CISSP: Security Roles & Responsibilities

In the realm of cyber security, clearly defined roles and responsibilities reduce the risk of tasks being missed and increase accountability for their completion.

Summary of Roles

Security RoleDescription
Mission/Business OwnerMission Owners (AKA Business Owners) are responsible for ensuring that security activities and implementations provide a balance of benefit vs cost, they are also concerned with profitability of the business.
System Owner (Data System)The System Owner role specifically applies to data or a system that may contain data (e.g. a database server). This is often the same person as the data owner. Multiple system owners are not uncommon, for example in an e-commerce store the IT Manager might the System Owner for firewalls and hypervisors while a development manager is the System Owner for the web application server.
Senior ManagerUltimately responsible (and held accountable/liable) for security and must approve all policy and activities.
Security ProfessionalNormally a technical engineer or team of engineers. They will draft security policies and once approved by the senior manager, are responsible for implementing them.
Data OwnerResponsible for classifying data (a critical activity with wide ranging effects including who can access it, back up procedures, data sanitising actions, etc.)
Data CustiodianThe maintainer of the data in terms of ensuring protected (confidential), appropriately controlled (integrity) and backed up (available).
UserWhile users must agree to abide by security policies and procedures, they are primarily consumers/creators of data.
AuditorAuditors assess and report on the effectiveness and implementation of security policies, reporting to the Senior Manager so that any remediation or improvements can be build in to the security policy and implemented.

Chief Information Security Officer


When planning security projects or activities, planning types are categorised as follows:

Strategic Planning

Duration: 3 to 5 Years
Strategic planning is for the long term view of the direction of security and/or large long term project.

Tactical Planing

Operational & Project Planning


Bob McKay

About Bob McKay

Bob is a Founder of Seguro Ltd, a full time father and husband, part-time tinkerer-with-wires, coder, Muay Thai practitioner, builder and cook. Big fan of equality, tolerance and co-existence.

Disclosure Policy

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.