An Introduction To Information Security Roles and Responsibilities
Information security involves securing information assets, financial information, customer data and other sensitive details. To accomplish this, an organization, regardless of its size, needs to clearly define the roles and responsibilities of its security professionals. In larger organizations, this helps ensure that no work is overlooked; in small or less structured organizations, it helps distribute the workload evenly, since staff may need to take on more than one task. In this article, we present an outline of the basic roles and responsibilities involved in information security, with reference to NIST Special Publication 800-12 Revision 1.
1. Risk Executive Function
This role represents an individual or group of members, such as the CEO, board members or CIO within an enterprise, who are responsible for ensuring that risk-related considerations are addressed and that overall strategic goals are stated to meet the business missions and functions.
- Defining a comprehensive strategy to address security risk across the whole enterprise.
- Developing an enterprise risk management strategy.
- Overseeing risk-related activities across the enterprise.
2. Chief Executive Officer
This role represents the highest-level senior executive or official in the enterprise, who holds overall responsibility for providing information security protection commensurate with the risk and impact that may result from unauthorized disclosure, access, destruction or modification.
- Integrating the information security management process with the strategic and operational planning processes.
- Ensuring that the systems and information used to support organizational operations include the appropriate information security safeguards.
- Ensuring that personnel are trained and comply with the associated information security policies, legislation, instructions, directives and guidelines.
3. Chief Information Officer
This role represents the organizational official responsible for designating the senior information security officer; developing and maintaining security policies, procedures and control techniques; supervising personnel with significant security responsibilities and ensuring that they are properly trained; and supporting senior enterprise officials with their security activities.
- Allocating resources for system protections that support the business mission and functions of the organization.
- Ensuring that systems are protected by approved security plans and are authorized to operate.
- Ensuring that there is an enterprise-wide security program and that it is being effectively implemented.
4. Information Owner
This role represents the official in the enterprise who has statutory, management or operational authority over specified information.
- Establishing the rules for the appropriate use and protection of the sensitive information.
- Providing input to system owners on the security controls and requirements needed to adequately protect the sensitive information.
- Creating the policies and procedures governing its generation, collection, processing, dissemination and disposal.
5. Senior Agency Information Security Officer
This role represents the official in the enterprise who serves as the primary liaison between the enterprise chief information officer and the system owners, authorizing officials, system security officers and common control providers. This role can also be referred to as the Chief Information Security Officer.
- Managing and implementing an enterprise-wide information security program.
- Assuming the role of security control assessor when required.
6. Authorizing Official
This role represents a senior executive who has the authority to assume responsibility for operating a system at a given level of risk to enterprise operations and assets.
- Approving security plans and plans of action, and determining whether changes in the system or its operating environment require reauthorization.
- Ensuring that designated representatives carry out their activities and functions related to security authorization.
7. Authorizing Official Designated Representative
This role represents the official who coordinates and conducts the day-to-day activities associated with the security authorization process on behalf of the authorizing official.
- Assuming the responsibilities of the authorizing official.
- Making decisions with respect to planning and resourcing the authorization process, monitoring, and approving the implementation of the action plan.
- Preparing the authorization package and obtaining the authorizing official's signature on the authorization decision documents.
8. Senior Agency Official for Privacy
This role represents the senior official of the organization who has overall accountability and responsibility for ensuring the implementation of privacy protections, including full compliance of the agency with federal privacy laws, policies and regulations.
- Overseeing, facilitating and coordinating the agency's privacy compliance efforts.
- Reviewing the agency's information privacy procedures to ensure that they are comprehensive and current.
- Ensuring that agency employees and contractors receive appropriate education and training on the privacy laws, regulations, policies and procedures governing the agency's handling of information.
9. Common Control Provider
This role represents an individual or group responsible for the development, implementation, assessment and monitoring of common controls.
- Documenting the enterprise-identified common controls in organizational documents such as the security plan.
- Ensuring that the required assessments of the common controls are carried out by qualified assessors designated by the enterprise.
10. System Owner
This role represents the official responsible for the procurement, development, integration, modification, operation, maintenance and disposal of the system.
- Addressing the operational interests of users.
- Ensuring compliance with security requirements.
- Developing the system security plan.
- Ensuring that the system is deployed and operated in accordance with the agreed security controls.
11. System Security Officer
This role represents the officer responsible for ensuring that an appropriate operational security posture is maintained for the system.
- Overseeing the day-to-day security operation of the system.
- Supporting the development of security policies and procedures and ensuring compliance with them.
12. Information Security Architect
This role represents the individual or group responsible for ensuring that the security requirements needed to protect the organization's business mission and processes are adequately addressed in all aspects of enterprise architecture, including segments, reference models and solution models.
- Serving as the liaison between the enterprise architect and the security engineer.
- Coordinating with common control providers, system owners and system security officers on the allocation of security controls as common, hybrid or system-specific controls.
13. System Security Engineer
This role represents the individual or group who is responsible for performing security engineering activities for the systems.
- Designing & developing enterprise systems or enhancing legacy systems.
- Coordinating security-oriented activities with the security architects, system owners, senior agency information security officers, system security officers and common control providers.
14. Security Control Assessor
This role represents the individual or group responsible for conducting a comprehensive assessment of the managerial, operational and technical security controls, and the control enhancements, employed within or inherited by a system, to determine the overall effectiveness of those controls.
- Performing an assessment to identify deficiencies or weaknesses in the system and its operating environment.
- Recommending corrective actions to address identified vulnerabilities.
- Preparing a security assessment report containing the results of the assessment.
15. System Administrator
This role represents the individual or group responsible for setting up and maintaining a system or specific components of a system.
- Installing, configuring & updating hardware & software.
- Establishing & managing user accounts.
- Supervising backup & recovery tasks.
- Implementing technical controls related to security.
16. User
The user is an individual, group or organization that has been granted access to an organization's data in order to perform assigned duties.
- Adhering to the policies that govern acceptable use of systems.
- Using enterprise-provided resources for the designated purposes only.
- Reporting suspicious or anomalous system behaviour.
17. Other Supporting Roles
- Auditors – Responsible for examining systems to determine whether the security controls are appropriate and whether the system satisfies the stated security requirements and enterprise policies.
- Physical Security Staff – Responsible for developing and enforcing the appropriate physical security controls.
- Disaster Recovery Staff – Responsible for contingency planning for the whole organization and for working with other staff to obtain additional contingency-planning support as required.
- Quality Assurance Staff – Responsible for improving program quality by ensuring the integrity, confidentiality and availability of the system.
- Procurement Office Staff – Responsible for ensuring that enterprise procurements have been reviewed by the appropriate officials.
- Training Office Staff – Responsible for ensuring an effective training program.
- Human Resources – Responsible for security-related exit procedures when employees leave the enterprise, and for working closely with security on issues such as background investigations.
- Risk Management Staff – Responsible for analysing the full range of security risks to which the enterprise may be exposed.
- Physical Plant Staff – Responsible for ensuring the provision of services essential to the security and safe operation of the systems.
The outline above is not a comprehensive list of information security roles and responsibilities, but it covers the basic roles an organization should consider. Organizations can tailor their structure to their own resources and requirements.