Information Governance Roles and Responsibilities


Course time: 5 hours 25 minutes
Difficulty: Intermediate
Video Transcription
>> Well, hello, everybody and welcome back to the HCISPP Certification course with Cybrary, Information Governance Roles and Responsibilities. My name is Charlene Hutchins, and I will be your instructor for the day. Today we're going to talk about information governance roles and responsibilities.

In addition to the characteristics and components described in the previous module, there are also common roles that are related to information and privacy governance that should be understood. Many of the titles mentioned here are from the government or public sector. Similar roles and titles may also exist in the corporate and private sector.

Heads of Agency or your Chief Executive Officer are responsible for ensuring that information security management processes are integrated with strategic and operational planning processes. They are senior officials who provide security for the information and systems that support operations and assets under their control. The organization has trained these personnel sufficiently to assist in compliance with regulatory requirements, policies, instructions, standards, and guidelines.

Your Risk Executive Function or your Chief Risk Officer coordinates with the senior leadership of an organization to provide a comprehensive, organization-wide, holistic approach for addressing risk that provides a greater understanding of integrated operations. They develop risk management strategies to provide a strategic view of information security-related risks related to the whole organization.

A Risk Manager or a Risk Officer facilitates the sharing of risk-related information to senior leaders within the organization. They provide oversight for all risk management related activities to ensure consistent and effective risk acceptance decisions. They identify the organizational risk posture based on the aggregated risks to the information from the operation and use of the information systems.

Your Chief Information Officer, or CIO, is responsible for designating the Senior Information Security Officer. They're responsible for developing and maintaining security policies and procedures and control techniques to address all applicable requirements. They oversee personnel with responsibilities for information security, and ensure they are trained, reporting to the Head of the Federal Agency or, in the private sector, to the board of directors.

In information sharing environments, the Information Owner or Steward is responsible for establishing the rules for appropriate use and protection of the information, for example, the rules of behavior, and retains that responsibility even when the information is shared or provided to other organizations. The Information Owner or Steward may or may not be the same as the System Owner. A single system could have information from multiple owners or stewards who may provide input to the System Owners regarding security and control requirements. For instance, should the system contain data that is classified differently, the security and controls around that data should be aligned with the classification of that data. Therefore, the Information Owner or Steward must meet those classification requirements with the controls that are being implemented.

The Senior Information Security Officer serves as the primary liaison for the CIO to the other officers and system owners. This position is frequently referred to as either the CISO, the Chief Information Security Officer, or the CSO, the Chief Security Officer, in other organizations. While the titles may be different, the intent of the role is the same.

An Authorizing Official typically has budgetary oversight for a system or is responsible for the mission and/or business operations supported by the system. Authorizing officials, through the security authorization process, are accountable for the security risks associated with the information system's operations. They approve security plans and plans of actions and milestones, and determine whether significant changes in the systems or environments of operation require re-authorization. Again, mostly in the public sector.

The Information Systems Security Officer is responsible for ensuring the operational security posture is maintained and works in close collaboration with the Information Systems Owner. They may also serve as the principal adviser on all matters, technical and otherwise, involving the security of an information system, and in many organizations are assigned the responsibility for the day-to-day security operations of the system. In my role as ISO, I'm responsible for security of all systems and applications that we create. I review contracts and agreements to ensure that we are agreeing to what we can actually provide in terms of security requirements. I ensure that policies and procedures related to various aspects of security exist and are maintained and communicated throughout the organization.

Listed here are other roles that may be designated in an organization. A Common Control Provider documents controls for each system and maintains assessments and assessment findings and reports. The Information System Owner is responsible for the operations of the information system. The Information Systems Architect designs security within the organization's networks and systems. The Information Systems Security Engineer: this role in our organization is responsible for performing threat models and managing firewall rules, and working with the product teams to ensure that security is implemented appropriately. The Security Control Assessor is like an auditor. They assess the controls of each information system. Please refer to the supplemental materials for additional information on these roles. They may show up in the exam.

Now it's time to test your knowledge. Who is the highest level senior official with responsibility for information security protections? [MUSIC] Did you guess? The Chief Information Officer.

Next, who is responsible for ensuring the operational security posture is maintained? [MUSIC] That's right. The Information Systems Security Officer.

One more, who is responsible for providing a comprehensive, organization-wide, holistic approach for addressing risk? [MUSIC] You guessed it, the Chief Risk Officer or the Risk Executive.

Today we reviewed the Information Governance Roles and Responsibilities. Thank you for watching and I look forward to seeing you in the next video.