Pitfall #4 of 100: Security Program Roles and Responsibilities
The next pitfall from my eBook, 100 Security Program Pitfalls and Prescriptions to Avoid Them, that I’d like to highlight in this blog post is “Pitfall #4 – Security Program Roles and Responsibilities.”
An organization’s security program, and the resulting compliance with control requirements, becomes at risk if everyone thinks, or assumes, that “someone else” owns the implementation or ongoing management of specific security roles and responsibilities. A successful security program is unlikely to be sustained if defined stakeholders are not held accountable for fulfilling their assigned responsibilities.
Your organization needs to ensure that key roles and responsibilities are defined, documented, and assigned to appropriate personnel. This can be done by name, but it is preferable to complete this exercise based on job title, as titles generally change less frequently than the names of personnel filling those positions. Once assignments are made, the assignments should be communicated to each control owner. Security program responsibilities should be acknowledged by all appropriate personnel. The assigned control owners should have the appropriate authority to complete tasks in support of the overall program.
While there are many roles attributed to maintaining a comprehensive security program, arguably two of the most crucial roles are the Board and the Chief Information Security Officer (CISO).
The Board, or an appropriate executive level committee, should provide management with expectations, along with the accountability, for the oversight, coordination, assignment of responsibility, and effectiveness of the security program. Security expertise should be maintained by the Board. If appropriate, the Board should engage external security experts to assist with oversight responsibilities.
The CISO, or similarly titled role, needs to be appointed for your organization. The CISO should be assigned the responsibility and accountability for effectively managing your organization-wide security program. This includes developing, documenting, approving, maintaining, and communicating control requirements within security policies, plans, and procedures. As one person is not likely to be successful by themselves, this role also needs to be assigned the necessary resources, be they personnel, tools, or budget dollars, to support their success.
To learn more about this pitfall, and 99 more, get my eBook: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.