How should a company's security program define roles and responsibilities?

In many organizations, it's not uncommon for physical, legal and information security departments to step on each other's toes. In this expert Q&A, security management pro Shon Harris reveals how a CSO can bring these teams together and implement a stronger security program.

Our company has an increased awareness of computer security. The problem, however, is that the physical security, legal, and IT security departments all want to be the decision-makers. How does a company define roles and responsibilities for these areas when all of these departments have a stake in our security program?

This is a common issue that many organizations are running into today. Security is practiced in different silos, which prevents standardization or a real understanding of what the company's risk level is. To address the issue, a CISO or CSO position must be created, and that officer should be responsible for security in all of these areas. He/she has to set up processes, communication structures and reports. Someone in such a position can follow this security program implementation approach:

  • Plan and organize
    • Establish management commitment
    • Create oversight steering committee
    • Assess business drivers
    • Carry out a threat profile on the organization
    • Perform a risk assessment
    • Develop security architectures at an organization, application, network and component level
    • Identify solutions per architecture level
    • Obtain management approval to move forward
  • Implement
    • Assign roles and responsibilities
    • Develop and implement security policies, procedures, standards, baselines and guidelines
    • Identify sensitive data at rest and in transit
    • Implement the following programs:
      • Asset identification and management
      • Risk management
      • Vulnerability management
      • Compliance
      • Identity management and access control
      • Change control
      • Software development life cycle
      • Business continuity planning
      • Security awareness training
      • Physical security
      • Incident response
    • Implement solutions (administrative, technical, physical) per program
    • Develop auditing and monitoring solutions per program
    • Establish goals, service level agreements, and metrics per program
  • Operate and maintain
    • Follow procedures to ensure that all baselines are met in each implemented program
    • Carry out internal and external audits
    • Carry out tasks outlined per program
    • Manage service level agreements per program
  • Monitor and evaluate
    • Review logs, audit results, collected metric values and SLAs per program
    • Assess goal accomplishments per program
    • Carry out quarterly meetings with steering committee
    • Develop improvement steps and integrate into the "Plan and organize" phase

Your management needs to understand that one person has to be coordinating security within the organization and serving as the liaison between management and the rest of the company. The chief security officer (or chief information security officer) needs to then understand the risks that the company faces and reduce these risks to an acceptable level. This officer is responsible for understanding the organization's business drivers and should be creating and maintaining a security program that facilitates these drivers while providing compliance with a long list of regulations and laws.

Additionally, the security business leader must balance security requirements with business needs and ensure that business is not disrupted in any way due to security issues. This extends beyond IT and reaches into business processes, legal concerns, operational issues, revenue generation, reputation protection and risk management -- all of this needs to be done in a cost-effective manner, too!

It is also helpful for an organization to set up a security steering committee, which provides a more holistic approach to security and allows the current owners of security to work as a team. Such a committee is responsible for making decisions on tactical and strategic security issues within the enterprise and should not be tied to any particular business unit. The group should view the impact of security decisions on individual departments and then the organization as a whole. The CEO should head the steering committee, and the CFO, CIO, department managers and chief internal auditor should all be members of this group.

This committee should meet at least quarterly and have a well-defined agenda. Some of this group's responsibilities are listed below:

  • Define the acceptable risk level for the organization
  • Develop security objectives and strategies
  • Determine priorities of security initiatives based on business needs
  • Review risk assessment and auditing reports
  • Monitor business impact of security risks
  • Review major data security breaches and incidents
  • Approve any major change to the security policy and program

Overall, it's important for an organization's management to adhere to this outline, so that the right people are charged with the right security responsibilities.

This was last published in February 2009