Roles and Responsibilities

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:00
One of the next elements that we need as part of our information security program is a set of well-defined roles and responsibilities. We've already talked about the idea that separation of duties needs to be enforced within an environment. If that's the case, we need well-defined responsibilities that belong to certain roles within the organization.

Senior management is the first element that we'll talk about. Here we're talking about those C-suite executives, chief officers. These are the folks that have the ultimate accountability, the ultimate responsibility for the organization as a whole. They're the ones who are liable. Their job needs to be to provide oversight and direction, make sure that we're meeting stakeholder expectations, and providing funding and support. Look for questions on the exam that ask you, "What's the most important step in...?" and the most important step is almost always going to be getting senior management's buy-in, getting their commitment, getting the check signed, for instance, to create this program or incident response or business continuity. Whatever it is, senior management is going to be critical. They're also going to make sure that these plans, and policies, and procedures all have been tested and that they are going to be successful in providing the degree of mitigation that's necessary for risk.

Senior management also has to prioritize. Every department thinks their department is the most critical within the organization, so senior management has that bird's eye view and can say, these are the critical services across the board. Also, ideas like establishing a common vision throughout the organization in relation to security, in relation to being risk conscious and risk aware. Culture stems from the top, culture doesn't come up from the bottom. If senior management isn't on board with the security function, we're not going to go anywhere. Also sign-off on policy. As we mentioned before, a lot of times senior management may not write the policy in full, but they will be signing off, as policy comes from senior management.

Now your steering committee. Your steering committee is usually going to have representatives from senior management, but also from other members of the team. You'll have technical experts, you'll have the various lines of business represented, and they're going to have a more complete understanding of the organization as a whole. We're going to have those elements that are going to provide feedback that senior management may not have at the tip of their fingers, so to speak. But it's not too heavily technical; we've got that balance between senior leadership, the business elements, the technology elements, the security elements, ultimately so that we can make good decisions in reference to specific areas. For instance, we may invoke a steering committee to help us determine how to approach business continuity planning. Often the steering committee is focused on a specific decision or process or program at a time, and they will contain representation from throughout the organization, a cross-functional team.

Now our CIO, our chief information officer, they're responsible for making sure informational assets are available, they're protected, that they're managed in such a way that value is delivered to the organization. As you can see with the little illustration, there are a lot of roles and responsibilities that go to the chief information officer. They have to have knowledge across many different domains, and technology and security are not the only ones.

Now, you'll notice the little security circle up at the top right. Usually that one element is assigned to the CISO, which is the chief information security officer. They frequently report to the CIO and they're the ones focused on confidentiality, integrity, and availability of the assets. I would assume in this organization or on this exam that you will be a CISO. You will answer to the chief information officer and these will be the responsibilities. You'll conduct the risk assessments, you will have input into policy, you will be managing projects and programs in relation to security, making sure we have information strategies and overseeing the day-to-day operations.

Now, the information security manager, this is more of a functional role. Whereas your leadership team is going to be responsible for determining what we should be doing and making sure we're satisfying stakeholder needs, we're focused on compliance, it's the managers that are going to figure out how. For instance, senior leadership may say we need 24/7 availability. Well, the security managers are going to say, or the information security managers are going to come in and say, "We're going to need a five-node cluster, it's going to be geographically distributed, and here's how we're going to provide the redundancy to satisfy those goals." Just like always, you can think of governance as determining what we're going to do, and management as figuring out how to make that happen.

Now the business managers, I've already talked a little bit, these are the folks that are the heads of the various business units, the lines of business. These are very frequently the data owners. That can come up a lot of different ways, but again, data owners are usually tied to the lines of business. They're responsible for making sure the work gets done, of course, and they're the decision makers. They make sure that they've chosen the proper security controls, that the controls are working. They are responsible for day-to-day monitoring and reporting any sort of compliance issues or disciplinary actions with employees; that all goes to the business managers.

Then we have our security practitioners. These are the worker bees. These are the ones that carry out the plans. They configure permissions on user accounts. They may write out access control lists for our firewalls and implement those. The risk management and risk assessment is conducted and then carried out by the actual practitioners themselves.

Of course, we have auditors to ensure compliance. Policies will not be followed unless we enforce them. Our auditors tell us if the policies are in place, if they're effective, and of course, auditors can be internal or external. But always think of auditors and compliance going hand in hand. They document, they report, but an auditor would never modify; that's not their job. As a matter of fact, auditors usually have read-only access to certain resources.

Then the last of our roles and responsibilities are information security trainers. We are good people, treat us kindly. We like brownies and more milk. We like to be treated with respect. Trainers are good people. But in all seriousness, they're relevant to the organization because we're the ones that help raise awareness, yes, but ultimately provide a means for modifying the behavior of employees and taking us from current state to desired state as far as employee activity goes. As a matter of fact, you may see things like security incidents or reported security incidents increase after cybersecurity training because now people know what an incident looks like and they know how to report it. We're going to see a change in behavior for good information security training. This is going to tell users what security violations look like, how to report those violations, and ideally trainers will also provide why. Tell me why this is important. Training should never just be a list of do this, don't do that; there should always be a why so that we can help our users make good decisions when we're not available.

In this section, we talked about the roles that are specified in an information security program, and we said these roles must be clearly defined in order to enforce separation of duties.