Roles in Information security management

Roles according to CISSP (p. 23 ff.):

  • Senior Manager: decides on policies, ultimately responsible.
  • Security Professional: writes and implements the policies.
  • Data Owner: classifies information, ultimately responsible for protection of his data.
  • Data Custodian: responsible for implementing the controls.
  • User: has access to the protected information. Responsible for understanding and following the security policy.
  • Auditor: reviews the policy, verifies that it is properly implemented, and that the implemented controls are adequate.

Roles according to source:

Information security functions are generally split across several areas:

  1. Information security management
    • setting direction;
    • setting policy;
    • analysing and advising on the treatment of information security risks;
    • developing or commissioning standards, procedures and guidelines, plus security awareness and training materials;
    • liaising with general management, risk management, HR, legal etc. on information security matters;
    • security incident management;
    • ISMS management and direction;
    • line management for the security function.
    • Staffed with security managers and security officers.
  2. Information security administration/operations
    • user access management (access rights, passwords, joiners/movers/leavers);
    • log analysis;
    • security awareness & training delivery;
    • assisting with incidents and investigations etc.
    • Staffed with security analysts.
  3. Information security architecture & design
    • pushing information security deep into IT application development, IT procurement etc.;
    • providing architectural guidance, policies and standards on various security matters (such as authentication, cryptography and security logs) etc.
    • Staffed with security architects.
  4. Physical/site security
    • often an independent function but with close liaison to information security.
    • Staffed with security guards.
  5. Fraud
    • again, often independent but with liaison, especially for incident investigation and analysis.
    • Staffed with fraud specialists.

This article defines 6 roles and assigns responsibilities to each role:

  • Employee
  • Information Security Officer
  • IT Administrator
  • Top Management
  • Internal auditor
  • Data Protection Officer

This article identifies five typical roles and responsibilities:

  • Security leadership
  • Security risk management
  • Internal audit
  • Control owners
  • All employees

This article identifies somewhat different roles:

  • Information owners;
  • Process owners;
  • Asset owners (e.g. application or infrastructure owners);
  • Risk owners;
  • Information security coordinating functions or persons (this particular role is generally a supporting role within the ISMS);
  • Project managers;
  • Line managers;
  • Information users.