Organizational Roles and Responsibilities

00:01

listen. 3.3

00:03

organizational roles and responsibilities

00:10

during this lesson will be covering specifically closed 5.3 organizational roles, responsibilities and authorities,

00:19

and we'll look at who the responsibility sits with for setting roles and responsibilities.

00:25

We'll take a look at some examples of roles within an icy mess as well as how to document these roles.

00:37

So

00:38

who needs to define and assign roles and responsibilities?

00:42

Yes, top management.

00:45

This is another way in which top management demonstrates their commitment to implementing and maintaining an icy mess, as well as getting it certified against the I. So 27,001 standard.

00:56

Without formally understanding the roles that are required to perform the ice mess

01:00

and ensuring that these roles are appropriately fold

01:03

and communicating not only the importance of these roles but the authority that these roles hold within the organization.

01:10

The ice miss will not likely succeed.

01:12

Top management needs to back these roles and stress their importance to the rest of the organization,

01:19

especially in the cases where these are new rules.

01:22

Implementing new controls and increased security measures is challenging

01:26

even more so where no one in the company knows what your role is or why it is important.

01:34

So top management is responsible for ensuring that the responsibilities and roles relating to the ISMs are formally assigned and communicated.

01:44

Formal roles with associated authorities should be mandated to carry out required functions.

01:51

It doesn't help creating roles that don't have appropriate authorities to make decisions and carry out functions within your organization.

01:59

They must be recognized authority associate ID to rules

02:05

activity should be formally assigned to individuals to ensure that they are performed.

02:09

Generally, actions are just left hanging unless someone is specifically made responsible

02:15

and accountable for ensuring that these activities are completed as and when they need to be.

02:28

So what roles or responsibilities are required?

02:31

There are specific roles and responsibilities that are defined in the 27,001 standard, which are required to be filled.

02:39

These are not the only roles that could be required by your SMS,

02:44

depending on the size and nature of your organization.

02:46

Specifically, in terms of its risk profile,

02:50

you may need a large information security team that manages everything from governance, risk management, compliance, network hardening, incident monitoring and response, and so forth.

03:02

In small organizations. These functions may be required on a much smaller scale, making it possible for across skilled team to manage the roles and responsibilities.

03:13

Ultimately, you need to ensure that the required information security functions are being performed

03:19

and that the appropriate monitoring of these functions is taking place.

03:23

In many instances,

03:24

existing stuff that I'm not directly responsible

03:28

for an information security function may be required to assist in monitoring and reporting on information security performance within their department.

03:38

For example, your H R team may be responsible to participate in your eye smears

03:44

by providing you with specific metrics pertaining to the HR department.

03:50

Another example of that

03:52

when new hires join,

03:53

does HR ensure

03:55

that the correct paperwork pertaining Thio user access rights

04:01

is kept on their users file so that when the user leaves organization, the appropriate access rights are terminated.

04:10

I'm not saying it's a child's responsibility to perform determination,

04:14

but it is a child's responsibility to help ensure that users are appropriately off boarded.

04:27

It is clear, and now, based on the example why top management involvement in the communication of these roles and responsibilities is quite important,

04:34

many departments would really feel overwhelmed

04:39

and overloaded with their own work and adding additional items to worry about, for which they may not see the value can be a challenge to overcome.

04:47

Let's have a look at the two requirements that the ISO 27,001 standard defines

04:54

The first one

04:55

is to ensure that the Information security management system conforms to the requirements of this international standard.

05:03

So that's a very broad statement.

05:05

In essence, this is saying there must be a dedicated resource that ensures that the ice mess maintains a compliance state.

05:14

In other words, all the clauses set forth in the standard are incorporated appropriately into the ice, Miss

05:19

and I'll be being performed as and when they should be.

05:25

The second requirement is reporting on the performance of the Information security management system to top management.

05:33

So this simply states that top management, your sponsors for the ice mess and for getting it certified

05:40

need to be kept in the loop regarding the performance of the ice Miss,

05:45

we will get into the matrix and monitoring later on. But this is an important element in your eyes mess and the appropriate support and authority for this reporting activity must be present.

06:01

Let's take a look at some examples of roles and activities.

06:08

Generally, you would have an icy mess coordinator or champion.

06:12

They would be the spearhead off your Christmas implementation and maintenance project.

06:17

They would not necessarily do all of the activities alone and shouldn't,

06:21

but they would have the in depth knowledge about the I. So 27,001 standard. How to implement this on how Thio involve the rest of the organization In making this a successful activity

06:38

and activity you would need to perform is an information security risk assessment and treatment advisory

06:46

because of the nature off a nice mess and how focused it is on information security risk management.

06:55

Ideally, you would want someone dedicated thio

06:58

understanding information security risk management principles

07:01

to a very deep level so that they can guide and advise participants in your risk assessment and management workshops

07:10

to ensure that the correct level of information is obtained during these workshops,

07:16

information security processes and system design.

07:20

This is an important activity. While it might not be a standalone role, there should be assigned to someone with the appropriate level of skill

07:29

to perform

07:31

sitting standards for the configuration and operation for information security controls

07:38

again, this is an activity to be performed and not necessarily a standalone role, although it could be.

07:45

The important thing is to ensure that there is someone dedicated to this activity

07:49

and there are formerly assigned as the responsible party.

07:56

You would need to have an information security incident manager

07:59

and your team

08:01

to ensure that information security incident activities

08:05

are appropriately conducted and coordinated.

08:09

Information owners

08:11

are important in a nice mess as they are the decision makers regarding controls and different requirements around your information

08:22

process Owners.

08:24

These roles own processes within the organization and would be responsible for processes occurring,

08:31

as well as reporting on the effectiveness of the processes.

08:35

Asset owners are similar Thio information owners as information is an asset.

08:39

However, there would also be acid owners for your supporting assets, such as hardware and software.

08:48

Risk owners are are an important role

08:50

as these are the people that own specific risks within the organizations.

08:58

Line manages

09:00

are important to ensure departments and teams are carrying out their required supporting Iceman's functions,

09:07

and you will also have information users.

09:13

So how should responsibilities be defined

09:20

when it comes to information, security roles and responsibilities. There is often more than one party involved in one way or another.

09:26

Now, While the Standard doesn't explicitly say that this information needs to be documented, it does say it must be assigned and communicated.

09:35

Now it is often a lot easier to define and communicate something that is documented.

09:41

So let's have a look at a couple of ways in which the information can be documented

09:45

and each organization will need to choose what works best for them.

09:50

A racy chart is a really nice way to depict in a one page of you who the involved parties are, what the functionalities and responsibilities are

10:00

onto, what level each party is involved in each function.

10:05

Yeah, we've included a really basic example of a racy chart,

10:09

but these will obviously get really complicated the more roles and responsibilities your organization has.

10:16

You can also organize roles and responsibilities in organizational charts

10:22

and obviously have write ups off roles and responsibilities in people's job descriptions.

10:31

In this lesson, we covered white Top management should define the roles and responsibilities.

10:37

We examine some examples of roles and activities performed to support a nice Amis

10:45

and recovered ways in which roles and responsibilities can be documented, either using a racy chart organizational chart