Security Roles, Responsibilities, and Accountabilities
Establish responsibilities and accountabilities for information security roles, and check enforcement.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security Roles, Responsibilities, and Accountabilities at each level of maturity.
- 1 Initial
- Practice
- Rely on the best endeavours of staff.
- Outcome
- The organization behaves on an ad hoc basis: with no documented processes or procedures, staff respond differently depending on their levels of experience and training backgrounds.
- Metric
- # of customer complaints/accolades regarding consistency of security handling.
- 2 Basic
- Practice
- Develop roles for key information security activities and start to assign accountabilities.
- Outcome
- There is increased understanding of information security and its fit with business priorities. There is some ability to set targets for security and measure progress against them.
- Metric
- # of IT function staff with allocated ISM responsibility or accountability
- % of senior management endorsing/communicating ISM
- 3 Intermediate
- Practice
- Develop a detailed set of security roles and responsibilities and assign accountabilities across IT and some business units.
- Outcome
- There is clarity on where responsibility lies and ability to set and monitor security goals and targets against those of individuals, IT, and other business units.
- Metric
- # of IT function staff with clearly defined ISM responsibility or accountability
- % of senior management endorsing/communicating ISM
- 4 Advanced
- Practice
- Review information security roles and assignments to balance business process efficiency and security needs across the organization.
- Outcome
- Security is applied consistently and efficiently across the organization. Non-compliance with assigned responsibilities is addressed in proportion to the severity of each instance.
- Metric
- Evidence of regular review of security roles across the organization, e.g. annually during business planning, budget reviews, or audits.
- 5 Optimized
- Practice
- Review and revise security roles and responsibilities regularly to reflect business changes in the internal and external environment and the life cycle state of information.
- Outcome
- Dynamically adjusted organizational roles and accountabilities manage security appropriately and efficiently across the business ecosystem.
- Metric
- Frequency of regular review of security roles across the business ecosystem.