In the realm of cyber security, clearly defined roles and responsibilities reduce the risk of tasks being missed and increase accountability for their completion.
Summary of Roles
|Mission/Business Owner||Mission Owners (AKA Business Owners) are responsible for ensuring that security activities and implementations provide a balance of benefit vs cost, they are also concerned with profitability of the business.|
|System Owner (Data System)||The System Owner role specifically applies to data or a system that may contain data (e.g. a database server). This is often the same person as the data owner. Multiple system owners are not uncommon, for example in an e-commerce store the IT Manager might the System Owner for firewalls and hypervisors while a development manager is the System Owner for the web application server.|
|Senior Manager||Ultimately responsible (and held accountable/liable) for security and must approve all policy and activities.|
|Security Professional||Normally a technical engineer or team of engineers. They will draft security policies and once approved by the senior manager, are responsible for implementing them.|
|Data Owner||Responsible for classifying data (a critical activity with wide ranging effects including who can access it, back up procedures, data sanitising actions, etc.)|
|Data Custiodian||The maintainer of the data in terms of ensuring protected (confidential), appropriately controlled (integrity) and backed up (available).|
|User||While users must agree to abide by security policies and procedures, they are primarily consumers/creators of data.|
|Auditor||Auditors assess and report on the effectiveness and implementation of security policies, reporting to the Senior Manager so that any remediation or improvements can be build in to the security policy and implemented.|
Chief Information Security Officer
When planning security projects or activities, planning types are categorised as follows:
Duration: 3 to 5 Years
Strategic planning is for the long term view of the direction of security and/or large long term project.
Operational & Project Planning