reports to the Chief Information Officer (CIO), leads the information security team, and has primary responsibility for implementation of the IT security program Key elements of this plan include risk management, vulnerability management, data ownership, security documentation and policies, security training, and incident response The ISO and the information security team advise and instruct other functional teams on infosec concerns related to areas such as change control (change management), software design, network architecture, and other areas where technical controls related to information security are implemented