Information Security Roles and Responsibilities

Management should define security roles and responsibilities in the organization. This includes not only the roles and responsibilities of dedicated security personnel, but also those of every employee in the organization.

Formally defined

Roles and responsibilities should be formally defined in two places:

Security policy.

General and specific expectations of security staff and other employees should be defined in the organization’s security policy.

Job descriptions.

Individual job descriptions of security staff and other employees should define specific security-related roles and responsibilities.

What needs to be defined?

The roles and responsibilities that need to be defined include:

Ownership of assets.

Individual assets and groups of assets need to have designated owners who are responsible for their operation and protection.

Access to assets.

The owners of assets should be designated as the persons who decide who may access or use those assets. Non-standard access, meaning access outside an asset's normal access rules, should require approval from a higher level of management rather than from the owner alone.

Use of assets.

All employees should be explicitly designated as responsible for their own use of the assets they are given access to.

Managers should be designated as responsible for the behavior of the employees under their control.

Published on Sun 02 March 2014 by Derek Packard in Security with tag(s): roles responsibilities