ABSTRACT

This chapter shows that reporting models provide the thought process for developing a structure that supports the strategy. There are functions the Chief Information Security Officer (CISO) needs to ensure are performed somewhere within the organization; while they may not initially report to the CISO, the CISO can build the team with a vision of growing it to add these functions. The purpose of the risk assessment is to determine what the adequate level of controls needs to be. The six security functions that support the "assessing risk and determining needs" activity in the model are risk assessment and analysis, systems security plan development, internal and external penetration testing, privacy, cyber insurance, and third-party vendor risk management. The goal of security architecture is to define a set of compatible products and processes that support the security controls necessary to mitigate the risks discovered in the risk assessment.