Information security officer (also known as information system security officer, ISSO) is an important role in the risk management process. In fact, they are often the foot soldiers “charging the hill” during the entire risk management framework process (or sometimes, “ice skating uphill”).
The information system security officer role begins at the initiation phase of the System Development Life Cycle (SDLC). According to NIST SP 800-37, “The information system security officer is an individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and as such, works in close collaboration with the information system owner”. In the legacy DIACAP days this role was called Information Assurance Officer (IAO). The ISSO is appointed and managed by the Information System Security Manager (ISSM).
The information security officer is often expected to cover multiple security disciplines, including but not limited to technical, administrative and even physical security.
From a technical perspective, the ISSO can be tasked with continuous monitoring of threats, data loss prevention, and detecting and resolving vulnerabilities using tools like security information and event management (SIEM) systems, vulnerability scanners, and anti-virus servers. They may assist the system administrators in implementing required security patches. They may have to review code for security flaws, help with initial security architectures, conduct incident handling or any number of other technical security tasks.
The administrative “to do list” of an information security officer might include creating, editing or reviewing security policies. They may write standards, guidelines and best practices related to the security features of systems. Paperwork and policy in security require a LOT of meetings and coordination with other parts of an organization. The ISSO must be very good at dealing with technical subject matter experts and managers at every level, since they are often the one in the middle of everything.
Information security officers are sometimes in charge of making sure the physical security surrounding the information system is commensurate with the sensitivity of the information that needs to be protected. That means that if the information on the asset is classified, it may need MORE physical security than a system whose data is processed on a public-facing web server. To do this, the ISSO will have to work with facility managers, security guard services and even building developers (in some cases). They may also have to handle cryptographic security.
The overall job of the ISSO is to maintain the security posture and security baseline of the system. For this reason they often wear many hats.