ANSI CSO.1-2013 CHIEF SECURITY OFFICER - AN ORGANIZATIONAL MODEL《首席安全官.组织模式》.pdf

1、Chief Security Of cer An Organizational ModelASIS INTERNATIONAL STANDARDAMERICAN NATIONAL1625 Prince StreetAlexandria, Virginia 22314-2818 USA+1.703.519.6200Fax: +1.703.519.6299www.asisonline.orgANSI/ASIS CSO.1-2013ASIS International (ASIS) is the preeminent organization for security professionals,

2、with more than 38,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as spec

3、ific security topics. ASIS also advocates the role and value of the security management profession to business, the media, governmental entities, and the general public. By providing members and the security community with access to a full range of programs and services, and by publishing the indust

4、rys number one magazine, Security Management, ASIS leads the way for advanced and improved security performance. For more information, visit www.asisonline.org.ANSI/ASIS CSO.1-2013 an American National Standard CHIEF SECURITY OFFICER AN ORGANIZATIONAL MODEL Approved November 8, 2013 American Nationa

5、l Standards Institute, Inc. ASIS International Abstract This standard is a model for organizations to use when developing a leadership function to provide a comprehensive, integrated and consistent security/risk strategy to contribute to the viability and success of the organization. It is structure

6、d at a high level, although specific considerations and responses are also addressed for deliberation by individual organizations based on identifiable risk assessment and requirements, intelligence, and assumptions. ANSI/ASIS CSO.1-2013 ii NOTICE AND DISCLAIMER The information in this publication w

7、as considered technically sound by the consensus of those who engaged in the development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is unanimous agreement among the participants in the development of this document. ASIS International stan

8、dards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this pu

9、blication. While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained

10、in its standards and guideline publications. ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or anyone else. ASIS does not accept or undertake a duty to any third party because it does not have the authority to enforce complianc

11、e with its standards or guidelines. It assumes no duty of care to the general public, because its works are not obligatory and because it does not monitor the use of them. ASIS disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect

12、, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. ASIS disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims an

13、d makes no warranty that the information in this document will fulfill any persons or entitys particular purposes or needs. ASIS does not undertake to guarantee the performance of any individual manufacturer or sellers products or services by virtue of this standard or guide. In publishing and makin

14、g this document available, ASIS is not undertaking to render professional or other services for or on behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgmen

15、t or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional

16、 views or information not covered by this publication. ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS has no control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any activity or con

17、duct that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any practices, products, materials, designs, or installations for compliance with its standards. It merely publishes standards to be used as guidelines that third parties may or may not choose to a

18、dopt, modify or reject. Any certification or other statement of compliance with any information in this document should not be attributable to ASIS and is solely the responsibility of the certifier or maker of the statement. All rights reserved. No part of this publication may be reproduced, stored

19、in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright owner. Copyright 2013 ASIS International ISBN: 978-1-934904-51-0 ANSI/ASIS CSO.1-2013 iii FOREWORD The information con

20、tained in this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSIs requirements for an ANS. As such, this Foreword may contain material that has not been subjected to public review or a consensus process. In addition, it does not contain

21、requirements necessary for conformance to the Standard. ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a recommendation ar

22、e specified for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or performance advantages. ASIS International (ASIS) is the preeminent organization for security professionals, with more than 38,000 members worldwide. ASIS is dedicated

23、to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security

24、 management profession to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services and by publishing the industrys No. 1 magazine Security Management - ASIS leads the way for advanced and improved s

25、ecurity performance. The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines Committees and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited Standards Development Organization (SDO), ASIS actively participat

26、es in the International Organization for Standardization. The Mission of the ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to th

27、e fullest extent possible the knowledge, experience, and expertise of ASIS membership, security professionals, and the global security industry. Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street, Alexandria, VA 22314-2818, USA. Ch

28、arles A. Baley, Farmers Insurance Group, Inc. Jason L. Brown, Thales Australia Michael Bouchard, Sterling Global Operations, Inc. John C. Cholewa III, CPP, Mentor Associates, LLC Cynthia P. Conlon, CPP, Conlon Consulting Corporation William J. Daly, Control Risks Security Consulting Lisa DuBrock, Ra

29、dian Compliance Eugene F. Ferraro, CPP, PCI, CFE, Convercent F. Mark Geraci, CPP, Purdue Pharma L.P. Bernard D. Greenawalt, CPP, Securitas Security Services USA, Inc. Robert W. Jones, Socrates Ltd Glen Kitteringham, CPP, Kitteringham Security Group Inc. Michael E. Knoke, CPP, Express Scripts, Inc. B

30、ryan Leadbetter, CPP, Alcoa Inc. Marc H. Siegel, Ph.D., ASIS International, European Bureau Jose Miguel Sobron, United Nations Roger D. Warwick, Pyramid International Allison Wylde, University of Roehamptom ANSI/ASIS CSO.1-2013 iv At the time it approved this document, the CSO Standards Committee, w

31、hich is responsible for the development of this Standard, had the following members: Committee Chairman: Jerry J. Brennan, Security Management Resources Commission Liaison: Charles A. Baley, Farmers Insurance Group, Inc. Committee Secretariat: Susan M. Carioti, ASIS International Christopher Aldous,

32、 CPP, PSP, Design Security Ltd Timothy Alexander, CPP, PMP, TYCO Integrated Security James Almeida, Solstice Marketing Concepts Raymond Andersson, ICPS, Independent Grant Ashley, CPP, CPA, Merck Scott Ast, CPP, Metro Wastewater Reclamation District Jay Beighley, CPP, CFE, Nationwide Insurance Jody B

33、issonnette, CHS III, Bisonnette therefore, the safeguards against these risks are interdependent at all levels. A successful model for organizations is to have a designated single point of accountability at the senior governance level with responsibility for crafting, influencing, and directing an o

34、rganization-wide security/risk strategy. In these organizations, accountability is clearly defined and supports role imperatives. The ability to influence strategy and address matters of internal and external risk exposures requires such a leadership role. 4. REPORTING RELATIONSHIP It is strongly re

35、commended that the position report to a key senior-level executive of the organization so as to ensure a strong liaison with designated leadership bodies such as the Board of Directors and its operating committees or in the appointed and/or elected governing public agency councils, oversight committ

36、ees, boards or designee(s). This alignment within the organizational hierarchy should signal executive commitment, support, and the importance of such a role. 5. MODEL FUNCTION Table 1 illustrates the scope of an organizations security/risk program, including functional areas of responsibility, key

37、processes, and discussion of work elements that should be found within an organization. It is not intended to be a complete road map for every program and initiative within a given process since these should be customized and would naturally vary based on numerous geographical, political, cultural,

38、industry sector, legal, and other specific requirements. ANSI/ASIS CSO.1-2013 3 Leadership should clearly establish strategic accountability and exert effective influence on the security and risk mitigation activities of the organization in order to achieve organizational goals and objectives. Gover

39、nance may take the form of a single Enterprise Risk Management Council; separate risk committees to address key risk areas or processes; actual managerial and budgetary accountability and/or various combinations to better align with and adjust to evolving organizational structures. Each organization

40、s unique culture, business model, public purpose, and/or needs should guide specific decisions establishing the best structure. This model is intended to assist any organization considering its best approaches and provide guidance on placement of the role, the skills, and competencies required withi

41、n the organization. While many different approaches may be taken to align the role within an organizations culture, to aid in understanding and facilitating the design and implementation, this model presents a representative framework (see Table 1) and position description (see Annex A). ANSI/ASIS C

42、SO.1-2013 4 Table 1 - Profile of the Functions Execution Major Areas of Risk to the Viability catastrophic events (hurricanes, tornados, earthquakes, etc.), or related significant security incidents that might include white collar crime - such as fraud, theft, product tampering, sabotage, etc.). Pre

43、paration for these events should involve the development, implementation, and administration of policies, plans, programs, procedures, and exercises to establish baseline organizational responses. The process of performance management, to include regular periodic review, testing, and evaluation of o

44、rganizational readiness in the event of disruptive attacks or events, is a key responsibility. The protection of the organizations integrity, human capital, processes, information, reputation and other critical assets from harm and loss is a key responsibility. While guarding the financial and physi

45、cal assets of the enterprise (i.e., cash, facilities, and equipment), it is important that the senior security executive should also be able to counter the potential risks involved in the loss of intangible assets (i.e., reputation and customer and client confidence), intellectual property, confiden

46、tial information, and trade secrets. Human capital here includes leadership and external directors, employees, customers, and others the organization has a duty to protect. The senior security executive should be expected to identify and understand the nature of security/risks in the business enviro

47、nment, as well as the application of appropriate controls and countermeasures to mitigate those risks. This requires an understanding of how and when to enlist the support of external resources and other staff functions such as: information technology, risk management, internal audit, controllers, l

48、egal, and human resources to mitigate the various risks to the business. ANSI/ASIS CSO.1-2013 8 Another key responsibility of the role is the analysis of information and the coordination of activities with persons inside and outside the organization to identify, prevent, and / or mitigate attacks an

49、d catastrophic events. The senior security executive plays a leading role in the strategic oversight of preparations, detection and analysis of incidents, as well as containment, mitigation, eradication, recovery plans, and post incident activities. In order to ensure that incident management policies, plans, processes, and reports are in place throughout the organization, the senior security executive facilitates the creation, maintenance, and periodic evaluation of an incident, attack or catastrophic event. The senior security executive may have a role in both in