Roles, Responsibilities, and Accountabilities
Identify the roles required for information security management tasks, and assign employees with the requisite knowledge and experience to those roles. Define the associated responsibilities and assign these to employees who will be accountable for ensuring that information security management objectives are met.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Roles, Responsibilities, and Accountabilities at each level of maturity.
- 2 Basic
  - Practice
    - Define basic information security roles and start to assign responsibilities and accountabilities across discrete teams.
  - Outcome
    - There is growing understanding of information security, and some ability to set targets for security and measure progress against them.
  - Metrics
    - # of roles defined.
    - % of IT function employees with allocated responsibilities and accountabilities.
    - % of business unit employees with allocated responsibilities and accountabilities.
- 3 Intermediate
  - Practice
    - Formalize and document the organization's information security roles and assign responsibilities and accountabilities to a group of competent individuals.
  - Outcome
    - There is increased clarity on where responsibility and accountability lie, and there is the ability to set and monitor security goals and targets against those of individuals and various business units.
  - Metrics
    - # of roles defined.
    - % of IT function employees with allocated responsibilities and accountabilities.
    - % of business unit employees with allocated responsibilities and accountabilities.
- 4 Advanced
  - Practice
    - Assign responsibilities and accountabilities to dedicated individuals across the entire organization.
  - Outcomes
    - Organization-wide clarity on responsibilities and accountabilities ensures that security is applied consistently and effectively across the organization.
    - Non-compliance with assigned responsibilities is addressed in proportion to the severity of each non-compliance instance.
  - Metrics
    - % of IT function employees with allocated responsibilities and accountabilities.
    - % of business unit employees with allocated responsibilities and accountabilities.
- 5 Optimized
  - Practice
    - Continually review and refine information security roles as appropriate, and determine the requisite responsibilities and accountabilities that key business ecosystem partners need to fulfil.
  - Outcome
    - Dynamically adjusting roles, responsibilities, and accountabilities enables security to be managed consistently and effectively across the business ecosystem.
  - Metrics
    - Frequency of review of security roles.
    - % of IT function employees with allocated responsibilities and accountabilities.
    - % of business unit employees with allocated responsibilities and accountabilities.
    - % of business ecosystem partners with allocated responsibilities and accountabilities.