Saturday, 17 October 2020

CISO and DPO – Is this a Dual Role of a Security Officer?


In the traditional organizational hierarchy, the CISO is often held responsible for integrating privacy requirements into the controls of the security program. With the EU’s General Data Protection Regulation (GDPR), a new role was introduced: the data protection officer (DPO). This role is closely associated with the General Counsel or legal department and is integral to its oversight of the data privacy program. At the end of the day, both the CISO and the DPO aim to protect all data and other company assets, and with them the company’s customers and clients.

What Is Data Privacy?

Data privacy is a branch of data security that deals with the proper handling of data, including consent, notice, and regulatory obligations. In practice, data privacy is concerned with how data is legally collected and stored, how it is shared with third parties, and which regulatory restrictions apply to it.

Why Is Data Privacy Required?

The most valuable, and most risky, asset of any business is its personally identifiable information and confidential data. Nowadays, an organization’s cybersecurity management needs to keep pace with data-protection laws and the rising number of security breaches.

This is why most information security officers, IT departments, cybersecurity managers, and boards of directors are increasingly focused on securing data.

Who Is a CISO?

The Chief Information Security Officer is a high-ranking executive responsible for the optimum security of an organization’s business information and data. The CISO also helps oversee the incident response team, supervises security technologies, administers the creation and application of policies and procedures, and establishes the standards and controls.

This indicates that a CISO is at the peak of the IT profession.

What Is the Role of a CISO?

A good CISO needs to be able to make and implement risk-based business decisions. A CISO must also communicate those risk-based decisions to the board in a way the board can readily understand. Some of the responsibilities of a CISO in an organization are as follows:

◉ Information privacy
◉ Cybersecurity
◉ Information security and information assurance
◉ eDiscovery, IT investigations, and digital forensics
◉ Computer Emergency Response Team (CERT)
◉ Information Security Operations Center (ISOC)
◉ Computer Security Incident Response Team (CSIRT)
◉ Identity and access management
◉ Governance, risk, and compliance (such as FISMA, PCI DSS, HIPAA, SOX, and GLBA), etc.

Who Is a DPO?

The data protection officer (DPO) is the enterprise security leadership role required by the General Data Protection Regulation (GDPR). The role of a DPO is to oversee a company’s data protection strategy and its implementation, making sure the company complies with GDPR requirements.

The Role of a DPO

A DPO’s role varies based on the needs and specific circumstances of the business, its industry, and its environment. Some of the requirements for a data protection officer are stated below.


◉ Background and expertise in data compliance, legal, audit, or IT security
◉ Familiarity with computer security systems
◉ Experience in cooperation with supervisory authorities of any kind
◉ Experience in managing data breaches
◉ Experience in operational application of privacy law
◉ Must understand the GDPR requirements
◉ Knowledge of the DPO requirements in a particular region
◉ Knowledge of data protection legislation, especially the GDPR and national laws, etc.

Can a CISO be a DPO?

While the roles overlap considerably, it is not recommended that a CISO also serve as the DPO, because combining the two creates internal conflicts. The CISO would be empowered to decide on the investments needed to tackle digital security issues, while at the same time the money would be drawn from the IT and Finance budgets without any check.

Because the CISO defines the overall corporate digital security policy and safeguards the company, the DPO audits those corporate guidelines to ensure they comply with the GDPR and the ePrivacy Regulation, and so protects data subjects’ personal data.

Source: eccouncil.org
