Organizational Roles and Responsibilities

Security role
- Part an individual plays in the overall scheme of security implementation and administration within an organization

Security Roles

Senior Manager
- Assigned to the person who is ultimately responsible for the security maintained by an organization
- Most concerned about the protection of its assets
- Must sign off on all policy issues
- They will be the ones held liable for the overall success or failure of a security solution
- Responsible for exercising due care and due diligence in establishing security for an organization
- They rarely implement security solutions
Security Professional
- Assigned to a trained and experienced network, systems and security engineer
- Responsible for following the directives mandated by senior management
- Functional responsibility for security, this includes writing and implementing the security policy
- They do not make decisions, that is the job of the senior manager
Data Owner
- Assigned to the person who is responsible for classifying information for placement and protection within the security solution
- Often a high-level manager who is ultimately responsible for data protection
Data Custodian
- Assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management
- Performs all activities needed to provide adequate protection for the CIA triad
  - Performing and testing backups
  - Validating data integrity
  - Deploying security solutions
  - Managing data storage based on classification
User
- Any person who has access to the secure system
- Access is limited so they only have enough access to perform the tasks necessary for their job position (PoLP)
- Responsible for understanding and upholding the security policy of an organization
Auditor
- Responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate
- Produces compliance and effectiveness reports that are reviewed by the senior manager

PreviousPreventing and Responding to Incidents NextOrganizational Processes

Last updated 1 year ago

Security Roles

Senior Manager

Assigned to the person who is ultimately responsible for the security maintained by an organization
Most concerned about the protection of its assets
Must sign off on all policy issues
They will be the ones held liable for the overall success or failure of a security solution
Responsible for exercising due care and due diligence in establishing security for an organization
They rarely implement security solutions

Security Professional

Assigned to a trained and experienced network, systems and security engineer
Responsible for following the directives mandated by senior management
Functional responsibility for security, this includes writing and implementing the security policy
They do not make decisions, that is the job of the senior manager

Data Owner

Assigned to the person who is responsible for classifying information for placement and protection within the security solution
Often a high-level manager who is ultimately responsible for data protection

Data Custodian

Assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management
Performs all activities needed to provide adequate protection for the CIA triad
- Performing and testing backups
- Validating data integrity
- Deploying security solutions
- Managing data storage based on classification

User

Any person who has access to the secure system
Access is limited so they only have enough access to perform the tasks necessary for their job position (PoLP)
Responsible for understanding and upholding the security policy of an organization

Auditor

Responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate
Produces compliance and effectiveness reports that are reviewed by the senior manager