CHAPTER 63

MANAGEMENT RESPONSIBILITIES AND LIABILITIES

Carl Hallberg, M. E. Kabay, Bridgitt Robertson, and Arthur E. Hutt

63.1 INTRODUCTION

63.1.1 Role of Management

63.1.2 CISO

63.1.3 Information Security Integrating into Strategic Vision

63.1.4 Net Present Value of Information Security

63.1.5 Case Study: Veterans Affairs

63.2 RESPONSIBILITIES

63.2.1 Policy Management

63.2.2 Motivation

63.2.3 Supervision

63.2.4 Judgment and Adaptation

63.2.5 Management Failures

63.2.6 Risk Management

63.3 LIABILITIES

63.3.1 Stakeholders

63.3.2 Due Diligence of Care

63.3.3 Downstream Liability

63.3.4 Audits

63.4 COMPUTER MANAGEMENT FUNCTIONS

63.4.1 Planning for Computer Security

63.4.2 Organizing

63.4.3 Integrating

63.4.4 Controlling

63.5 SECURITY ADMINISTRATION

63.5.1 Staffing the Security Function

63.5.2 Authority and Responsibility

63.5.3 Professional Accreditation and Education

63.6 CONCLUDING REMARKS

63.7 FURTHER READING

63.8 NOTES

63.1 INTRODUCTION.

This chapter reviews the critical roles of management in establishing, implementing, and maintaining information security policies in the modern enterprise. It also reviews some of the risks to management personnel in failing to ensure adequate standards of information security.¹

63.1.1 Role of Management.

Organizations are unequally affected by the risk of loss. In certain government computer installations, matters of national security are at stake, and the measures required to protect such facilities are elaborate and costly. At the other end ...