1.6 A Organization Structure, Roles & Responsibilities

Information Security Governance

  • Definition and Purpose

    • Information security governance is concerned with aligning security practices with the overall goals and objectives of the organization, as set by corporate (enterprise) governance.

  • Roles and Responsibilities

    • Although security is considered everyone's responsibility within an organization, specific roles focused on security must exist.

    • The comprehension of accountability versus responsibility is crucial for proper governance.

Accountability vs. Responsibility

  • Accountability

    • Definition: If someone is accountable for something, they cannot delegate that accountability to anyone else. They remain answerable for the outcome regardless of circumstances.

    • Example: For organizations that leverage cloud services, the business remains accountable for data protection, even when that data is processed or stored by a third-party cloud provider.

  • Responsibility

    • Definition: Responsibility can be delegated. Therefore, while security remains a collective responsibility, specific individuals or groups may take on responsibilities associated with managing security.

    • Example: Executive management, including the CEO, is accountable for protecting the organization's valuable assets but can and does delegate various responsibilities to others, such as information system security professionals.

Roles Related to Accountability and Responsibility

  • Executive Management

    • The board of directors and CEO are accountable for safeguarding all organizational assets, including data integrity and value.

    • They delegate security responsibilities to relevant professionals but maintain ultimate accountability for security governance.

  • Asset Owners

    • Asset owners bear accountability for the protection of what they own within the organization.

    • Success in security programs is rooted in strong ownership principles, necessitating clear messaging from top management to reinforce this accountability.

  • Custodians and Users

    • Custodians take responsibility for protecting assets under their custody, which do not belong to them.

    • Their responsibilities include maintaining confidentiality, integrity, and availability of the assets while they are in their possession.

Security Management Structure and Trends

  • Historical Context

    • Traditionally, security functions reported to IT departments, often the CIO or CTO.

    • This structure has evolved, as the role of security has expanded beyond mere data protection to encompass protecting a wider range of valuable assets and interests.

  • Current Trends

    • The current trend is for security functions to report directly to the CEO, which strengthens governance and ensures that security is integrated effectively into the organization's objectives.

    • This evolution reflects the recognition that security encompasses compliance, risk management, and the protection of organizational value beyond simple IT considerations.

Implications for Organizations

  • Integration of Security in Governance

    • Security governance must leverage the accountability of senior executives, ensuring that both accountability and responsibility are properly defined and communicated in organizational policy.

  • Compliance Needs

    • Achieving compliance requires direct involvement from security functions, further justifying the need for these teams to report directly to top-level executives.

    • Compliance encompasses understanding and adhering to laws, regulations, and industry standards that govern the organization's operations.