I work at a company that currently does not have a position dedicated to information security. I come from a background in networking with a good portion of my focus on firewalls and other security-related technologies.
I am interested in positioning myself into the role of InfoSec Admin at my company and was hoping that I could get some advice on how to sell the position to a reluctant management team. I know where most of our security issues currently are, but I need a more general description of the role and its value in order to justify dedicating a good percentage of my time to it.
Any advice and help would be appreciated.
You can take a look at the gov't model which has become widely accepted in many industries.
It is based on FISMA, a public statute which governs all federal IT operations.
NIST is responsible for publishing the policies and guidelines: http://csrc.nist.gov/sec-cert/
The umbrella for all IT security operations is Information Risk Management.
After that, find examples from trade magazines and other info sites regarding industries like yours who have created IT security positions like CISO, ISO, ISSO, etc.
Good luck! tg
Last Wiki Answer Submitted: December 12, 2006 2:13 pm by TomGrg