Clearly defined and assigned roles and responsibilities enable an organization to work efficiently by designating who is responsible, accountable, consulted, and informed (RACI) at each stage of the information security and risk management lifecycle.
Because organizations customize job titles and roles (for example, one individual may perform the tasks of several roles), some of the descriptions below may differ from your organization's role naming conventions.
The roles below highlight the key resources involved in an organization's information security and risk management process.
Chief Executive Officer (CEO)
The Chief Executive Officer is the highest-level C-suite executive in an organization. The CEO is responsible for ensuring that information technology and security controls are implemented commensurate with the likelihood and impact of the risks the organization faces, and that the implementation of information security controls and processes is aligned with the business strategy and operations.
A CEO’s responsibilities include, but are not limited to:
- Ensuring that senior officials within the organization provide information security for the information and systems supporting the operations and assets under their control.
- Ensuring that information security and privacy management processes are integrated with strategic and operational planning processes.
- Ensuring that personnel are adequately trained to comply with the security and privacy requirements in legislation, executive orders, policies, directives, instructions, standards, and guidelines.
The CEO establishes the organizational commitment and the actions required to effectively manage security and privacy risk and to protect the missions and business functions carried out by the organization. The rest of the C-suite establishes a level of due diligence within the organization that promotes a climate for mission and business success.
Chief Information Officer (CIO)
The Chief Information Officer is responsible for developing and maintaining security policies, guidelines, and procedures that address all of the organization's information technology requirements.
A CIO’s responsibilities include, but are not limited to:
- Overseeing personnel for information security responsibilities and ensuring that personnel are adequately trained.
- Ensuring the effective implementation of the organization’s information technology and security program.
- Reporting on the overall effectiveness of the organization’s information security programs.
The Chief Information Officer, with the support of the Chief Risk Officer and the Chief Information Security Officer, works closely with authorizing officials and their designated representatives to ensure that:
- An organization-wide security program is effectively implemented resulting in adequate security for all organizational systems and environments of operation.
- Security and privacy (including supply chain) risk management considerations are integrated into programming/planning/budgeting cycles, enterprise architectures, the SDLC, and acquisitions.
- Organizational systems and common controls are covered by approved system security plans and possess current authorizations.
- Security activities required across the organization are accomplished in an efficient, cost-effective, and timely manner.
- There is centralized reporting of security activities.
Chief Information Security Officer (CISO)
The Chief Information Security Officer is responsible for managing and implementing an organization-wide information security program and may also act as an assessor of implemented security controls, subject to the assessor independence requirements of the organization's authorization process.
A CISO’s responsibilities include, but are not limited to:
- Establish, implement, and maintain the organization’s continuous security monitoring program
- Identify, document, and publish organization-wide common controls
- Assign responsibility for common controls to individuals or organizations
- Acquire/develop and maintain automated tools to support security authorization and continuous monitoring
- Develop security configuration guidance for the organization's information technology assets
- Serve as a liaison between authorizing officials and the chief information officer
- Serve as a liaison between the organization’s risk management roles and system level risk management roles
Chief Risk Officer (CRO)
The Chief Risk Officer is an individual within an organization responsible for overseeing and ensuring that:
- Risk-related considerations for individual systems are viewed from an organization-wide perspective, taking into consideration the overall strategic goals of the organization in carrying out its core missions and business functions, and
- The management of system-related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other types of risks in order to ensure mission/business success.
A CRO’s responsibilities include, but are not limited to:
- Develop and implement an organization-wide risk management strategy that provides a strategic view of security risks for the organization and informs organizational risk decisions (including how risk is framed, assessed, responded to, and monitored over time)
- Provide a comprehensive, organization-wide, holistic approach for addressing risk—an approach that provides a greater understanding of the integrated operations of the organization
- Establish organization-wide forums to consider all types and sources of risk (including aggregated risk)
- Provide oversight of the risk management activities carried out across the organization to help ensure consistent and effective risk-based decisions
- Develop a broad-based understanding of risk from the strategic view of the organization and its integrated operations
Data Privacy Officer (DPO)
The Data Privacy Officer is responsible for maintaining a comprehensive privacy program that ensures compliance with applicable privacy laws and requirements (GDPR, HIPAA, etc.), develops and evaluates privacy policy, and manages privacy risks that may arise from information security measures.
A DPO's responsibilities include, but are not limited to:
- Identify all stages of the information life cycle.
- Assign individuals to specific roles associated with privacy risk management and ensure no conflict of interest in privacy risk management roles.
- Assess ongoing, organization-wide privacy risk.
- Identify, document, and publish organization-wide common privacy controls.
- Ensure compliance with applicable privacy requirements and manage privacy risk.
- Coordinate with the CISO on privacy and information security activities.
- Identify assessment methodologies and metrics to determine whether privacy controls are implemented correctly, operating as intended, and sufficient to ensure compliance with applicable privacy requirements and manage privacy risks.
- Conduct assessments of privacy controls and document the results, or delegate assessment functions, consistent with applicable policies.
- Establish and maintain a privacy continuous monitoring program to ensure compliance with privacy requirements and manage privacy risks.
Information Security Architect
The Information Security Architect is an individual or group responsible for ensuring that the information security requirements necessary to protect the organization's core missions and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting systems supporting those missions and business processes.
An Information Security Architect’s responsibilities include, but are not limited to:
- Implement an enterprise architecture strategy that facilitates effective security and privacy solutions
- Assist in reducing complexity within the IT infrastructure to facilitate security
- Assist with determining appropriate control implementations and initial configuration baselines as they relate to the enterprise architecture
- Assist with integration of the organizational risk management strategy and system-level security and privacy requirements into program, planning, and budgeting activities, the SDLC, acquisition processes, security and privacy (including supply chain) risk management, and systems engineering processes.
Information Security Control Assessor
An Information Security Control Assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the managerial, operational, and technical security controls and control enhancements employed within or inherited by a system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system).
An Information Security Control Assessor’s responsibilities include, but are not limited to:
- Providing an assessment to identify weaknesses or deficiencies in the system and its environment of operation;
- Recommending corrective actions to address identified vulnerabilities; and
- Preparing a security assessment report containing the results and findings from the assessment.
Information Owner
The Information Owner is an organizational official with statutory, management, or operational authority over a specific type of information and is responsible for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal.
An Information Owner’s responsibilities include, but are not limited to:
- Identify the types of information to be processed, stored, and transmitted by the system.
- Establish the rules for the appropriate use and protection of the specific information.
- Implement and verify controls to ensure the confidentiality, integrity and availability of the information system.
- Determine the suitability of common controls for use in the system.
- Review the controls periodically and, when necessary, update the control selections.
- Ensure the system is protected from unauthorized disclosure, modification or deletion.
- Document control implementation to allow for traceability of decisions prior to and after deployment of the system.
System Administrator
A System Administrator is an individual, group, or organization responsible for setting up and maintaining a system or specific components of a system.
A System Administrator’s responsibilities include, but are not limited to:
- Installing, configuring, and updating hardware and software;
- Establishing and managing user accounts;
- Overseeing backup and recovery tasks; and
- Implementing technical security controls.
Auditor
Auditors are responsible for regularly examining systems, people, policies, and processes to verify whether they continue to meet the organization's approved security requirements and whether the security controls remain appropriate. Informal audits can be performed by those operating the system under review; formal audits are performed by internal or external auditors.
An Auditor’s responsibilities include, but are not limited to:
- Becoming familiar with the organization's technology, security solutions, and policies in order to review them properly;
- Reviewing the effectiveness of the process for designing and developing internal controls;
- Identifying risks, estimating their severity, and developing audit tests to substantiate the impact of those risks on the organization's assets;
- Conducting vulnerability assessments to determine the vulnerabilities present and the severity of the resulting risks;
- Reviewing inadequacies in management's system of internal controls; and
- Following up on audit findings and recommendations to ascertain that a resolution has been achieved.
User
A User is an individual, group, or organization granted access to organizational information in order to perform their assigned duties.
A User’s responsibilities include, but are not limited to:
- Adhering to policies that govern acceptable use of organizational systems;
- Using the organization-provided IT resources for defined purposes only;
- Reporting anomalies or suspicious system behavior; and
- Submitting and justifying system change requests to the information owner/system owner or through the organization’s formal configuration management process.
References:
- NIST Special Publication (SP) 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- NIST Special Publication (SP) 800-12 Rev. 1, An Introduction to Information Security
- NIST Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View