When a hacker breaks into a system, their goal is to stay invisible for as long as possible. A good monitoring program should therefore have tools to monitor traffic, a team to do the monitoring, and a team to assess breaches and vulnerabilities so that the intruder can be detected and any security loopholes in the system fixed. Without a proper team to maintain BlackMart’s system and make the right assessments, BlackMart may make the wrong move when handling an incident. If a member of BlackMart’s staff does not know what is going on in the system, he or she is not in a good position to protect data or make decisions. Hence, to have a good monitoring program, it is crucial to establish a good security management structure when implementing the information security program in BlackMart.
The first step to establishing a good security management structure in BlackMart is to have a central security program office that can coordinate all activities within the system. The three main committees in this management structure are the Audit Committee, the Security Committee and the Risk Committee. The top of the hierarchy is the Board of Directors, which governs the whole of BlackMart; however, most matters are left to the Executive Director, led by the Chief Executive Officer (CEO), to handle.
The Executive Director’s job is to approve and mandate information security principles. The CEO is also tasked with approving the budget set aside for the information security program and for other IT-related needs. All other operational responsibilities are left to the Security Committee (SC). Thus, the SC is heavily depended upon, as it is responsible for coordination throughout the whole of BlackMart.
The Security Committee, led by the Chief Security Officer (CSO), is responsible for directing the management, implementation and enforcement of the entire information security program. The CSO is charged with securing BlackMart’s assets, periodically reviewing the security policy statement to ensure the efficiency and effectiveness of the security control infrastructure, and advising on improvements and strategies to be adopted.
The Audit Committee is in charge of internal auditing in BlackMart. Its members are the ones looking for practical solutions to the risks that BlackMart faces. They assess breaches and vulnerabilities and seek solutions to fix them. They also check the adequacy and effectiveness of the risk management framework that the Risk Committee developed. Not only that, they give an independent view on the credibility and reliability of that framework.
The Risk Committee is all about risk management and is chaired by the Risk Manager. The Risk Committee’s duty is to develop and implement the risk management framework. Unlike the Audit Committee, the Risk Committee looks for the system’s weaknesses and advises on the allocation of accountability for risks, controls and tasks. In short, the Risk Committee acts as an advisor on risk management matters.
There are five other key players needed for the information security program to run smoothly.
They are the System Program Manager, the Information System Security Officer (ISSO), the System Administrator, the Designated Approving Authority (DAA) and the Data Owner.
The System Program Manager is a vital player, as he or she is responsible for the overall lifecycle planning of BlackMart, as well as for ensuring that security is funded and implemented in the system.
The Information Systems Security Officer is responsible for the administrative and operational aspects of security in BlackMart. Not only that, he or she has to ensure that the systems are maintained properly, patched when needed, monitored, and handled properly when issues arise.
The System Administrator is required to take care of BlackMart’s system, which includes hardening it and patching it when needed.
The Designated Approving Authority is most often made up of senior executives who hold responsibility for the funding, configuration and operation of BlackMart. If, unfortunately, BlackMart’s system is found not to be secure, they are the ones with the authority to shut it down.
Last but not least, the Data Owner helps to set the requirements for the level of protection the data needs.
All of these key players and committees are recommended for BlackMart so that it can establish a good management structure and attain a good monitoring program while implementing its information security program, making that program more effective.