Information Security Office (ISO)

Information Security is Everyone's Responsibility


The Information Security Office (ISO) is dedicated to supporting the Organization's goals by ensuring the confidentiality, integrity, and availability of its information resources. This includes safeguarding data stored on computers, transmitted across networks, and shared in various formats, as well as overseeing the systems and processes used to manage this information. A key aspect of the ISO's mission is to protect these resources, investigate unauthorized access, and promote compliance with security policies while raising awareness among personnel about potential risks.

The Information Security Officer reports to the Director of Administration and has the authority to enforce information security policies and conduct investigations into security incidents. While the ISO's role in investigations is to gather factual findings, decisions regarding administrative actions are made by management. The office maintains strict confidentiality, accessing information only as necessary and sharing it solely with individuals who have a legitimate need to know. This comprehensive approach ensures robust protection of the Organization's information assets.

What is the mission of the Information Security Office?

The mission of the Information Security Office (ISO) is to support the goals of the Organization by providing leadership in assuring the confidentiality, integrity and availability of its information resources. The term "information resources" includes two different components: 1) the information itself, such as data stored on computers, transmitted across networks, printed out or written on paper, sent by fax, stored on storage devices such as tapes, diskettes, hard disks and memory sticks, or spoken in conversations or over the telephone; and 2) the processes, systems and networks that are used to create, collect and disseminate these types of information.

A major part of this mission involves protecting the information resources of the Organization, investigating unauthorized access to information and systems, monitoring compliance with all the procedures and policies with regard to the acceptable and proper use of information resources and raising awareness among all PAHO personnel about existing and potential risks to PAHO's information assets.

Who does the Information Security Officer report to?

The Information Security Officer reports to the Director of Administration.

What is the level of authority of the Information Security Office?

The ISO has the authority to enforce policies and procedures that have been issued on information security issues. The ISO has the responsibility to carry out investigations whenever information security incidents occur. Its role in investigations is limited to findings of fact. Decisions on any administrative or disciplinary action following the completion of an investigation are a management function and are taken by the Human Resources Manager, Director of Administration or Director.

What is the level of confidentiality of the Information Security Office?

The Information Security Office has complete access to information stored in all PAHO computer systems as well as to any other information required during the course of an investigation. It has a duty to protect the confidentiality of information to which it has access or that is brought to its attention, and can only share this information with people who have a legitimate need to know.

Who can use the services of the Information Security Office?

The Information Security Office is accessible to all users of PAHO's information resources.

When should you contact the Information Security Office?

You should contact the Information Security Office to:

  • Ask questions about information security procedures, guidelines or policies;
  • Get guidance on the personal use of information resources;
  • Inquire whether a particular use of a computer resource raises ethical issues;
  • Report information security incidents such as unauthorized use of computers or information, loss of records or data, loss of hardware or software, computer fraud, disclosure or loss of sensitive information (electronic, paper, or other medium), use of PAHO's information resources for commercial purposes, email harassment, etc.;
  • Provide information about possible unauthorized access to staff sensitive data such as health records, family information, social security numbers, passport numbers, etc.;
  • Report concerns about activities taking place in our systems and networks that may place PAHO's reputation at risk, such as copyright infringement of software or downloaded material from the Internet, creating or maintaining unauthorized websites or blogs, loss or compromise of confidential data and tampering with PAHO's or other organizations' websites, computer systems and networks.

How can the Information Security Office be contacted?