CISO Council issues handbook for agency cyber execs
- By Sara Friedman
To help agencies get the cybersecurity talent they need, the Chief Information Security Officers Council has released the CISO Handbook, a new resource for key policies, initiatives, templates and processes to help prepare future cybersecurity executives for their roles and responsibilities for securing federal data and systems. The handbook was released on June 26.
“Breaking the complex conversation of the CISO role and risk management into consumable pieces can only help the community succeed in bringing new talent onboard and meeting our mission needs,” Emery Csulak, CISO at the Centers for Medicare and Medicare Services, was quoted as saying in a CIO Council blog post.
The handbook features three main sections and appendices with links and reference documents that provide a systematic overview of the risk management process. To help agencies comply with the Trump administration's cybersecurity executive order, the handbook "maps example agency policies to specific objectives in the Cybersecurity Framework Core as well as to key NIST publications," the CIO Council wrote in the blog post.
The first section outlines the CISO’s role at individual agencies and with the federal government as a whole. It also provides an overview of key federal cybersecurity organizations and a summary of the kinds of reporting that CISOs must submit to oversight authorities.
The second section includes high-level summaries of key risk management publications and focuses specifically on the National Institute of Standards and Technology’s Cybersecurity Framework. The section also lists key government policies and memos that include information security requirements for agencies.
The third section gives agency CISOs management resources to help them make personnel decisions and address workforce challenges. The section also lists some of the security services available from the General Services Administration and the Department of Homeland Security.
Lastly, the five appendices provide agencies with examples of internal policies for secure asset management, risk management, asset control, system maintenance and continuous monitoring. There are also links to governmentwide policies and publications that impact the CISO’s role, a breakdown of agency responsibilities under the Federal Information Security Management Act, links to governmentwide cybersecurity resources and acquisition vehicles as well as a glossary.
Read the full CISO Handbook here.