Clearly defined and assigned roles and responsibilities enable an organization to work efficiently by designating who is responsible, accountable, consulted and informed (RACI) at each stage of the information security and risk management lifecycle.

Because organizations customize job titles and roles (e.g., one individual may perform the tasks of several roles), some of the descriptions below may differ from your organization’s naming conventions.

The roles below highlight the key resources involved in an organization’s Information Security and Risk Management process.

Chief Executive Officer (CEO)

The Chief Executive Officer is the highest-level C-Suite executive in an organization. The CEO is responsible for ensuring that Information Technology and Security controls are implemented in proportion to the organization’s risk exposure (the likelihood and impact of the risks it faces), and that information security controls and processes are implemented in line with the business strategy and operations.

A CEO’s responsibilities include, but are not limited to:

The CEO establishes the organizational commitment and the actions required to effectively manage security and privacy risk and to protect the missions and business functions carried out by the organization, while the rest of the C-Suite establishes a level of due diligence within the organization that promotes a climate for mission and business success.


Chief Information Officer (CIO)

The Chief Information Officer is responsible for developing and maintaining security policies, guidelines, and procedures that address all of the organization’s information technology requirements.

A CIO’s responsibilities include, but are not limited to:

The Chief Information Officer, with the support of the Chief Risk Officer and the Chief Information Security Officer, works closely with authorizing officials and their designated representatives to ensure that:


Chief Information Security Officer (CISO)

The Chief Information Security Officer is responsible for managing and implementing an organization-wide information security program and may also act as a security assessor for implemented security controls. Where the CISO takes on the assessor role, the organization should preserve assessor independence so that controls are not assessed by the same people who implemented and operate them.

A CISO’s responsibilities include, but are not limited to:


Chief Risk Officer (CRO)

The Chief Risk Officer is the individual within an organization responsible for overseeing risk management and for ensuring that:

A CRO’s responsibilities include, but are not limited to:


Data Privacy Officer (DPO)

The Data Privacy Officer is responsible for maintaining a comprehensive privacy program that ensures compliance with applicable privacy laws and requirements (e.g., GDPR, HIPAA), for developing and evaluating privacy policy, and for managing privacy risks that may arise from information security measures themselves (for example, security monitoring or logging that collects personal data).

A DPO’s responsibilities include, but are not limited to:


Information Security Architect

The Information Security Architect is an individual or group responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution models, and the resulting systems supporting those missions and business processes.

An Information Security Architect’s responsibilities include, but are not limited to:


Information Security Control Assessor

An Information Security Control Assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls and control enhancements employed within or inherited by a system, in order to determine the overall effectiveness of those controls (i.e., the extent to which they are implemented correctly, operating as intended, and producing the desired outcome with respect to the security requirements for the system).

An Information Security Control Assessor’s responsibilities include, but are not limited to:


Information Owner

The Information Owner is an organizational official with statutory, management, or operational authority over a specific type of information and is responsible for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal.

An Information Owner’s responsibilities include, but are not limited to:


System Administrator

A System Administrator is an individual, group, or organization responsible for installing, configuring, and maintaining a system or specific components of a system.

A System Administrator’s responsibilities include, but are not limited to:


Auditor

Auditors are responsible for regularly examining systems, people, policies and processes to verify whether they continue to meet the organization’s approved security requirements and whether the security controls in place are appropriate. Informal audits (self-assessments) may be performed by those operating the system under review; formal audits are performed by internal or external auditors who are independent of the system’s operation.

An Auditor’s responsibilities include, but are not limited to:


User

A User is an individual, group, or organization granted access to organizational information and systems in order to perform their assigned duties.

A User’s responsibilities include, but are not limited to:

