Development and maintenance of Enterprise-wide deployment processes of computing security policies and requirements.

Provide consultation to support audit and business processes, technical product reviews, incident tracking and coordination as they relate to existing Enterprise-wide computing security policies and requirements.

Represent Computing Security at Business Unit leadership meetings. Compliance & Risk Assessments - Provide Computer Security Compliance Reports (CSCR) and a risk assessment (RA) consultation including primary responsibility for coordination of CIO approvals for CSCRs containing Enterprise-wide RAs. Establish and maintain the CSCR/RA database.

Provide records and statistics related to CSCR/RA activity and approval. Team with regional security and Business Unit focal points.

Ensure policy support by defining and providing computing tools and processes to deploy existing policies and requirements.

Ensure commonality in tools and processes across Operating Systems where necessary. Security Quality Assessments - Evaluation of Computing Security Programs.

Enterprise-wide Computing Security Policies & Procedures - Development and

maintenance of Information Systems Security Governance Documents for Corporate and Government Programs.

Represent the Enterprise at National and International Policy Forums.

Participate in the development of Computing Disaster Recovery procedures.

Provide consultation to the Computing Disaster Preparedness Council (CDC).

Computing Security Training, Education & Awareness - Consultation services,

development and distribution of briefing materials, and on-site training to the Enterprise Business Units.

Security Quality Assessments - Evaluation of Computing Security Programs.

Incident Response - Analyze and respond to network/computing security incidents.

Minimize damage to the computing infrastructure by responding to and resolving suspected intrusions, hacking, and other attacks

Investigation Support - Provide technical support to enterprise investigative

organizations.

Provide technical support for investigations that involve computing systems.

Contribute to successful investigation and resolution of Security, EEO, Ethics, and Legal investigations.

Vulnerability Assessments - Perform technical vulnerability assessments on Firewalls, internal networks, and critical computing systems. Report on identified vulnerabilities and suggest fixes to mitigate operational/business risks.

Threat Monitoring & Analysis - Monitor external and internal threats; analyze in conjunction with vulnerabilities to determine risk.

Determine risk to Enterprise computing infrastructure components and support operations.

Communicate risks to appropriate management to influence mitigation project selection and funding.

Information Protection Support - Assist individuals accountable for information assets to identify sensitivity/impact of loss, use, threats and vulnerabilities.

Prepare information protection plan based on risk analysis. Support implementation.

International Security - Assist individuals accountable to protect ITAR and EAR controlled information to provide appropriate protections.

Enterprise-wide Information Security Policies, Procedures & Tools - Develop and maintain Information Security Governance Documents for protection of Enterprise sensitive and government classified information.

Information Security Education, & Awareness - Develop information security education materials, deliver information security briefings, and develop and distribute awareness materials.

Access Management - Sustaining support for authentication systems. Execute plans for audits; mergers, acquisitions, and divestitures.

Team with regional and business units access administration groups. Identify and implement improvements to tools and processes.

Develop and Maintain the Tools and Processes for an International IS Security and Information Protection (IP) Program -

In-country Authorization Process

International Assessment and Status Process

Stream-lined Network and Access Process

Gathering Requirements, Strategic Partners

Develop Processes for WWSO Employees

Implement International IS Security and Information Protection (IP) Program -

Conduct Site Assessments

Develop and Maintain Security Documents

Conduct Education of (world-wide security office) WWSO personnel and International Employees and

Customers

The ability provide technical requirements for DCE Distributed Computing Environment, DART Distributed Access Request Tool, SSA Secured System Access, STAC Single Terminal Access Control for access administration.

The Authentication Services organization offers a number of services to validate the identity of those who have access to information. These are designed to further our e-commerce and computing security goals.

The Corporate Electronic Directory's mission is to enhance corporate communications and facilitate efficient processes at the Enterprise by providing effective standards-based directory services. Developed to support the multiple electronic mail systems within the various enterprises; to provide naming and e-mail directory synchronization services.

Services provided are virus, intrusion detection and virus.

Supports the computing infrastructure (also called the "perimeter" or "firewall") that enables secure external access to computing resources. These are some of the expertise: Virtual private networking, firewall proxy servers, reverse proxy server software and SOCKS generic outbound proxy servers

Standard and secure set of solutions to enable the domestic and international partner or contracted workforce to gain access to resources on the perimeter and inside the enterprise network while on-site assisting in project development or training. These solutions have many requirements driven business, security policies, contractual obligations of our Government and sometimes those of other Governments. The solutions need to be flexible enough to adapt to the broad spectrum of projects within the company and maintain strong security safeguards of sensitive Government and Company data.

Web Single Sign-On initiative (affectionately known by the technologists as Web Security Infrastructure). This activity is being done in concert with EIP, the Web Application Integration Architecture activity, ESP, and others. The major requirements include cross-domain web single sign-on, reusable security infrastructure, delegated administration, role-based access control.

Responsibilities include daily guard force management to protect enterprise physical access from unauthorized person. Perform routine roving security controls of specific areas of the enterprise. Perform search and seizure of enterprise assets. Monitor all access points, hallways and delivery points where asset maybe compromised. Upon receive alerts, take appropriate action to investigate and escalate to proper management.

Perform routine investigation of potential new hires to the organization. Perform research and obtain information from outside source to determine availability. Work with external organization to collect public information of potential employee.

Create badges for employees, contractors and vendors for enterprise physical access to facilities. Inventory badges and control the all unused badges periodically. Take badge pictures employees, contractors and vendors.

Create employee selection and the retention process. Ensure that safety and security of key executives and employees are in accordance to security policies. Evaluate information obtained from internal or external investigations. Develop and implement security education and awareness programs for the enterprise.

Identify security controls and dissemination of critical information for the enterprise. Develop classification instructions and process for both employees and security staff. Identify the sensitive levels of access required to gain employee access to sensitive information.

Create emergency planning process for the enterprise security group. Develop plans and types of emergencies that could occur. Work closely with the enterprise disaster recovery group and team to establish roles and responsibilities during a disaster.

Corporate and executive leadership skills are necessary to establish goals/objectives and to enhance the asset protection program. The security executive must be well rounded in all disciplines that he/she will be leading. Must have the technical knowledge, leadership skills and the ability and the art to influence key executives to make critical decisions on security related issues. Must have the ability to work with a variety of personnel ranging from front line assemblers, engineers, administrators and senior level executives.

Understand both the technical security controls, corporate security methodology, export compliance and contracts to include mergers, acquisitions and divestitures.

Enterprise organizations are becoming more complicated because of the size, different countries perception of security laws and statues, language and trade barriers.

The old concept that the enterprise has a clear organization structure, which does not include contractors, vendors or suppliers, sub-business entities in other countries is misleading and does not reflect access to information.

This is considered to be a virtual organization that encompasses E-business solutions to ensure a competitive enterprise advantage in the global economy.

Old security rules must be re-established or created from scratch. The use of Virtual Private Networks (VPNs), security zones and policy directories must be enabled to ensure information is available to perform ones job but only available on a business need to know.

The complexities of a large organization that performs a multi-national interest will have complicated items to overcome concerning both political and legal barriers.

Privacy is related to outsource consumer or personal information to non-affiliated business entities. There are FTC security controls and requirements that clearly express how personal information is to utilized and shared with external customers.

The enterprise security person should be familiar with the role and responsibility of the Privacy Officer and their duties and assignments.

Privacy issues are specific controls in-placed between the enterprise and the external customers. Note: the privacy officer functions and responsibilities are out the scope of the enterprise security professional, therefore this is no direct or in-direct reporting structure to the enterprise security functions.

However, some of the technical controls, impacts and safeguards are essential elements of security functions. The privacy officer should report to Legal sub-unit for responsibilities and delegation of controls. Note: funding maybe less in the security budget (at the beginning) to fund privacy initiatives.

Understanding the elements of both export compliance requirements and contracts is essential practice for the security professional. Information released to foreign nations may require specific government approval and acknowledgment to protect ITAR and EAR controlled information. It is essential to understand the fundamentals of export compliance and where to obtain additional information. Security professionals must work very closely with Export Compliance officials on all matters of export controls and laws.

The world of contracts could be overwhelming and intimidating for the security professional to create a binding contract, review and to ensure all the information is located in the body of the contract language. It’s essential to work very closely with Legal personnel to ensure both parities are aware of there responsibilities and "due diligence" in the contract.

When mergers, acquisitions and divestitures occurs, what policies and standards will be obsolete and what processes must be re-written. For most security professional, this may happen some time within you work experience involved in merger of two different businesses.

Understanding and implementing another enterprise security policies and standards that have no similarities between the old policies and new policies.

Security professional must be prepared for increasing inherent responsibilities or reducing key responsibilities to include downsizing the security group and personnel.

Cultural difference and diversity between languages, customs, due diligence and the laws that effect enterprise security are real and must be reviewed on an ongoing basis especially operating in various or multiple countries. It is important to foster cooperation between business entities and have a security focal available in each specific country that understands the customs and language.

With this in mind, various controls must be in place to protect the enterprise business units (within the United States) at the same time ensuring that information is available on a need to know bases. This can be complicated but necessary to protect the entire interest of the enterprise.