Like in every profession, good tools are already half the work. The other half however, is getting the right tool, at the right moment and using it, correct, in the right way.
Especially new CISOs might want to invest time and create a proper toolkit, before trying to patch systems with a hammer.
Overview of business critical assets
The first resource a CISO might use, is an overview of the business critical assets, including systems and applications. This list consists of the assets which are critical to the mission of the organization, like the mission critical services, or critical business units. Additional areas of interest are the critical business processes and procedures.
Bigger companies usually create their version of the Yellow Pages, including the name, picture and some basic details of employees. This might be extended with a hierarchical tree overview, or a link to their manager or business unit they belong to. Additionally there is usually some room left for location and personal information.
The organization chart might be also used as input to mark the right people in overviews, like all employees related to IS security. Great for disaster recovery plans and making sure the people on the list are still working for the company.
To account all budgeting requests a proper budget sheet might be very useful. It should include the security programs, projects and operational security costs. Tooling and other costs might be included, depending on who owns the budget.
Business Continuity plan & Disaster Recovery Plan
The BCP is part of Business Continuity Management and enlists the efforts to keep the organization running and limit the risks for serious disruption. Additionally an up-to-date DR plan should be available, in case a disaster strikes the company.
Risk and Compliancy
Compliancy mapping overview
Companies dealing with several regulations like SOx, HIPAA or GLBA usually have a matrix of compliancy requirements available. Additionally this matrix might be extended with a clear mapping related to your ISMS (Information Security Management System) and the related controls. Within the ISMS itself, a document matrix is another great addition to list all available documents and their status. This way the CISO and other individuals can quickly find the right documentation and maintain it properly.
Depending on your organization, there should be at least a basic enterprise risk register available. This overview contains the data of the risk management programs within the company.
Programs, Projects, Architecture
The project overview is a basic list of the available projects and their status, including the approval status and the owner of each project. This list is great input for the CISO to determine what is going on in the company and where security efforts might have the biggest impact.
Architecture road map
To support the architects in their endeavors, having access to their road map is very useful. This way expenses can be budgeted in time and the CISO can assist where needed.
Documents might include network zoning, Identity & Access Management (IAM) and preferred stance on how to store or handle data (e.g. using cloud services).
Reports might include control testing reports, vulnerability reporting, management reporting and auditing results. Depending on the organization several levels of reporting might be available, with more (or less) details.
Management dashboards, including security dashboards are useful to get a quick overview about the status of the security efforts.
Most companies have different kind of templates available, depending on the needs. For the CISO the most important documents are: business case template, budget templates and business impact template.
Policies and procedures
These documents are a very useful tool for the CISO to define preferred behavior and improve quality. Since these documents are also the basis for educating the employees within the organization, these documents should be up-to-date.
Do you use other useful tools within your organization? Let us know in the comments!