Who owns the main responsibility of implementing the technological and security measures?

If you noticed your neighbor’s house was on fire, you would call the fire department. You would want to help the neighbor and also ensure that the fire doesn’t spread to other homes. It takes a lot of people to protect your neighborhood. Everyone in the neighborhood has some responsibility to ensure everyone’s safety.

Information has a life of its own. It travels by many different methods; it is collected on paper forms, through Web sites and over the phone. It is processed by people and used in business transactions, such as transferring money or mailing bank statements. Information resides on desktops, laptops and servers.

No single person is responsible for the security of the information. It is the responsibility of the whole to ensure the privacy and accuracy of the information.

Those responsible for securing information include:

Managers, data custodians and system owners

These groups collaborate with business partners, technologists, employees and users to ensure that policies, procedures and best practices are implemented. They are aware of the risks to managing the information and how it is processed. They identify resources for addressing these risks. They may lead efforts to:

  • Classify the information by understanding what information is vital to the organizational mission.
  • Document a security program to ensure that the organization understands the security controls and procedures.
  • Address risks as information systems are implemented, updated and taken off line.

Business partners

Business partners are responsible for processing the information. They collaborate with technologists to implement systems that digitally collect, store and transfer the information. Business partners collaborate internally and externally to build and maintain information systems. Business partners may work with:

  • System owners to classify information and to identify and address risks.
  • Technologists to build requirements that include secure management of information.
  • Employees, system users and vendors to build awareness of how to securely manage information, including how to comply with policies and procedures.

Employees

Employees are responsible for following the policies and procedures for managing the information in a secure manner. Examples include but are not limited to:

  • Shred documents with restricted data such as Social Security numbers, bank and account numbers, and health information. Maintain documents in accordance with the policies and practices of the archives and records management services.
  • Manage/secure workstations by using a strong password or passphrase, using anti-virus software and not storing restricted information on local workstations or mobile devices.
  • Report risks and incidents to system owners.

Technologists

Technologists develop, implement and maintain the information systems by setting up servers, developing code, administering applications, maintaining networks and building security controls and procedures. They implement controls and processes to protect the information. Their job functions include:

  • Implement access controls to enforce least privilege and separation of duties.
  • Establish good practices for managing changes to application code, servers and the network.
  • Protect the network by implementing network controls such as firewalls, intrusion detection/prevention devices and encryption of the information over the network.

Vendors

Business partners often rely on vendors as a solution for implementing services in a cost-effective manner. In contractual agreements, system owners and business partners should identify how the vendor should manage the information. Contractual agreements should include:

  • A statement of organizational policies and procedures that the vendor is responsible for following.
  • A statement that classifies the information.
  • Instructions for securing the information.

System users

System users are responsible for understanding the policies and procedures that apply to them. Unlike employees, they might not work for the system owner (for example, applicants to UW use our system but are not employees). They should also be aware of how to protect their identity information. System users will benefit from an understanding of:

  • The appropriate uses of the system.
  • Terms and usage agreements for the system.
  • If and how their information may be shared with other parties in specific situations.
  • How to create and maintain a strong password.
  • How to identify a trusted web site or email.

Information Owners

  • Information Owners have the responsibility and decision-making authority for information throughout its life cycle, including creating, classifying, restricting, regulating and administering its use or disclosure. This includes responsibility for the physical assets that store, process, or transmit the information they own;
  • Determine business requirements including information security needs;
  • Ensure Security Threat and Risk Assessments are performed regularly to identify and minimize the risks to the information, information systems, and the physical assets;
  • Ensure information, information systems, and the IT assets they use and/or reside on, are protected commensurate with their information classification and value;
  • Define security requirements during the planning stage of any new or significantly changed information system;
  • Determine authorization requirements for access to information and information systems;
  • Approve and regularly review access privileges for each employee or set of employees;
  • Document information exchange agreements;
  • Develop service level agreements for information systems under their custody or control;
  • Implement processes to ensure employees are aware of their security responsibilities;
  • Monitor that employees are fulfilling their security responsibilities;
  • Be involved with security reviews and/or audits; and,
  • Follow the Information Incident Management Process for all suspected or actual information incidents.

Information Custodians

  • Information Custodians maintain or administer information resources on behalf of the Information Owner;
  • Providing and managing security for the information asset and the hardware it resides on, throughout the lifecycle of the information asset and the physical asset;
  • Maintaining, operating, and inventorying the technical infrastructure that information and information systems reside on;
  • Maintaining and operating the security infrastructure protecting information and information systems;
  • Ensuring that the identified security controls are implemented throughout the supply chain;
  • Identifying and minimizing risks to information and information systems by regularly assessing physical infrastructure security control effectiveness and threats to the information, information systems, and the physical IT assets they reside on; and,
  • Following the Information Incident Management Process for all suspected or actual information incidents, including the loss or theft of hardware assets containing information.

Chief Information Officer (Corporate)

The CIO develops, proposes, and maintains corporate-wide IM/IT policy, procedures, and standards, and evaluates compliance. Areas associated with this authority include data access, electronic identity management, records management, asset inventory management, information management, information technology, privacy, security applications, and systems of the organization.

Governance and Policy:

  1. Policies, Procedures, and Standards
    • Proposes corporate IM/IT architecture and related policy, procedures, and standards to protect and manage information assets and physical IT assets;
    • Ensures the privacy and security of the organization through policies, procedures and standards;
    • Ensures information systems are designed to be interoperable, secure, and able to authenticate and authorize appropriate access;
    • Ensures business areas procure information and technology goods and services compatible with the organization infrastructure and IM/IT procurement policies and IT Asset Management Security Standards;
    • Clarifies the interpretation of corporate IM/IT policies, procedures, and standards.
  2. Compliance Monitoring
    • Develops mechanisms and processes to ensure compliance with corporate IM/IT policies, procedures and standards;
    • Proposes corporate IM/IT performance metrics that enable business area compliance;
    • Informs business areas of their responsibilities in complying with corporate IM/IT policies, procedures and standards;
    • Recommends and reviews audits in coordination with other central authorities to ensure compliance with corporate IM/IT policies, procedures and standards;
    • Accesses audit report data to identify information management practices, and information system infrastructure and applications.

Security:

  • Provides the overall strategic direction and policy for securing the organization’s information technology infrastructure and records including electronic information and physical assets;
  • Ensures that measures are established to assess compliance with IM/IT security policies, procedures and standards;
  • Provides strategic direction for information management/information technology (IM/IT) and electronic service delivery, and for the development and maintenance of related corporate IM/IT policies, standards and architectures;
  • Coordinates the investigation and resolution of information incidents; and,
  • Leads investigations into actual or suspected information or information technology incidents.

Chief Information Officer (Local)

  • Governance Authority
    • Maintains accountability for all business and operational IM/IT initiatives;
    • Maintains accountability for IM, budgets, records management, forms management, IT asset inventory management, privacy, security, e-services, business architecture, applications, information management, IM/IT strategic planning and IT;
    • Manages information and technology, and all related support activities;
    • Ensures that the delegated responsibility for information and technology is carried out fully;
    • Develops an IM/IT workforce strategy to support business transformation, information protection, business continuity and succession planning in consultation with HR.
  • Policies and Standards
    • Reinforces IM/IT core policies and standards from a risk management perspective;
  • Compliance Monitoring
    • Ensures compliance with the IM/IT core policies and standards;
  • Advice
    • Ensures that information technology plans address human resource requirements in terms of job design, training and working environment;

Security:

  • Protects information holdings in all physical, electronic, and digital formats commensurate with its value and sensitivity at all stages in the life cycle of the asset to preserve the confidentiality, integrity, availability, intended use and value of all records;
  • Identifies and categorizes information and physical assets based on the degree of risk and potential impact (none, low, medium, high);

Also:

  • Being the single point of contact for information incidents;
  • Being a member of cross-organization IM/IT forums;
  • Ensuring that the Information Incident Management Process is followed for all actual or suspected information incidents;
  • Ensuring information security reviews and audits are supported by business areas;
  • Ensuring asset inventories and inventory reviews are implemented by business areas;
  • Ensuring that the business area risks do not increase corporate risk.

Chief Information Security Officer (CISO)

  • Establishing an Information Security Program to manage and co-ordinate information security activities across the organization;
  • Providing leadership on methodologies and processes for information security;
  • Establishing a cross organization information security forum;
  • Identifying security controls required to enable service delivery and documenting those controls in the Information Security Policy, standards and guidelines;
  • Providing security-related technical architecture advice to planning and development groups;
  • Promoting information security education, training and awareness throughout the organization;
  • Identifying significant threats and exposures associated with the security of information and physical assets;
  • Ensuring the Information Incident Management Process is followed for all suspected or actual information incidents including the loss of physical IT assets;
  • Evaluating information received during and after an information security incident;
  • Implementing performance measurement processes for security controls;
  • Ensuring information security activities are in compliance with the Information Security Policy;
  • Identifying responses to remediate activities that are not in compliance with policies, standards or best practices;
  • Co-ordinating the implementation of information security controls;
  • Recommending appropriate actions in response to identified information security incidents and initiating audits where necessary; and,
  • Building relationships with stakeholder and partner organizations including suppliers and other peers to assist in maintaining the Information Security Program. The Information Security Program provides the security foundation necessary to protect information assets by:
    • Establishing an information security architecture for standard security controls across the organization;
    • Defining organizational roles and responsibilities for information security;
    • Developing and reviewing the Information Security Policy;
    • Monitoring and measuring the implementation of the Information Security Policy; and,
    • Developing and delivering a program to maintain information security awareness.

Information Security Officer

  • Knowing the Information Security Policy requirements and communicating them within their business areas;
  • Assisting business areas to understand and be in compliance with the Information Security Policy;
  • Ensuring that standards/procedures to support day-to-day security activities are documented in compliance with the Information Security Policy;
  • Co-ordinating information security awareness and education activities and resources;
  • Providing up-to-date information on issues related to information security;
  • Facilitating business areas with conducting Security Threat and Risk Assessments;
  • Ensuring that each information system has a current System Security Plan;
  • Providing advice on security requirements for information systems development or enhancements;
  • Co-ordinating information security initiatives with cross-organization information security initiatives;
  • Providing advice on emerging information security standards relating to business area specific lines of business; and,
  • Raising security issues to the cross-organization information security forum.

Executive / Director / Manager / Supervisor

  • Expected to promote information security initiatives within their business areas and support the information security activities of the Information Security Program published by the Chief Information Officer;
  • Ensuring terms and conditions of employment are agreed to by employees prior to employment or provision of services, including signing the Oath of Employment and reading the Appropriate Use Policy and the Standards of Conduct;
  • Knowing and communicating information security policies and standards to employees;
  • Ensuring that employees are informed of their responsibilities regarding information security and privacy;
  • Ensuring that employees receive the necessary training on information security and have opportunities to participate in security awareness activities;
  • Ensuring that employee access to organization information resources is based on need-to-know and least privilege principles;
  • Reviewing employee access rights to information resources:
    • on a regular basis for all employees;
    • whenever there is a new employee;
    • whenever there is a change in employee roles and responsibilities.

Employee

  • All users of the organization’s information and information technology resources must take responsibility for, and accept the duty to, actively protect them;
  • Reading about the appropriate use of corporate information and information technology resources as published in the Appropriate Use Policy;
  • Knowing, understanding, and complying with information security policies and standards;
  • Seeking guidance from their supervisors or Information Security Officers regarding questions on information security policies or other security concerns;
  • Reporting all actual or suspected information incidents immediately using the Information Incident Management Process.

Contractors

  • Contractors must adhere to the information security terms as defined by contract.

Vendors

From security controls in supplier agreements concerning supply chain security:

  • Understand information security requirements that apply to information systems and information technology product or service acquisitions;
  • Required to apply organization security requirements throughout their supply chain if the services are further subcontracted as a whole or in part;
  • Required to apply appropriate security practices throughout the supply chain for products that include components purchased from other suppliers;
  • Implement a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements;
  • Implement a process for identifying product or service components that are critical for maintaining functionality and therefore require increased attention and scrutiny when built outside of the organization especially if the top tier supplier outsources aspects of product or service components to other suppliers;
  • Ensure that critical components and their origin can be traced throughout the supply chain;
  • Ensure that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features;
  • Adhere to the rules for sharing of information regarding the supply chain and any potential issues and compromises among the organization and suppliers;
  • Implement specific processes for managing information and communication technology component life-cycle and availability and associated security risks. This includes managing the risks of components no longer being available due to suppliers no longer being in business or suppliers no longer providing these components due to technology advancements;
  • Software vendors and service providers must provide current data flow and network communication diagrams for critical systems and maintain the diagrams to reflect system changes;
  • Vendors or service providers that provide IT assets for ministry use must maintain an inventory of the devices they provide.

Who is responsible to implement information security policy?

The Chief Information Security Officer is the official responsible for directing implementation of the enterprise information security program. The Chief Information Security Officer will coordinate the development and maintenance of information security policies and standards.

Who is responsible for the development of the security plan?

The primary responsibility for the system security plan (SSP) rests with the system owner, but developing an SSP is not a one-person job; delivering a complete SSP typically requires input and active participation from many different sources and individuals.

Who has a role in the responsibility for IT security in an organization?

The CISO (or CIO) should be the one to put together the strategy, programs, policies, and procedures to protect the organization's digital assets, from information to infrastructure and more.

What is the most important responsibility of the IT security person?

At a mile-high level, cybersecurity professionals are responsible for protecting IT infrastructure, edge devices, networks, and data. More granularly, they are responsible for preventing data breaches and monitoring and reacting to attacks.