Well, hello, everybody. And welcome back to the eight C I s P p certification course with Cyber Eri information, governance, roles and responsibility.
My name is Shalane Hutchins and I will be your instructor for the day
today we're gonna talk about information, governance, roles and responsibility.
In addition to the characteristics and components described in the previous module, there are also common roles that are related to information and privacy governments that should be understood.
Many of the titles mentioned here are from the government or public sector, and similar roles entitles may also exist in the corporate and private sector.
Heads of agency or your chief executive officer are responsible for ensuring that information security management processes are integrated with strategic and operational planning processes,
their senior officials who provide security for the information and systems that support operations and assets under their control.
The organization has trained this personnel or these persons sufficient to assist in complying with regulatory requirements, policies, instructions, standards and guidelines,
your risk executive function or your chief risk officer coordinates with senior leadership of an organization to provide a comprehensive organization. Why holistic approach for addressing risk that provides a greater understanding of integrated operations.
They developed risk management strategies to provide a strategic view of information security related risks related to the whole organization.
A risk manager or risk officer facilitates the sharing of risk related information to senior leaders within the organization. They provide oversight for all risk management related activities to ensure consistent and effective risk acceptance decisions.
They identify the organizational risk posture
based on the aggregated risk to the information from the operation and use of the information systems.
Your chief information officer or C i o is responsible for designating the senior information security officer.
They're responsible for developing and maintaining security policies and procedures and control techniques to address all applicable requirements.
They oversee personnel with responsibilities for information security and ensure their trained and reporting to the head of the federal agency and in the private sector to the board of directors,
an information sharing environments. The information owner or steward is responsible for establishing the rules for appropriate use and protection of the information, for example, the rules of behavior and retains that responsibility even when the information is shared or provided to other organizations,
the information owner or Stewart May or may not be the same as the system owner.
A single system could have information from multiple owners or stewards who may provide input to the system owners regarding security and control requirements. For instance, should a system contain data that is classified differently, the security and controls around that data
should be aligned with the classification of that data.
Therefore, the information owner or Stewart must meet those classifications requirements with the controls that are being implemented.
The senior information security officer serves as the primary liaison for the C I O to be
other officers in system owners.
This position is frequently referred to as either the CIS oh, or the chief information security officer or the C. S. O, the chief security officer in other organizations. While the tiles may be different, the intent of the role is the same.
And authorizing official typically has budgetary oversight for a system or are responsible for the mission and or business operations supported by the system.
Authorising officials, through the security authorization process, are accountable for the security risks associated with the information systems operations.
They improve security plans and plans of actions and milestones and determine whether significant changes in the systems or environments of operation require re authorization
again, mostly in the public sector.
Your Information Systems security officer is responsible for ensuring the operational security posture is maintained and works in close collaboration with the information systems owner. They may also service the principal adviser on all matters technical and otherwise involving the security
oven information system and in many organisations, is assigned responsibility
for the data days security operations of a system.
In my role as isil, I'm responsible for security of all systems and applications that recreate
I reviewed contracts and agreements to ensure that that we are agreeing to, um what we can actually provide in terms of security requirements. I ensure the policies and procedures related to various aspects of security exist and are maintained and communicated throughout the organization.
Listed here are other rules that may be designated in an organization.
A common control provider documents controls for each system and maintains assessments and assessment findings and reports.
The information system owner is responsible for the operations of the information system,
the information systems architect,
design security within the organisations and networks in systems,
the information systems security engineer
Ah and this role in our organization is responsible for performing threat models and managing firewall rules and working with the product teams to ensure that security is implemented appropriately.
So the Security control assessor is kind of like an auditor. They assess the controls of each information system.
Please refer to the supplemental materials for additional information on the's roles. They may show up in the exam.
Now it's time to test your knowledge.
Who is the highest level senior official with responsibility for information security protections?
Did you guess the chief information officer
who is responsible for ensuring the operational security posture is maintained?
That's right, the information systems security officer
who is responsible for providing a comprehensive, organization wide, holistic approach for addressing risk.
You guessed it the chief risk officer or the risk executive.
So today we review the information, governance, roles and responsibilities.
Thank you for watching, and I look forward to seeing you in the next video