ABSTRACT

The guidebook starts with the structure of information protection within an enterprise and gives an outline of what a comprehensive information protection program looks like. This includes how the business works, how oversight is done and by whom, how risk management operates and where it fits in, how the CISO function fits into business structures, control architecture, and how that architecture drives technical security architecture, protection processes, and protective measures. It goes on to characterize the CISO’s position with respect to others in management and to budgets, how the protection process is funded, and how the appeals and enforcement process leads to an overall control system. Finally, it reviews how long it takes to make the sorts of changes associated with the CISO function in an enterprise.