Who owns the main responsibility of implementing the technological and security measures?
If you noticed your neighbor's house was on fire, you would call the fire department. You would want to help the neighbor and also ensure that the fire doesn't spread to other homes. It takes a lot of people to protect your neighborhood, and everyone in the neighborhood has some responsibility to ensure everyone's safety.
Information has a life of its own. It travels by many different methods: it is collected on paper forms, through Web sites and over the phone. It is processed by people and used in business transactions, such as transferring money or mailing bank statements. It resides on desktops, laptops and servers. No single person is responsible for the security of the information; it is the responsibility of the whole organization to ensure its privacy and accuracy. Those responsible for securing information include:

Managers, data custodians and system owners
These groups collaborate with business partners, technologists, employees and users to ensure that policies, procedures and best practices are implemented. They are aware of the risks of managing the information and of how it is processed, and they identify resources for addressing those risks. They may lead efforts to:
Business partners
Business partners are responsible for processing the information. They collaborate with technologists to implement systems that digitally collect, store and transfer the information, and they work internally and externally to build and maintain information systems. Business partners may work with:
Employees
Employees are responsible for following the policies and procedures for managing the information in a secure manner. Examples include, but are not limited to:
Technologists
Technologists develop, implement and maintain the information systems by setting up servers, developing code, administering applications, maintaining networks and building security controls and procedures. They implement the controls and processes that protect the information. Their job functions include:
Vendors
Business partners often rely on vendors to implement services in a cost-effective manner. In contractual agreements, system owners and business partners should specify how the vendor must manage the information. Contractual agreements should include:
System users
System users are responsible for understanding the policies and procedures that apply to them. Unlike employees, they might not work for the system owner (for example, applicants to UW use our system but are not employees). They should also be aware of how to protect their identity information. System users will benefit from an understanding of:
Information Owners
Information Custodians
Chief Information Officer (Corporate)
The CIO develops, proposes and maintains corporate-wide IM/IT policy, procedures and standards, and evaluates compliance. Areas associated with this authority include data access, electronic identity management, records management, asset inventory management, information management, information technology, privacy, security applications, and the systems of the organization. Governance and Policy:
Security:
Chief Information Officer (Local)
Security:
Also:
Chief Information Security Officer (CISO)
Information Security Officer
Executive / Director / Manager / Supervisor
Employee
Contractors
Vendors
From security controls in supplier agreements concerning supply chain security:
Who is responsible for implementing information security policy?
Chief Information Security Officer: the official responsible for directing implementation of the enterprise information security program. The Chief Information Security Officer will coordinate the development and maintenance of information security policies and standards.
Who is responsible for the development of the security plan?
Key roles and responsibilities: the primary responsibility for the system security plan (SSP) rests with the system owner, but developing an SSP is not a one-person job, and delivering a complete SSP typically requires input and active participation from many different sources and individuals.
Who has a role in the responsibility for IT security in an organization?
The CISO (or CIO) should be the one to put together the strategy, programs, policies and procedures to protect the organization's digital assets, from information to infrastructure and more.
What is the most important responsibility of the IT security person?
At a mile-high level, cybersecurity professionals are responsible for protecting IT infrastructure, edge devices, networks and data. More granularly, they are responsible for preventing data breaches and for monitoring and reacting to attacks.