Information Security Strategy The world of information technology (IT) has evolved tremendously in the last few decades. Today, IT systems permeate virtually every aspect of work in the organizational setting – from strategic planning functions to administrative and operational functions such as human resource management, payroll management, project management, procurement, customer relationship management, and financial management. These systems have enabled organizations undertake a wide variety of tasks with far greater ease, effectiveness, and efficiency than ever witnessed. Nonetheless, with more dependence on IT systems, organizations increasingly face a significant problem – information security (Andress, 2011). Against the backdrop of growing incidents of hacking and other cyber crimes, protecting information has become a top priority for organizations – small and large – in diverse sectors and industries (Vacca, 2013). Indeed, information security has been identified as a key ingredient of organizational success in the 21st century. Recent incidents of cyber crime – e.g. the Equifax data breach (July 2017), the WannaCry ransomware (May 2017), the JPMorgan Chase Bank hacking incident (2014), the eBay data breach (2014), and the Sony PlayStation Network hacking incident (2011) – are perfect reminders of the severe consequences information security failures can have on organizations.

It is imperative for an organization to have a robust information security strategy. Any prudent organization cannot afford to be casual when it comes to information security. This is particularly because cyber criminals are employing more and more cunning ways to gain unauthorized access to data (Whitman & Mattord, 2017). This means that organizations must also use more ingenious information security techniques. An information security strategy acknowledges information security as a priority for the organization, clearly identifies roles and responsibilities for information security, and outlines competence areas and resources relating to information security. This paper presents an information security strategy for the organization. Attention is specifically paid to the role of the chief information security officer (CISO), the role of the chief information officer (CIO), and how the digital forensics function complements the overall security efforts of the organization. Also, the paper evaluates the operational duties of digital forensic personnel and highlights the technical resources available to digital forensics personnel for performing forensic audits and investigations.

Role of the Chief Information Security Officer

With information security increasingly becoming a priority for the organization, having a CISO is imperative. U.S. Department of Homeland Security’s (DHS) Information Technology (IT) Security Essential Body of Knowledge (EBK) defines a CISO as an officer in charge of an organization’s information and physical security strategy (DHS, 2008). The officer is specifically involved in developing and enforcing the organization’s information security policies and procedures, information security awareness programs, disaster recovery and business continuity plans, as well as the relevant government laws and regulations.

The CISO position is essentially an executive position (Conklin & McLeod, 2009). The CISO serves as the head of all information security operations in the organization. One of the important functions performed by the CISO entails developing the organization’s information security plan. An information...

The CISO can execute this function, for instance, when the organization is contemplating to enhance information security in the wake of a significant security breach. When such a breach occurs, it is the role of the CISO to recommend specific ways on how the organization can prevent a similar breach in the future.
Part of ensuring information is secure involves acquiring information security products. It is the duty of the CISO to recommend to the organization the most suitable security products for the organization and the most suitable vendor for providing the products (Andress, 2011). This role would be particularly crucial when the organization is, for instance, installing a new information security system. It is not just enough to have an information security plan and to acquire the required information security products: all employees within the organization must also have comprehensive information security awareness (DHS, 2008). Ensuring this awareness falls under the umbrella of the CISO. The CISO is responsible for developing an information security awareness program for the organization as well as designing and implementing training initiatives to equip employees with the organization’s information security plan and their roles in promoting information security.

Fulfilling these roles requires the CISO to have a number of competencies. Some of the areas the CSIO should be competent in include data security, system and application security, security risk management, digital forensics, incident management, business continuity, IT security training, physical and environmental security, regulatory compliance, and procurement (DHS, 2008). These competencies place the CISO in a better position to fulfill the information security needs of the organization.

Role of the Chief Information Officer

It may appear as if the CISO and the CIO are one and the same thing or perform similar duties. While their duties generally revolve around information security, the CIO is a more senior role. The CIO is a member of the organization’s topmost executive team and serves as the most senior IT officer in the organization. Ordinarily, the CIO is accountable to the chief executive officer (CEO). The overarching role of the CIO encompasses developing the organization’s overall IT strategy (DHS, 2008). This relates to not just information security, but also IT policies and information systems (Conklin & McLeod, 2009). For example, if the organization desires to automate its processes, it is the job of the CIO to develop a viable IT strategy for the organization and to oversee the implementation of the strategy.

The CIO is also involved in evaluating the organization’s IT strategy (DHS, 2008). At its core, a strategy is meant to achieve certain goals and objectives. For instance, the organization may adopt an IT system with the aim of reducing administrative or operational costs. In this regard, the CIO is involved in monitoring the relevant metrics to ascertain whether the specified objectives were achieved or not. Based on the evaluation, the CIO can then make recommendations to the management. Another important role of the CIO relates to the acquisition of IT infrastructure and personnel. The CIO is responsible for ensuring the organization has the necessary IT infrastructure to support its computing and data processing needs. Also, as the leader of the IT team, the CIO should ensure the…