words, the CSO or CISO will be responsible for reporting to the CIO or CEO. Typically, it is to the CIO, though this person would have reach to the CEO too.

(A) Strategic Approach

There should also be a cybersecurity advisory group, composed of senior executives, that is responsible for advising the CSO about the organization's risk tolerance and ensuring that key cybersecurity program objectives are met.

At a minimum, the following four separate functions should report to the CSO:

1. Infrastructure security: Responsible for ensuring the security of the organization's technical infrastructure (e.g., servers, networks).

This person or team may or may not directly control the staff that performs the work (e.g., firewall administrators may report to a network team), but, regardless of who performs the work, infrastructure security should coordinate all the appropriate staff to ensure the work is done correctly and promptly.

2. Data security: Responsible for ensuring the security of the organization's data and applications.

As with infrastructure security, this person or team may or may not control the staff that performs the work; data security needs to coordinate all the appropriate staff. In particular, this person or team must work closely with application developers to ensure new applications are secure before they are put into production.

3. Security testing: Responsible for regularly testing an organization's security controls (e.g., penetration tests, vulnerability assessments).

This person or team is responsible for working with the appropriate staff to mitigate all the discovered significant vulnerabilities.

4. Security architecture: Responsible for verifying that the appropriate security controls are in place to protect an organization's sensitive data and information systems.

From a big picture perspective, this person or team focuses on ensuring that all the security controls are complementary.

(B) Tactical Approach

Your organization's cybersecurity team should be based on the following continuous improvement principles:

1. Plan and organize: Perform a risk assessment, develop security architectures and obtain management approval.

2. Implement: Develop and implement security policies, standards and procedures. Implement cybersecurity programs (e.g., change control, identity management) to comply with security policies. Implement auditing and monitoring for each program. Establish goals and metrics for each program.

3. Operate and maintain: Follow cybersecurity program procedures and tasks. Perform internal and external audits. As appropriate, manage program service-level agreements.

4. Monitor and evaluate: Review logs and audit results and metrics for each program. Assess the accomplishment of program goals.

(C) Operational Approach

You can also consider operationalising a framework that proposes structuring a cybersecurity team around four key functions.

1. Protect, shield, defend and prevent: Proactively protect, shield and defend an organization from cyber threats and prevent cybersecurity incidents.

2. Monitor, detect and hunt: Monitor ongoing operations and actively hunt for and detect adversaries.

3. Respond, recover and sustain: Minimize the impact of cybersecurity incidents and return assets to normal operations as quickly as possible.

4. Govern, manage, comply, educate and manage risk: Provide oversight, management, performance measurement and improvement for all the cybersecurity activities. Ensure compliance with all the external and internal requirements and appropriately mitigate risk.


Thanks for the reply.
That was helpful.

>>> How can I categorize?
How can I organize?
How can I group the information security functions/tasks or responsibilities? <<<

To ensure your security requirements are comprehensive, follow a structured process to identify them. You could use the SQUARE method (developed by SEI, Carnegie Mellon University), which outlines steps to elicit and prioritize security requirements in the early stages of a project.
1. Agree on definitions.
2. Identify security goals.
3. Develop artifacts to support security requirements definitions.
4. Assess risks.
5. Select elicitation technique(s).
6. Elicit security requirements.
7. Categorize requirements.
8. Prioritize requirements.
9. Inspect requirements.

Check also some of the international standards or frameworks, such as ISO, IEC, ITU, NIST, ISA, SEI, SABSA, etc.; they can be used to define the baseline, goals, and methods used to secure the business.

• NIST 800-30 Risk Management/Assessments
• NIST 800-34 Contingency Planning
• NIST 800-37 Risk Management Framework
• NIST 800-40 Creating a Patch and Vulnerability Management Program
• NIST 800-47 Security Guide for Interconnecting IT Systems
• NIST 800-48 Guide to Securing Legacy IEEE 802.11 Wireless Networks
• NIST 800-50 Building an IT Security Awareness and Training Program
• NIST 800-53 Security and Privacy Controls for Federal Information Systems
• NIST 800-60 Guide for Mapping Types of Information and Information
• NIST 800-61 Computer Security Incident Handling
• NIST 800-63 Electronic Authentication
• NIST 800-64 Security Considerations in SDLC
• NIST 800-82 Guide to Industrial Control Systems (ICS) Security
• NIST 800-83 Guide to Malware Incident Prevention and Handling
• NIST 800-86 Guide to Integrating Forensic Techniques into Incident Response
• NIST 800-88 Media Sanitization
• NIST 800-115 IS Security Testing and Assessment
• NIST 800-119 Guidelines for Secure Deployment of IPv6
• NIST 800-122 Protect PII
• NIST 800-137 Information Security Continuous Monitoring (ISCM)
• NIST 800-145 Cloud computing
