Is the CISO responsible for purchasing physical security systems/devices?
I would say follow the business case (justification), and follow the proper purchasing process (purchasing policy).
Like Andres said, it depends on the size and structure of the organization. When it involves IT systems, the CISO should be involved in selecting and purchasing to ensure the system’s IT monitoring software meets the organization’s needs, specifically for access controls and other monitoring capabilities for the buildings and data centers the organization is using.
I don’t think the CISO should be responsible for purchasing. Instead, he should advise his team on the correct security system selection. Before that, the CISO must do a thorough analysis of security systems/devices considering his organization’s requirements & ISMS policies.
No, this lies in the domain of the Chief Security Officer, not the Chief Information Security Officer.
I agree with Andres Andreu. It depends on the company, its size and organization. Fortune 100 companies may likely have different company and organizational responsibilities that are not all rolled up under a single CISO.
The CISO should be in a position to understand physical security gaps, and identify solutions and tools to plug those holes - but they shouldn’t be on Amazon swiping their cards!