| # | Task | Type | Deliverables | Resource |
|---|---|---|---|---|
| 1. | Initial assessment of Cyber Security posture and potential threats | Mandatory | Perform surveys and interviews to: | CISSP certified CISO |
| 2. | Provide prioritised list of recommended improvements (Policies, Training, Projects, Insurance) including cost/benefit of top 3 recommendations | Mandatory | Prioritise recommended actions; undertake cost/benefit analysis of top three recommendations; produce and present report outlining all recommended actions, including documentation of cost/benefit. | CISSP certified CISO |
| 3. | Handle security questionnaires from partners, suppliers and customers | Optional | Based on findings from the Initial Assessment, develop a generic template for responses to partner/customer/supplier security questionnaires. Deliver ongoing responses as and when required. | CISSP certified CISO |
| 4. | Define KPIs for ongoing security operational monitoring based on available data from existing systems | Optional (Mandatory for 5.) | Based on findings from the Initial Assessment, perform further detailed analysis of reporting from existing defensive systems and deliver a recommendation for how Key Performance Indicators for InfoSec defences can be implemented. | CISSP certified CISO |
| 5. | Implement KPI monitoring from existing data sources | Optional (Mandatory for 8.) | Oversee implementation of the reporting regime as designed in 4. | CISSP certified CISO |
| 6. | Oversee vulnerability testing | Optional (Recommended for 8.) | Initially review current arrangements or recommend a new vulnerability testing scheme. Thereafter oversee that findings from regular testing are followed through. | EC-Council CEH Analyst |
| 7. | Evaluate/approve new developments/projects from a security standpoint | Optional (Recommended for 8.) | Review new systems and system changes from a Cyber Security viewpoint: testing done, supplier credentials etc. | CISSP certified CISO |
| 8. | Provide monthly InfoSec reports for senior management based on KPIs (5.), vulnerability testing (6.), new/changed systems (7.) and progress on recommended improvements (2.); run quarterly InfoSec board meetings to discuss quarterly progress. | Optional | Monthly reports, quarterly minuted meetings. | CISSP certified CISO |
| 9. | Create and own InfoSec strategy | Optional | Based on the business strategy, work closely with senior management and provide a 3-year plan for InfoSec evolution closely aligned with the IT/Technology strategic plan. | CISSP certified CISO |
| 10. | Develop and maintain incident management plan | Optional | Working closely with IT/Technology departments, HR and senior management, develop a plan for how the business can best cope with various forms of cyber incidents. | CISSP certified CISO |
| 11. | Perform incident management test/rehearsal / Red Team attack | Optional | Optional addition to 10.: plan and coordinate a rehearsal of a business-disruptive cyber incident, or execute a Red Team attack. | CISSP certified CISO |
| 12. | Support during incidents | Optional | Optional addition to 10.: support the business in real time during an incident, either in a leadership or a supporting role. | CISSP certified CISO and EC-Council CEH Analyst |