BANGALORE, INDIA: Yes. Why not? Who else is responsible when there is a breach in security? Who else can be held accountable when valuable information assets are leaked. Yes, the organization has a Chief Information Security Officer, but the ultimate responsibility is of the CIO.

Wrong. Information Systems Security is the responsibility of the management. Information Systems Security is the responsibility of the Board of Directors who are ultimately responsible to the shareholders, the employees and the regulators.

The management should demonstrate its commitment to Information Systems Security in the form of an independent department dedicated to security and ultimately responsible to the CIO and the Board. There should be an Information Systems Security committee comprising of senior officials to deliberate on security issues. The committee should meet regularly, preferably once in a month, to discuss various issues related to security, breach of security if any and submit its report to the management and the board. There should be a response team, which should plug the holes, the moment a breach or threat is detected.

Threats to information security are pervasive originating both outside and within the organization. The history of computer security is a series of emerging threats followed by responses of new safeguards, which are in turn followed by a new set of threats that circumvent those safeguards. The appropriate response to these threats is a unified approach to security management that uses the broad base of anti-virus, Host based and Network based IDS/IPS, Content Filtering software, Firewalls and UTM in conjunction with well defined security policies. Regular penetration testing and vulnerability assessment by an independent firm will lead to early detection of loopholes.

As they say, prevention is better than cure. The CIO and CISO deserve as much a peaceful sleep in the night as do the others.