Define roles and responsibilities

Establishing roles and responsibilities early is essential to a smooth planning process for the organization. Future policies and procedures assign specific information security functions to these roles, so they must be defined before those documents are written.

Examples of roles and responsibilities you can define in your information security program plan:

  • Executive management: Executive managers are senior business managers who own the IT security risk for the organization and are responsible for overseeing information security for their respective areas of responsibility and ensuring compliance with all information security policies. Such responsibilities include, but are not limited to:
    • Ensure that the funding required to provide adequate information security management for the information systems under their control is secured
    • Ensure that information security policies are adhered to within their respective area of responsibility
    • Ensure that the data owner properly classifies data and has established the information security requirements needed to protect it
    • Ensure that adequate training is budgeted for and provided to teams maintaining information systems
  • Chief information security officer: The chief information security officer is responsible for operating and maintaining the enterprise-wide information security program, including:
    • Develops, documents, and disseminates organization-wide information security policies
    • Owns the information security risk management program
    • Establishes the information security training and awareness program
    • Provides guidance on how to implement enterprise information security policies
    • Manages the information security compliance programs
    • Establishes information security technical requirements, standards, and procedures
    • Authorizes exceptions to the information security policy
  • Data owner: Data owners are responsible for ensuring that data under their responsibility is maintained in accordance with applicable organizational policies and governmental rules, laws, and regulations. Such responsibilities include, but are not limited to:
    • Identifies and classifies data under their control
    • Establishes the technical information security requirements that the system owner must implement to protect the data
    • Establishes rules for data labeling:
      • Sensitive data
      • Confidential data
    • Establishes rules for how data should be accessed
    • Establishes rules for proper sanitization and disposal of data when the information system is decommissioned
  • System owner: System owners are responsible for ensuring that information systems meet the requirements of the data owner in addition to applicable organizational policies and governmental rules, laws, and regulations. Such responsibilities include, but are not limited to:
    • Responsible for the successful operation of the information system
    • Responsible for the implementation of information security controls as prescribed by the information security program and the data owner
    • Responsible for notifying the information security program and the data owner of any change that may alter the information security risk of the information system
    • Ensure that audit and logging mechanisms exist and that they are reviewed and provided to the security operations center
    • Ensure that an asset inventory is maintained for the information system and all of its subcomponents
    • Ensure that data sanitization procedures are followed in accordance with information security and data owner requirements when the information system is decommissioned
  • IT custodian: IT custodians are IT personnel who provide information system support. IT custodians typically work for the system owner and are responsible for carrying out the requirements provided by the system owner, data owner, and information security program. Such responsibilities include, but are not limited to:
    • Executes operation and maintenance procedures on the information system
    • Ensures information security controls are implemented and operating as intended
    • Documents and executes changes to the information system
    • Reviews logs and executes audits for the information system
    • Executes sanitization and disposal procedures when the information system is decommissioned