IVI Framework Viewer

Roles, Responsibilities, and Accountabilities

A4

Identify the roles required for information security management tasks, and assign employees with the requisite knowledge and experience to those roles. Define the associated responsibilities and assign these to employees who will be accountable for ensuring that information security management objectives are met.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Roles, Responsibilities, and Accountabilities at each level of maturity.

2 Basic
  • Practice
    Define basic information security roles and start to assign responsibilities and accountabilities across discrete teams.
    Outcome
    There is growing understanding of information security, and some ability to set targets for security and measure progress against them.
    Metrics
    • # of roles defined.
    • % of IT function employees with allocated responsibilities and accountabilities.
    • % of business unit employees with allocated responsibilities and accountabilities.
3 Intermediate
  • Practice
    Formalize and document the organization's information security roles and assign responsibilities and accountabilities to a group of competent individuals.
    Outcome
    There is increased clarity on where responsibility and accountability lie, and security goals and targets can be set and monitored for individuals and for the various business units.
    Metrics
    • # of roles defined.
    • % of IT function employees with allocated responsibilities and accountabilities.
    • % of business unit employees with allocated responsibilities and accountabilities.
4 Advanced
  • Practice
    Assign responsibilities and accountabilities to dedicated individuals across the entire organization.
    Outcomes
    • Organization-wide clarity on responsibilities and accountabilities ensures that security is applied consistently and effectively across the organization.
    • Failures to meet assigned responsibilities are addressed in proportion to the severity of each non-compliance.
    Metrics
    • % of IT function employees with allocated responsibilities and accountabilities.
    • % of business unit employees with allocated responsibilities and accountabilities.
5 Optimized
  • Practice
    Continually review and refine information security roles as appropriate, and determine the requisite responsibilities and accountabilities that key business ecosystem partners need to fulfil.
    Outcome
    Dynamically adjusting roles, responsibilities, and accountabilities enables security to be managed consistently and effectively across the business ecosystem.
    Metrics
    • Frequency of review of security roles.
    • % of IT function employees with allocated responsibilities and accountabilities.
    • % of business unit employees with allocated responsibilities and accountabilities.
    • % of business ecosystem partners with allocated responsibilities and accountabilities.