How should a company's security program define roles and responsibilities?

Our company has an increased awareness of computer security. The problem, however, is that the physical security, legal, and IT security departments all want to be the decision-makers. How does a company define roles and responsibilities for these areas when all of these departments have a stake in our security program?

This is a common issue that many organizations are running into today. Security is practiced in different silos, which prevents standardization or a real understanding of what the company's risk level is. To address the issue, a CISO or CSO position must be created, and that officer should be responsible for security in all of these areas. He/she has to set up processes, communication structures and reports. Someone in such a position can follow this security program implementation approach:

  • Plan and organize
    • Establish management commitment
    • Create oversight steering committee
    • Assess business drivers
    • Carry out a threat profile on the organization
    • Perform a risk assessment
    • Develop security architectures at an organization, application, network and component level
    • Identify solutions per architecture level
    • Obtain management approval to move forward
  • Implement
    • Assign roles and responsibilities
    • Develop and implement security policies, procedures, standards, baselines and guidelines
    • Identify sensitive data at rest and in transit
    • Implement the following programs:
      • Asset identification and management
      • Risk management
      • Vulnerability management
      • Compliance
      • Identity management and access control
      • Change control
      • Software development life cycle
      • Business continuity planning
      • Security awareness training
      • Physical security
      • Incident response
    • Implement solutions (administrative, technical, physical) per program
    • Develop auditing and monitoring solutions per program
    • Establish goals, service level agreements, and metrics per program
  • Operate and maintain
    • Follow procedures to ensure that all baselines are met in each implemented program
    • Carry out internal and external audits
    • Carry out tasks outlined per program
    • Manage service level agreements per program
  • Monitor and evaluate
    • Review logs, audit results, collected metric values and SLAs per program
    • Assess goal accomplishments per program
    • Carry out quarterly meetings with steering committee
    • Develop improvement steps and integrate into the "Plan and organize" phase

Your management needs to understand that one person has to be coordinating security within the organization and serving as the liaison between management and the rest of the company. The chief security officer (or chief information security officer) needs to then understand the risks that the company faces and reduce these risks to an acceptable level. This officer is responsible for understanding the organization's business drivers and should be creating and maintaining a security program that facilitates these drivers while providing compliance with a long list of regulations and laws.

Additionally, the security business leader must balance security requirements with business needs and ensure that business is not disrupted in any way due to security issues. This extends beyond IT and reaches into business processes, legal concerns, operational issues, revenue generation, reputation protection and risk management -- all of this needs to be done in a cost-effective manner, too!

It is also helpful for an organization to set up a security steering committee, which provides a more holistic approach to security and allows the current owners of security to work as a team. Such a committee is responsible for making decisions on tactical and strategic security issues within the enterprise and should not be tied to any particular business unit. The group should view the impact of security decisions on individual departments and then the organization as a whole. The CEO should head the steering committee, and the CFO, CIO, department managers and chief internal auditor should all be members of this group.

This committee should meet at least quarterly and have a well-defined agenda. Some of this group's responsibilities are listed below:

  • Define the acceptable risk level for the organization
  • Develop security objectives and strategies
  • Determine priorities of security initiatives based on business needs
  • Review risk assessment and auditing reports
  • Monitor business impact of security risks
  • Review major data security breaches and incidents
  • Approve any major change to the security policy and program

Overall, it's important for an organization's management to adhere to this outline, so that the right people are charged with the right security responsibilities.

This was first published in February 2009