Information Security Professionals: Roles & Responsibilities

In Software Development Industry, Information security is best initiated from the top down. Security Professionals and the Organization It takes a wide range of professionals to support a diverse information security program. These article describes the typical information security responsibilities of various professional roles in an organization.

The senior technology officer is typically the Chief Information Officer (CIO), although other positions like vice president of information, VP of information technology, and VP of systems may be used. The CIO is mainly responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization. The CIO transcribes the strategic plans of the organization as a whole into strategic information strategy for the information systems or data processing division of the organization. Once this is accomplished, CIOs work with junior managers to develop tactical and operational plans for the different department and to enable planning and management of the systems that support the organization.

The Chief Information Security Officer (CISO) has primary responsibility for the assessment, management, and implementation of information security in the organization. The CISO may also be referred to as the manager for IT security, the security administrator, or a similar title. The CISO usually reports directly to the CIO, although in larger organizations it is not uncommon for one or more layers of management to exist between the two. However, the recommendations of the CISO to the CIO must be given equal, if not greater, priority than other technology and information-related proposals. The placement of the CISO and supporting security staff in organizational hierarchies is the subject of current debate across the industry.

Information Security Project Team

The information security project team should consist of a number of individuals who are experienced in one or multiple facets of the required technical and nontechnical areas in Software Development Industry. Many of the same skills needed to manage and implement security are also needed to design it. Members of the security project team fill the following roles:

Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.

Team Leader: A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.

Security Policy Developers: People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.

Risk Assessment Specialists: People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.

Security Professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.

Systems Administrators: People with the primary responsibility for administering the systems that house the information used by the organization.

End Users: Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.

Data Responsibilities

The three types of data ownership and their respective responsibilities are outlined below:

1. Data Owners: Those responsible for the security and use of a particular set of information. They are usually members of senior management and could be CIOs. The data owners usually determine the level of data classification (discussed later), as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data.

2. Data Custodians: Working directly with data owners, data custodians are responsible for the storage, maintenance, and protection of the information. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

3. Data Users: End users who work with the information to perform their assigned roles supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

Conclusion: AS Information Security is best initiated from the top down. Senior management is the key component and the vital force for a successful implementation of an information security program. But administrative support is also essential to developing and executing specific security policies and procedures, and technical expertise is of course essential to implementing the details of the information security program.