IVI Framework Viewer

Security Roles, Responsibilities, and Accountabilities

A3

Establish responsibilities and accountabilities for information security roles, and check enforcement.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Security Roles, Responsibilities, and Accountabilities at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of staff.
    Outcome
    The organization behaves on an ad hoc basis: with no documented processes or procedures, staff respond differently according to their own experience and training backgrounds.
    Metric
    # of customer complaints or accolades concerning the consistency of security handling.
2 Basic
  • Practice
    Develop roles for key information security activities and start to assign accountabilities.
    Outcome
    There is increased understanding of information security and its fit with business priorities. There is some ability to set targets for security and measure progress against them.
    Metric
    # of IT function staff with allocated ISM (information security management) responsibility or accountability.
    % of senior management endorsing/communicating ISM.
3 Intermediate
  • Practice
    Develop a detailed set of security roles and responsibilities and assign accountabilities across IT and some business units.
    Outcome
    There is clarity on where responsibility lies, and the ability to set and monitor security goals and targets for individuals, IT, and other business units.
    Metric
    # of IT function staff with clearly defined ISM responsibility or accountability.
    % of senior management endorsing/communicating ISM.
4 Advanced
  • Practice
    Review information security roles and assignments to balance business process efficiency and security needs across the organization.
    Outcome
    Security is applied consistently and efficiently across the organization. Non-compliance with assigned responsibilities is addressed in proportion to the severity of each instance.
    Metric
    Evidence of regular review of security roles across the organization, e.g. annually during business planning, budget reviews, or audits.
5 Optimized
  • Practice
    Review and revise security roles and responsibilities regularly to reflect changes in the internal and external business environment and in the life-cycle state of the information being protected.
    Outcome
    Organizational roles and accountabilities are adjusted dynamically, so that security is managed appropriately and efficiently across the business ecosystem.
    Metric
    Frequency of review of security roles across the business ecosystem, and evidence that reviews result in revised role assignments.