
Philemon Mapfumo: W1125681 Coursework 1
IT Security Awareness [2ITS7H5]

Name: Philemon Mapfumo
Student ID: W1125681
Date: March 22, 2010
Module: IT Security Awareness
Module Code: 2ITS7H5
Module Leader: Gavin Butler
Course: MSc. IT Security


D'Ausecours
Memorandum

To: Matt Le Blanc, Managing Director

From: Philemon Mapfumo, IT Security Manager

Date: March 22, 2010

Subject: Responsibilities of a Data Security Officer

Introduction
This memorandum is for the attention of the managing director of D’Ausecours, Mr Matt Le Blanc. It discusses the duties and responsibilities of a Data Security Officer, the number required for the organisation, how they will be integrated into the organisation, the financial costs and benefits of employing data security officers, and the implications of the merger between Delta base and D’Ausecours.

Duties and Responsibilities


The role of a data security officer should not be confined to the protection of information assets but must include the business's physical assets as well (Kovacich, 2003). The main responsibilities of a data security officer are:

- Creating business relationships within the organisation
- The ability to adapt easily to change and to communicate effectively with people
- The capability of running a team and being performance oriented
- Educating users in security awareness (Forcht, 1994)
- Safeguarding both the physical and logical domains and applying appropriate access controls
- Acquiring and managing funding for security resources (Kovacich, 2003)
- Installing sound security practices
- Frequently executing security audits and risk assessments (Infosec, 1996)
- Making sure that all users and all members of IT support have gone through the appropriate security clearance

The security officer must display security awareness regardless of whether it is in the physical or logical domain (Forcht, 1994). The responsibilities are varied and can include planning, organising, implementing and having an understanding of the customer and the supplier (Kovacich, 2003). However, it is not the responsibility of the security officer to perform security functions, but to make certain that security efforts are coordinated, by ensuring that policies, procedures and standards are updated and adhered to (Killmeyer, 2006). The benefits of the security officer to an organisation would be to support organisational requirements, to increase the value of the business assets and to reduce the risks to the current network infrastructure (Kovacich, 2003). The data security officer must also ensure that the organisation adheres to legal and regulatory requirements such as the Data Protection Act 1998, which requires organisations to collect and process customer details legitimately without unnecessarily disclosing personal details; violating it could result in legal action and loss of business (ICO, 2009). The data security officer must also ensure that the organisation complies with the Computer Misuse Act 1990 (OPSI, 2009), which comprises the following three computer offences:

- “Unauthorised use of a computer resource e.g. data or program”
- “Unauthorised access to a computer system with the intent to commit crimes”
- “Unauthorised modification of computer material”

If any of these offences are committed, the organisation should be able to apply the Act regardless of whether the offence was committed internally within the organisation or externally. Even though the investigation is the responsibility of law enforcement, evidence needs to be collected appropriately for a prosecution to be achieved. The security officer must also ensure that the organisation adheres to the ISO 27005 standard, which provides guidelines on how to manage IT security risk assessment in an IT environment; no particular risk analysis method is suggested, but it strongly recommends that a systematic and thorough risk analysis is conducted (Infosec, 1996).

Data security officer numbers and financial calculations

The number of security officers required is dependent on the type of organisation and its size, according to Charles Cresson Wood (Forcht, 1994). Data security officers should make up 1% - 5% of the data management department and 0.05% to 0.28% of the entire staff of the organisation. Mr Wood's suggestion is good, but the role of a data security officer, as previously mentioned, is to coordinate security efforts without performing security functions himself. Therefore the organisation would require four security officers, two at each site, estimating that there are 600 staff at the Paris site and 400 staff at the England site. The reason why two security officers are recommended for each site is that if one of the security officers is sick or on holiday, there will always be one security officer to maintain daily operations.

The average salary for a data security officer in the United Kingdom is £35,000 – £37,000 per annum, which translates to €39,000 – €41,000. Therefore the cost of the security officers to the organisation will be £140,000 per annum. To see how a security officer would fit into the structure of the organisation, please see Appendix 1 and Appendix 2.

Implications of a merger

Now that the companies are merging, the new organisation consists of two sites (Kovacich, 2003). A consequence of this is that the protection of physical assets will decrease through a lack of communication and coordination. The data security officer must be conscious of this division and must encourage more coordination and communication between the divisions. The security officer must be vigilant in all phases of the merger, which will include (Tipton and Krause, 2007):

- Protecting management from unintentional disclosure
- Knowing the goals and aims of the acquisition team
- Ascertaining any security risks that will affect the merger
- Monitoring any projects that are scheduled during the merger


Conclusion and recommendations

In light of the issues discussed, a security officer plays an important role in an organisation by coordinating efforts, ensuring that the organisation adheres to legal requirements and standards, reducing security breaches, auditing, executing a risk analysis of the organisation and applying sufficient countermeasures. The return on investment of a security officer outweighs the risks to the organisation, increasing productivity and security.

References

1) Forcht, K. (1994) Computer security management. Massachusetts: Boyd and Fraser.

2) Kovacich, G. (2003) The information systems security officer’s guide: Establishing and managing an information protection program. Burlington: Butterworth and Heinemann.

3) Infosec (1996) The information security (ISSO) guide book. [online] Available from: <http://www.marcorsyscom.usmc.mil/sites/ia/references/don/NAVSO%20P5239-07%20ISSO%20Guide.pdf> [accessed 14 March 2010]

4) ICO (2009) The guide to data protection. [online] London: Information Commissioner’s Office. Available from: <http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/the_guide_to_data_protection.pdf> [accessed 5 March 2010]

5) The IT Job Board (2010) Information security officer. [online] Available from: <http://www.theitjobboard.co.uk/IT-Job/Information-Security-Officer/7810956/en/?source=Search&SearchTerms=information+security+officer&LocationSearchTerms=&JobTypeFilter=0&DatePostedFilter=0&Page=1&OrderBy=0&CountryId=0&nocache=1268857217> [accessed 15 March 2010]

6) OPSI (2009) Computer Misuse Act 1990. [online] Office of Public Sector Information. Available from: <http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm> [accessed 16 March 2010]

7) Killmeyer, J. (2006) Information security architecture: An integrated approach to security in the organisation. 2nd ed. Raton: Taylor and Francis Group.

8) Tipton, H. and Krause, M. (2007) Information security management handbook. 6th ed. Raton: Auerbach Publications.


Appendices

Appendix 1: Security Officer Placement (organisation chart; source: Killmeyer, 2006)

[Organisation chart boxes: Board of Directors; President / CEO; Security Officer; Information Technology Department / Division / Department; Information Security; Operations and Maintenance; Architecture, Plans and Support]


Appendix 2: The Security Team (organisation chart; source: Killmeyer, 2006)

[Organisation chart boxes: Security Officer; Security Coordinators; IT Component Administrators; Help Desk; Human Resources; Department Legal Counsel; Network Administrator; Application Administrators]
