In Part One of my blog series aimed at breaking down each section of Online’s security policy, we looked at some general best practices surrounding the development of a security policy. This included answering the question of “why develop a security policy?” and went into detail about developing the scope of content contained within. Now let’s take a look at the roles needed to implement an effective policy.
The intercom at the airport speaks the truth as it periodically repeats the mantra “Security is Everyone’s Responsibility”. If security is everyone’s responsibility then even the best written security policy is nearly worthless if it doesn’t include a section pertaining to roles and responsibilities.
A security policy has to identify WHO is responsible and WHAT they are responsible for. From there, those people can create processes to support the policy, which then improves both adoption of the policy and ultimately the overall security posture of the organization.
While the individuals or groups assigned ownership of the elements of a security program will vary from organization to organization, at a high level the elements themselves are fairly consistent. They include:
- Technical overseer – usually the CTO or Director of IT
- Technical operations (TechOps) – usually the IT operations team, reporting to the technical overseer
- Security – usually CISO, CSO, or Security Director
- Security operations (SecOps) – Security Operations Center
- Information owner – usually business unit leaders
- Human resources
- Users – this means you!
Now let’s break down these roles one by one to gain a better understanding of how they might fit within your organizational structure:
The Technical Overseer is responsible for implementing the technology used to provide reasonable safeguards for the confidentiality, integrity, and availability of company-wide and client information assets. In addition, this individual works closely with the Security Officer to ensure that common goals are met and to understand emerging threats. While this individual is responsible for providing a strategic view, they usually delegate the tactical, day-to-day responsibilities to Technical Operations.
Technical Operations (TechOps) is responsible for carrying out the organization’s technical processes. This typically includes building, maintaining, and documenting systems, networks, and data stores; implementing access controls and provisioning (and deprovisioning) access; and interfacing with the business to ensure that business needs are addressed in a reasonably secure manner. Basically, this is where the rubber hits the road, and it is essential that the TechOps team understands the details of the security policy that apply to them. That is why the second half of Online’s security policy applies only to this group. In small and medium-sized businesses, the TechOps team may also be responsible for Security Operations (“SecOps”), whereas in larger organizations the SecOps team usually reports to the Security Officer.
The Security Officer is responsible for setting the overall strategy and vision of an organization’s InfoSec program. The goal is to ensure that the ‘right’ amount of security control is in place to provide a reasonable level of protection for all digital assets. It is imperative that this person work closely with the business to ensure that both sides understand the value of the assets, the risks and threats to them, and the controls that mitigate those threats. The Security Officer is usually accountable for developing and maintaining the security policy, and often delegates responsibility for particular elements to the applicable groups and individuals. The Security Officer is also usually accountable for security awareness training, incident response, SecOps, and addressing employee and customer security concerns.
SecOps is responsible for the day-to-day management and operation of an organization’s security controls. This includes being the “eyes and ears of the institution” to detect and respond to all pertinent security events and incidents. This role is not limited to ‘office hours’, because security events occur around the clock.
The Information Owner represents the business in determining the value and sensitivity of the data for that particular business unit. Data sensitivity cannot be measured by a security or technical resource alone (though those people can weigh in on applicable laws and regulations); the business must have a true understanding of the data and its sensitivity. Only then can the IT and Security arms of the organization implement controls that provide the reasonable amount of protection for that sensitivity level, including access controls, encryption, and monitoring.
Human Resources (PeopleCare at Online) is responsible for publishing and disseminating security policies, including obtaining employee acknowledgement at the time of hire and whenever else it is deemed necessary. In addition, HR is responsible for vetting potential employees (i.e. background checks) and is usually the ‘group of record’ for requests to provision and deprovision user accounts and assets. Sometimes this team is also responsible for security awareness training, or at least for tracking which employees have completed it.
Each user of a company’s computing and information resources must realize the fundamental importance of those resources and recognize their own responsibility for safeguarding them. Users must guard against abuses that disrupt or threaten the viability of any system. In practice, this means reading the applicable security policies, attending the applicable security training, being vigilant in looking for anomalies, and speaking up when they see something unusual.
In my next blog, I will be covering the electronic communication (i.e. E-mails) portion of security policies.
Are you looking for guidance on creating or reviewing your organization’s security policies? Feel free to reach out to me directly or leave a comment below.