Security and risk management: a fundamental business issue: all organizations must focus on the management issues of security, including organizational structures, skill sets, processes, and methodologies for managing security and risk management.


According to a report by The Computer Security Institute, 251 of the organizations polled lost $202 million in 2003 due to computer crime. While this loss rate is down from 2002, it is still significant, and many of the companies said they were not able to quantify their losses. International finance and operations executive Oscar Kolodzinski states, "most incidents of cybercrime go unreported because the individuals and businesses affected want to avoid the negative publicity." Experts therefore believe the real loss is probably greater than stated, and the stated figure includes only those losses that were recognized (whether reported or not).

According to Lawrence Gordon and Martin Loeb's article "The Economics of Information Security Investment," there is a void in the research on creating a framework for an economic model that establishes the appropriate investment in security programs. Gordon and Loeb say that most proposed methodologies favor too much spending on certain countermeasures. In "The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officer," Andre Liebenberg and Robert Hoyt note that there is also a dearth of research on enterprise risk management and cite several reasons for an integrated risk management program. If they were aware of it, this information would probably alarm chief executive officers (CEOs) and other leaders enough for them to order further studies.

Security and Risk Management

The American Dictionary of the English Language formally defines "risk" as "the possibility of suffering harm or loss; danger." "Management" is defined as "the practice of managing, handling, or controlling something." The definition of "security" is "freedom from risk or danger." With these terms formally defined, the blended definition roughly describes risk management and security as the practice of controlling and mitigating the amount of loss an organization will have to endure because of any adverse action or situation, whether intentionally or unintentionally initiated. This interrelationship between security and risk management should prompt a convergence that would then lead to a combined effort to address these issues in an integrated manner within an organization.

Organizations have to deal with managing risks as a regular part of conducting business. In the article "Security in Enterprise Systems," published in The ISSA Journal, P. Tippet says risk can be defined as "annualized loss expectancy" (the expected loss per occurrence multiplied by the expected number of occurrences per year). Liebenberg and Hoyt note that certain industries have created well-established risk management specialties to address specific types of risk. For instance, a bank may address credit risk with one group of experts, interest rate risk with another, and information risks with yet another group. Ultimately, the organization may have several disparate sub-groups (e.g., facilities, information technology, compliance, human resources), each managing risk by leveraging its own subject-matter experts. In this scenario, and in any similar situation, the organization will only be as strong as its weakest link.

A painful reality for most organizations is that staff are often more responsible than intruders for data and information loss. According to Ivan Arce and Elias Levy, the workstation offers the most opportunity for exposure in the information technology (IT) area. If an organization has placed updated antivirus and encryption software on the workstation, then it has implemented a single-dimensional level of effort, note S. Liu, J. Ormaner, and J. Sullivan in "A Practical Approach to Enterprise IT Security." If the single-dimension solution were to significantly improve the security of a single component (in this case, the desktop), then something else may become the new weakest link. Therefore, the weakest link may continually shift from the technology area to the physical area, to the human resources area, to the policy area, and so on. Arce and Levy also emphasize the temporal aspect of vulnerabilities. In particular, they suggest that the weakest link can shift from the desktop operating systems to the individuals operating them. The appropriate countermeasures, and the monetary investment in them, should therefore be determined at the highest level in the organization to ensure an effective overall security program. Without a high-level view, an organization may over-invest in areas that are not the weakest links.

The Chief Risk/Security Officer

This need for a centralized view of security has led to a worldwide rise in interest in the position of chief risk officer (CRO). In a Financial Director article, Elspeth Wales states that there are now more than 200 companies with a board-level CRO, primarily in the financial services sector, with the primary responsibility of integrating credit, market, operational, and economic risk within the organization. This new CRO position, also referred to as chief security officer (CSO), is still developing as the need to address the entire organization, or enterprise, gains attention. For instance, Liebenberg and Hoyt cite an organization's ability to improve both strategic and operational decision-making (especially in highly leveraged organizations), which leads to improved earnings, decreased costs, and lowered stock volatility, through the implementation of a formal enterprise risk management position. The CSO may report to the CEO, the chief financial officer (CFO), the chief legal executive, the chief operating officer (COO), or any other executive-level officer. This placement varies by industry and by the importance of security within a specific organization.

James Lam lists the following responsibilities for CROs:

* Provide overall leadership

* Establish an integrated framework

* Develop policies

* Implement metrics

* Allocate capital to business activities

* Develop training programs

* Develop support systems for the program

These responsibilities may fall directly on a single security officer within the security department.

Finally, the appointment of a high-level risk manager shows some shift from the normal defensive risk position to a more offensive and strategic position.

Discussion of security falls into two categories: high-level awareness and low-level technology solutions. The former category relates to the general understanding of security, executive-level strategy, regulations, and corresponding policies on security; the latter refers to tactical single-point technology solutions such as antivirus software and firewalls. Building a bridge between the two extremes is a challenge for CSOs. In an IT Pro article, "Post 9-11 Security: Few Changes, Business as Usual Rules," L. Paulson says this dilemma is further exacerbated because many middle managers have no incentive to raise awareness, as they fear that doing so might put their jobs at risk.

Paulson also points out that part of the communication challenge is related to the ironic state of affairs in that an effective security program is transparent to the organization. Ideally, a good security program protects corporate assets without hindering productivity or placing too much burden on employees or customers. The responsibility of communicating these ideals to the organization's top executives falls on the organization's senior security officer.

Communication skills are important for security officers because many security practitioners and researchers believe that an effective security program must start at the top of the organization. In the article "Five Dimensions of Information Security Awareness," Mikko Siponen states that awareness is the first dimension to be addressed, and that soliciting senior-level commitment from management and gaining clarity on the requirements and components is critical to success.

In their book, Principles and Practices of Information Security, Linda Volonino and Stephen Robinson echo Siponen's assertion that getting management's attention and commitment to embrace organizational risk management is the first step in addressing the security issue. In this scenario, Paulson says, an organization could embrace security as a core value, much like customer service, rather than merely as an adjunct support activity. With the support and commitment of senior management, the organization would be adequately prepared to build an organizational structure to facilitate the design and implementation of a robust security program. Top management may then make a strategic-level commitment to protecting customers' information.

In his 2003 CSO magazine article, Thornton May states that CSOs need to learn how to market their product in the same way that chief information officers (CIOs) sell technology-related projects. CIOs educate and align themselves with the business executives in a way that makes every technology project a business project. Using this thinking, May explains, security officers need to do the same. May says it is ironic that security officers cannot sell security-related projects at a time when security has garnered a significant amount of general awareness, further bolstered by the news media. In fact, the disconnect may be similar to the situation faced by IT leaders seven years ago concerning the Y2K issue, which was initially viewed as a technical issue, not a business issue; this led to ambiguous ownership and sponsorship of the problem. The Y2K effort improved measurably once the emphasis shifted to business. The CSO needs the skills to lead the transition from security projects to business projects. Given the importance of organizational knowledge for market leverage and competition, top managers should see the need to protect "leaky" knowledge sources.

According to S. Hazari's article "Reengineering an Information Security Course for Business Management Focus," educators are beginning to change security courses to expand this new holistic view of security to include topics such as encryption, physical security, risk analysis, and human compliance. In this scenario, Hazari notes that a security manager must be knowledgeable in a wide array of skills, which include technology, policy and legal matters, and softer skills such as communication and management. CSOs lacking business acumen will run the risk of being viewed as narrow, single contributors, which may ultimately limit the security program to a technical problem.

The evolution of a security manager beyond a single specific skill has similarities to other disciplines (technology and finance), which now commonly have a chief position within an organization. For instance, Carol Brown's article "The Successful CIO: Integrating Organizational and Individual Perspectives" asserts that the gradual shift from data processing manager (with a purely technical skill set) to CIO calls for forging partnerships across the organization and for more of a governing role than a dictating role. In his Research Technology Management article "The Chief Technology Officer: Strategic Responsibilities and Relationships," Roger Smith echoes this need for skills in business strategy as a leading success indicator for emerging CTOs.

Finally, the CFO role has gone "beyond bean counting," according to P. Favaro's Strategy and Leadership article. Favaro states that the role of the leader in finance has expanded from keeping tabs on the money to becoming a strategic member of the executive team and a visionary capable of communicating and providing a framework for financial governance within the organization.

These examples may serve as good indicators of what the CRO's role will evolve into over the next few years.

Security Standards and Methodologies

Even with the role of a CSO established, it is still challenging to integrate security within the organization's processes. For instance, in his Darwin Magazine article "Calculating an ROI for Data Security," Larry Ponemon says the interrelationships between the people, the IT infrastructure, and the business processes create the greatest challenge to understanding risk valuation. This is an extremely difficult task given the limited research on security issues within processes and work systems.

Fortunately, there are predefined methodologies for addressing the management of security. One comprehensive standard is ISO 17799, which offers a template for guiding an organization to a successful security program. (ISO 17799 has since been renumbered as ISO/IEC 27002; the ten control areas listed below are those of the 2000 edition of the standard.) In his article "ISO 17799: A Standard for Information Security Management," M. Hoffman writes, "improving information security is at the forefront of every IT decision-maker's mind. But tackling this task without a sound framework can be overwhelming. It doesn't have to be with ISO 17799."

In "The Unlikely Heroes of Cyber Security," ISO 17799 is praised because it helps security experts make professional, consistent assessments of organizations for insurance purposes. According to the article, "Some insurance providers regard ISO 17799 as the most important tool organizations have for meeting cyber insurance coverage requirements," and in almost all cases insurance companies require organizations to follow the ISO 17799 guidelines. It is hard to imagine that a resource as important as information, with massive amounts of it coursing through, into, and out of the organization, is so often treated in a cavalier manner, with coverage decisions focused on physical equipment rather than on the information itself.

Hoffman asserts that ISO 17799 calls for the following 10 security controls:

* Information security policy--helps management define what security means to the organization

* System access control--detects and prevents unauthorized access to information, computer areas, and mobile users

* System development and maintenance--ensures that controls are in place for every stage in the life cycle of an application

* Personnel security--emphasizes reducing exposure to human error as well as fraud, theft, and misuse of company property

* Physical and environmental security--addresses physical access to certain areas and items such as workstations

* Security organization--addresses the roles and responsibilities for key security personnel and any ongoing committees required to maintain the organization's security program

* Asset classification and control--ensures that the organization has the tools and practices to protect its assets

* Communications and operations management--focuses on the organization's operational procedures, change control, incident management, segregation of duties, capacity planning, etc.

* Business continuity management--includes building a business continuity plan, testing the plan, and building processes to ensure that it is maintained

* Compliance--ensures that the organization meets its regulatory requirements, does not violate any laws, and follows its internal policies

This established standard is invaluable to a CSO because it frames the security program in a universal manner. The CSO will probably need to customize the framework to match the individual needs of the organization, but the basic structure can remain the same. The CSO is the primary architect, and a well-designed security program will significantly improve the likelihood of a successful implementation effort, much the same way good technical architectures provide a foundation for successful application systems.

Organizational Synergy

Integrating security into the organization and hiring the best people is the most important part of building a security program, notes Mathew Schwartz in his article "Put a Good Security Staff in its Place." Schwartz says the CSO must present a cohesive view of the security program to the executives and must develop a security program that does not encourage organizational fiefdoms. Therefore, the CSO must prevent building organizational silos within the security department while implementing a security program. For instance, the security department would develop work requests for the various departments (e.g., IT, facilities) that are required to satisfy the security issue. In this way, the security department will focus on its expertise and source the other work to the appropriate areas.

Ponemon suggests five steps to prioritize security spending:

* Assessing vulnerabilities to the infrastructure

* Understanding the risks of regulatory non-compliance

* Understanding employee-related risks

* Determining the cost of business interruption

* Measuring compliance to the security program

Many of the steps require quantifying risk and valuating corporate assets, including intellectual property. The CSO may need to leverage the existing knowledge and structures within the finance department rather than build a new finance area in the security department, suggest D. Geer, K. Hoo, and A. Jaquith in their article "Information Security: Why the Future Belongs to the Quants."

The risk manager, with the help of other subject matter experts, will then need to quantify the threats and vulnerabilities. In their article "IT Security Is IT Risk Management," B. Blakley, D. Geer, and E. McDermott note that this process includes technology, processes, and physical mechanisms, and it should reduce the probability, as well as seek to minimize the magnitude of any adverse event. Research and experience also point to internal sources as a high-risk area (including mistakes and ignorance) and should not be ignored during this step, according to M. Whitman's article "Enemy at the Gate: Threats to Information Security." The CSO will need to establish roles and responsibilities as well as the terms of engagement among the security department and the other departments to manage these aspects of security effectively.

In addition to defining the security culture and facilitating the quantified risk formula, the CSO is charged with building the security policies. These policies should align with the organizational culture, which should be improved by the CSO's direct access to the CEO, assert T. Begley and D. Boyd in "Moving Corporate Culture Beyond the Executive Suite." Also, the policy must be legally sound and immaculately consistent in its writing and enforcement, according to F. Nah, K. Siau, and L. Teng's "Acceptable Internet Use Policy." This effort will require interaction with the legal department. Once completed and approved, the security program should be disseminated throughout the organization in an awareness phase that outlines employees' responsibilities and the mechanisms for reporting violations, note S. Liu, J. Ormaner, and J. Sullivan in their article "A Practical Approach to Enterprise IT Security." This heightened communication may leverage an existing corporate mechanism, such as human resources or corporate communications.

With this framework set, security-related matters should continue to follow the normal path that the organization uses for implementing initiatives. For instance, in "How to Improve Your IT Security Policy: A Six Sigma Approach," Karen Avery and Gary Lynch suggest bringing security into the organization's continuous improvement program to ensure the security program is assignable, executable, enforceable, and measurable. In other words, organizations should not treat security as an adjunct activity, but rather as an integrated part of their normal business. In this manner, an organization could add security into the project management methodology as a mandatory step rather than an afterthought at the end of a project. A continuous improvement methodology could be employed after the initial implementation to ensure the program stays current.

The Software Engineering Institute (SEI) recommends the following ongoing steps: identify, analyze, plan, track, and control, with communication as the common thread. In this case, according to J. Lanz, security could be analyzed along with availability, integrity, and maintainability. Similarly, the return on investment (ROI) phase of a project would be handled using the normal people and processes.

Calculating ROI on security projects is a subject unto itself, but the process of calculating ROI for the organization should be consistent with other efforts. Risk and security could also be introduced into the system development methodology to ensure risk is addressed during every phase of the effort, contends S. Maguire in "Identifying Risks During Information System Development: Managing the Process." Appropriate technology choices should follow the risk analysis and the policy, which should follow the appointment of a senior-level security officer.
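The following is an added worked example, not code from the article or from any of the works it cites. It ties together three points made above: Tippet's definition of risk as annualized loss expectancy (ALE), the argument that countermeasure spending should be decided at the top level so that money is not poured into what is no longer the weakest link, and the requirement that ROI for security projects be computed the same way as for any other project. The risk register, the dollar figures, the countermeasures and the fractions by which each is assumed to reduce an event rate are all constructed for illustration; the rule that several controls on one risk combine multiplicatively is likewise an assumption of this example, not something the article states.

```python
"""Annualized loss expectancy (ALE) and countermeasure prioritisation.

Added example. Every scenario, dollar amount and reduction fraction
below is a constructed assumption, not data from the article.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: dollars lost per occurrence
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        # Annualized loss expectancy, the article's working definition of risk.
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    # Assumed fraction by which the control cuts the ARO of each named risk.
    aro_reduction: Dict[str, float]


def apply(risks: Iterable[Risk], controls: Iterable[Countermeasure]) -> List[Risk]:
    """Residual risk register once the given controls are in place.

    Assumption: several controls on one risk combine multiplicatively,
    each removing a fraction of whatever event rate remains.
    """
    residual = []
    for r in risks:
        aro = r.aro
        for c in controls:
            aro *= 1.0 - c.aro_reduction.get(r.name, 0.0)
        residual.append(Risk(r.name, r.sle, aro))
    return residual


def total_ale(risks: Iterable[Risk]) -> float:
    return sum(r.ale for r in risks)


def weakest_link(risks: Iterable[Risk]) -> Risk:
    """The scenario carrying the largest annualized loss right now."""
    return max(risks, key=lambda r: r.ale)


def net_benefit(risks: List[Risk], control: Countermeasure) -> float:
    """ALE avoided by the control minus its annual cost, measured against
    the register passed in (so it is a marginal figure, not a fixed one)."""
    return total_ale(risks) - total_ale(apply(risks, [control])) - control.annual_cost


def rosi(risks: List[Risk], control: Countermeasure) -> float:
    """Return on security investment: net benefit per dollar of annual cost."""
    return net_benefit(risks, control) / control.annual_cost


def rank_countermeasures(risks: List[Risk], controls: Iterable[Countermeasure]
                         ) -> List[Tuple[Countermeasure, float]]:
    scored = [(c, net_benefit(risks, c)) for c in controls]
    return sorted(scored, key=lambda cn: cn[1], reverse=True)


def greedy_plan(risks: List[Risk], controls: Iterable[Countermeasure], budget: float
                ) -> Tuple[List[Countermeasure], List[Risk]]:
    """Pick controls one at a time by marginal net benefit until nothing with
    a positive marginal benefit fits the remaining budget.

    Re-scoring after every pick is the point: once the top risk has been
    treated, a second control aimed at it is worth less, and the weakest
    link moves somewhere else.
    """
    chosen: List[Countermeasure] = []
    remaining = list(risks)
    pool = list(controls)
    while True:
        candidates = [(c, net_benefit(remaining, c)) for c in pool if c.annual_cost <= budget]
        candidates = [(c, n) for c, n in candidates if n > 0]
        if not candidates:
            return chosen, remaining
        best, _ = max(candidates, key=lambda cn: cn[1])
        chosen.append(best)
        pool.remove(best)
        budget -= best.annual_cost
        remaining = apply(remaining, [best])


# Constructed register and control catalogue (assumptions, not article data).
RISKS = [
    Risk("desktop malware", sle=20_000, aro=4.0),
    Risk("phishing credential theft", sle=50_000, aro=1.0),
    Risk("lost laptop with customer data", sle=30_000, aro=1.5),
    Risk("data centre outage", sle=250_000, aro=0.1),
]
CONTROLS = [
    Countermeasure("endpoint AV refresh", 15_000, {"desktop malware": 0.5}),
    Countermeasure("user awareness training", 10_000,
                   {"desktop malware": 0.5, "phishing credential theft": 0.4}),
    Countermeasure("full-disk encryption", 12_000, {"lost laptop with customer data": 0.9}),
    Countermeasure("second data centre", 120_000, {"data centre outage": 0.8}),
]

if __name__ == "__main__":
    print("total ALE:", total_ale(RISKS), "weakest link:", weakest_link(RISKS).name)
    for c, n in rank_countermeasures(RISKS, CONTROLS):
        print(f"{c.name:28s} net benefit {n:>10,.0f}  ROSI {rosi(RISKS, c):.2f}")
    plan, residual = greedy_plan(RISKS, CONTROLS, budget=40_000)
    print("plan:", [c.name for c in plan])
    print("residual ALE:", total_ale(residual), "new weakest link:", weakest_link(residual).name)
```

With these constructed figures the register starts at $200,000 of ALE with desktop malware as the weakest link, yet the best single investment is awareness training, because it touches two scenarios at once. After the budgeted plan is applied the largest residual loss sits with phishing, not the desktop: the point the article makes about the weakest link shifting after a single-dimension fix. The expensive second data centre never enters the plan because its ALE avoided is far below its cost, which is exactly the over-investment the high-level view is meant to catch.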

The specific methods and technologies used are not the most important factors in successful risk management. Rather, success is driven by business needs, and successful implementation should leverage the existing processes and expertise within the organizational structure to ensure a consistent, sustainable, and enterprise-wide solution. Things that also must be addressed include details of the policy, the asset valuation (acknowledging the difficulty with intangible items), IT production procedures, and the technology applied to mitigate the threats and vulnerabilities.

It may be time to stop treating security and risk management as separate activities that cannot be integrated into any current organizational structures. Research shows that the best solution calls for a primary sponsor and owner (CRO or CSO) to lead the organization with business savvy and general governance while blending with the culture and operating environment. This structure and integrated implementation methodology would lead to a process-oriented solution versus a silo-based, task-oriented approach. The latter relies on the individual efforts of a few security professionals and creates duplication and possible gaps in the overall organizational work system. By integrating security and risk management into the organization and its ongoing processes, these important functions will become a way of doing business.

References

Arce, Ivan and Elias Levy. "The Weakest Link Revisited." IEEE Computer Society. March/April 2003.

Avery, Karen and Gary Lynch. "How to Improve Your IT Security Policy: A Six Sigma Approach." CXO Media Inc. 2002. Available at www.cioinsight.com/article2/0,3959,1217371,00.asp (accessed 29 April 2004).

Begley, T. and D. Boyd. "Moving Corporate Culture Beyond the Executive Suite." Corporate Governance. 2002.

Blakley, B., D. Geer, and E. McDermott. "IT Security is IT Risk Management." NSPW'01. September 2002.

Brown, Carol. "The Successful CIO: Integrating Organizational and Individual Perspectives." Association for Computing Machinery. 1993.

"Cyber Attacks Continue, but Financial Losses Are Down." Computer Security Institute. 2003. Available at www.gocsi.com/awareness/fbi.jhtml (accessed 29 April 2004).

Favaro, P. "Beyond Bean Counting: the CFO's Expanding Role." Strategy and Leadership. September/October 2001.

Geer, D., K. Hoo, and A. Jaquith. "Information Security: Why the Future Belongs to the Quants." IEEE Security and Privacy. July/August 2003.

Gordon, Lawrence, and Martin Loeb. "The Economics of Information Security Investment." ACM Transactions on Information and Systems Security. November 2002.

Groves, Shanna. "The Unlikely Heroes of Cyber Security." The Information Management Journal 37. May/June 2003.

Hazari, S. "Reengineering an Information Security Course for Business Management Focus." Journal of Information Systems Education 13. 2002.

Hoffman, M. "ISO 17799: A Standard for Information Security Management." The Info-Tech Research Group. 2003.

Kolodzinski, Oscar. "Cyber-Insurance Issues: Managing Risk by Tying Network Security to Business Goals." The CPA Journal. November 2002.

Lam, James. "Enterprise-wide Risk Management and the Role of the Chief Risk Officer." ERisk. 2000. Available at www.erisk.com/Learning/Research/011_lamriskoff.pdf (accessed 28 April 2004).

Lanz, J. "Worst Information Technology Practices in Small to Mid-Size Organizations." The CPA Journal. April 2002.

Liebenberg, Andre and Robert Hoyt. "The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officer." Risk Management and Insurance Review 6. Spring 2003.

Liu, S., J. Ormaner, and J. Sullivan. "A Practical Approach to Enterprise IT Security." IT Pro. September/October 2001.

May, Thornton. "Why Security Needs to Blow Its Own Horn." CSO. June 2003. Available at www.csoonline.com/read/060103/horn.html (accessed 28 April 2004).

Maguire, S. "Identifying Risks During Information System Development: Managing the Process." Information Management and Computer Security. 2002.

Nah, F., K. Siau, and L. Teng. "Acceptable Internet Use Policy." Communications of the ACM 45. January 2002.

Paulson, L. "Post 9-11 Security: Few Changes, Business as Usual Rules." IT Pro. July/August 2002.

Ponemon, Larry. "Calculating an ROI for Data Security." Darwin Magazine. 2003. Available at www.darwinmag.com/Read/090103/secureroi.html (accessed 28 April 2004).

Robinson, Stephen and Linda Volonino. Principles and Practices of Information Security. Upper Saddle River, N.J.: Pearson Prentice Hall, 2004.

Schwartz, Mathew. "Put a Good Security Staff in its Place." 101 Communications LLC. 2002. Available at www.esj.com/Columns/article.asp?EditorialsID=62 (accessed 28 April 2004).

Siponen, Mikko. "Five Dimensions of Information Security Awareness." Computers and Society. June 2001.

Smith, Roger. "The Chief Technology Officer: Strategic Responsibilities and Relationships." Research Technology Management 46. July/August 2003.

Tippet, P. "Security in Enterprise Systems." The ISSA Journal. August 2003.

Wales, Elspeth. "Rise of the Chief Risk Officer." Financial Director. 2002. Available at http://financialdirector.co.uk/Features/1128771 (accessed 28 April 2004).

Whitman, M. "Enemy at the Gate: Threats to Information Security." Communications of the ACM 46. August 2003.

At the Core

This article

* clarifies the challenge of managing risk in organizations

* provides an organizational framework for successfully managing risk

* describes the evolving role of a chief security officer

* recommends an integrated approach to security using existing methodologies

Arthur C. McAdams, Adjunct Professor at Fairfield University in Fairfield, Connecticut, is a strategic architect, general manager, educator, and author with experience working in large corporations, small businesses, and academia. He also worked as the Chief Information Officer for Strategic Security Computing in Bridgeport, Connecticut. He may be contacted at amcadams@stagweb.fairfield.edu.
COPYRIGHT 2004 Association of Records Managers & Administrators (ARMA)


Article Details
Author: McAdams, Arthur C.
Publication: Information Management Journal
Date: Jul 1, 2004