In this article we will try to list in more or less detail the main tasks that a typical IT Security Officer must perform. As certainly known to many, this is an extremely important figure for any organization that manages its business using IT tools, as it has the role of defining and implementing IT security policies.
However, despite the enormous quantity of informative articles published by all the specialized magazines and the urgent need to comply with the provisions of the law, there are still many companies that ignore (and in some cases "pretend to ignore") the importance to equip itself with such a function, responsible - as we will see - for numerous activities, including very delicate ones.
Who is the IT Security Officer?
Before moving on to the list of activities in charge of the IT Security Officer, sometimes also known as IT Security Manager or CISO, it is appropriate to spend a few words to understand which professional profile this figure corresponds to. In a nutshell, this is the function responsible for Information Security within the organization: in other words, it is responsible for defining the strategic vision, as well as implementing the software and defining processes to protect information assets to limit the associated risks. the adoption of digital technologies. From this definition we can immediately understand how the tasks of the IT Security Officer can vary greatly depending on the type of organization and the sector in which it operates: in any case, however, it is a figure who is required to have a skill set. very versatile, as it must be able to understand all the main technical and organizational aspects relating to safety, as well as the necessary managerial skills and communication skills to be able to apply them successfully.
Not surprisingly, despite this being a role traditionally played by IT technicians and/or people with a strong IT focus, skills and background history, in recent years there has been a significant increase in profiles from very different realities, such as management engineers, IT Communication experts, and so on.
Here is a list of the activities carried out by the IT Security Officer. For each of them we have thought of a "title" of one or two words that has the task of summarizing the scope, the topic or the basic context.
- IT Security Manual. Make sure that the company has an updated IT Security Manual that documents the system in use, including this list of periodic duties for the manager and the list of policies to keep up to date.
- Operating Systems Update. Make sure that all operating systems on company clients and servers (on-premise and in the cloud) are updated to the latest versions.
Software update. Make sure that all third-party software and applications (on-premise and in the cloud) are present on all server and client systems and updated to the latest versions, with particular regard to protection software (Firewall, Antivirus, Backup & Replication, SAST, DAST, VMDR, etc), logging and monitoring.
- Vulnerability Monitoring. Verify that the various prevention tools installed on clients and servers have not detected problems or vulnerabilities related to failure to update, incorrect or incomplete configuration, presence of viral elements, attacks carried out from outside or other anomalous situations.
Vulnerability Prevention. Check that the latest bulletins and security notices published by the main vendors (Microsoft, Apple, etc.), by the most authoritative IT Security newsletters (OWASP, Qualys, etc.) and by the main websites that deal with disseminating information in the IT field Security does not contain any news of bugs, exploits or vulnerabilities that could impact the corporate IT infrastructure.
- Authentication. Verify that all access procedures to company IT systems provide for the insertion of sufficiently complex credentials, with particular regard to the criteria of complexity and periodic expiration of the password in accordance with the latest regulations in force; also verify that all systems that are critical or that allow access to information, data or functionality that present a high risk have a two or more factor authentication system (2FA, MFA). Also check that all accesses are documented by written lists that are easily identifiable, viewable and verifiable, and that all credentials relating to users no longer active as of today have been appropriately decommissioned.
- Authorization. Verify that all IT operators, developers and system administrators can access only the information necessary to carry out their activity, according to the principle of deny by default.
- Encryption. Verify that all personal or confidential data present within the corporate infrastructure are encrypted at-rest on clients, servers, virtual machines and databases (using TDE or equivalent techniques), as required by Data Encryption policy. Verify that all personal or confidential data transmitted to or from the corporate infrastructure are encrypted in-transit and that transmission takes place over a secure protocol (TLS, HTTPS, etc).
- Backup. Make sure that the company's periodic backup systems work correctly and are documented within the Backup Policy; verify that at least one Backup Recovery Test has been carried out in the last 12 months, with its written report.
- Business Continuity. Make sure that the hardware and software systems necessary for corporate Business Continuity function correctly and are documented within the Business Continuity Policy; verify that at least one Business Continuity Test has been carried out in the last 12 months, with the relative production of a written report documenting the results, and that any problems resulting from the last test have been appropriately managed.
- Disaster Recovery. Make sure that the hardware and software systems required for corporate Disaster Recovery are functioning correctly and are documented within the Disaster Recovery Policy; verify that at least one Disaster Recovery Test has been carried out in the last 12 months, with the relative production of a written report documenting the results, and that any problems resulting from the last test have been appropriately managed.
- Penetration Testing. Make sure that all websites, services and company applications exposed to the internet have been subjected to Penetration Test in the last 12 months, with the relative production of a written report documenting the results, and that any problems resulting from the last test have been appropriately managed.
- Logging. Make sure that all company applications connected to the provision of services produce a log of the activities carried out, including any errors (Fatal, Error) or non-blocking anomalies (Warning); make sure that the logs are controlled and managed adequately, as required by the company Logging & Monitoring Policy.
- Risk Analysis and Assessment. Make sure that a Risk and Vulnerability Assessment has been carried out for all company projects and that this analysis contains the appropriate assessments in the IT Security field; also ensure that all projects for which a high risk profile has emerged during the analysis contain a Risk and Vulnerability Assessment Report that documents the methods of risk management and mitigation.
- Issue Tracking. Verify that any IT Security and Data Security anomalies have been appropriately resolved or managed by the competent personnel.
- Documentation. Make sure that all corporate IT Security documentation (policies, employee information, etc.) has been updated in the last 12 months.
- Training. Make sure that all employees and company collaborators have completed at least one IT Security refresher course in the last 12 months and that they have filled in the relevant evaluation form; make sure that the written minutes of attendance and topics covered are present for the course; make sure that a further refresher course is planned, to be held within the next 12 months.
Ideally, all the above activities should also be recorded in a specific company Time Tracker (or other equivalent task-tracking tool) in order to give the IT Security Officer, as well as the company, the opportunity to demonstrate that everything is managed periodically and continuous.
Why we need it?
As we can see by looking at the above list, the IT Security Officer is an extremely complex job description, which certainly cannot be performed by a CEO, a standard IT Administrator, or "delegated" to a function that already carries out other activities. Even the hypothesis of entrusting this type of assignment to an external consultant or a supply company, a very popular solution in some small and medium-sized companies (SMEs), is difficult to implement in practice. given that these are activities that require not only very strong technical and IT know-how, but an in-depth knowledge of the company and of all the IT tools used by its main functions for carrying out ordinary activities: from the business unit to logistics , from administration to general services, from operations to delivery, from the personnel office to the legal office, not to mention any hardware and software solutions adopted with employees, customers and suppliers: system integration, remote working, file sharing, messaging & communication, and so on - within all the on-premise and cloud environments.
If we consider all these factors, we can easily understand how the preferable solution for most companies is to have an internal IT Security staff, consisting of an IT Security Officer who is in charge of coordinating activities and a number of IT Security Specialists (employees or consultants) commensurate with the size of the organization and the quantity of hardware and software tools and solutions present or adopted. This approach obviously does not exclude the possibility that, in reality very small and where the number of hardware devices used is very low, the entire office can be run by a single person ... But these are highly residual situations, considering the very numerous legal obligations under the data security and protection regulations, as well as the risks typically associated with incorrect or incorrect management of the IT infrastructure and system (trojans, ransomware, viruses, worms, social engineering and so on), or the exfiltration of confidential data. It goes without saying that, for very large companies, the opposite may also be true: a multiplicity of IT Security Officers, perhaps relating to each of the production plants or company offices, coordinated by a Chief IT Security Officer (CISO) with strategic and managerial functions.
That's it for now: we hope that this list will be of help not only to novice IT Security Officers, but also and above all to CEOs and managers of companies that have not yet equipped themselves with this fundamental figure to understand the importance of getting one on board before it's too late.