Information security is a hot topic and receives frequent headlines due to the weekly—if not daily—security breaches that occur on a global scale. At Linford & Co, we work with service providers on a regular basis to evaluate aspects of their information security by independently testing the design and operating effectiveness of their controls. In doing so, we often come across the following question: What is the most effective organization structure for information security roles and responsibilities?
The answer varies with the service organization's size, structure, and business processes, but a few principles apply everywhere. Individual roles, responsibilities, and authority must be clearly defined, communicated, and understood by all, and security-related functions must be assigned to designated employees rather than left to whoever happens to be available. These requirements and others are outlined in the AICPA's Trust Services Principles that govern SOC 2 audit reports, and an auditor will ask for evidence (an org chart, job descriptions, signed policy acknowledgments) that the assignments exist and have been communicated. The following is an example of functional roles and their associated responsibilities:
Executive Management: Holds overall responsibility and accountability for information security; this tier should include specific organizational roles such as the CISO (Chief Information Security Officer), CTO (Chief Technology Officer), CRO (Chief Risk Officer), CSO (Chief Security Officer), etc., with a named individual accountable for the overall security program.
Information System Security Professionals: Responsible for designing, implementing, managing, and reviewing the organization's security policies, standards, baselines, procedures, and guidelines.
Data Owners: The business owners of data, information, or systems (typically the managers with budgetary authority over the asset); responsible for:
- Ensuring that appropriate security, consistent with the organization's security policy, is implemented in their information systems
- Determining the appropriate sensitivity or classification level of the data
- Determining and approving access privileges (who may access the data, and at what level)
Data Custodians: The function that has "custody" of a system or database on behalf of its owner for any period of time, without itself owning the data. This is usually network administration or operations (those who operate the systems for the owners); custodians implement the classification and access decisions the owners make rather than making those decisions themselves.
Users: Responsible for using resources appropriately, for preserving the availability, integrity, and confidentiality of the assets they handle, and for adhering to security policy.
IS / IT Functions: Responsible for implementing security policies in the systems they build and operate, and for adhering to those policies themselves.
IS Auditors: Independent of the functions above; responsible for:
- Providing independent assurance to management on the appropriateness of the security objectives
- Determining whether the security policy, standards, baselines, procedures, and guidelines are appropriate and effective for meeting the organization's security objectives
- Identifying whether the objectives and controls are actually being achieved
As you consider the structure of your information security organization, keep in mind that well-defined security roles strongly influence the design of your control framework and increase the likelihood that the controls will operate effectively; a control with no named owner is the one most likely to lapse between audits. These roles and responsibilities need to be clearly communicated and regularly reinforced. Linford & Company is a team of seasoned experts that independently evaluates the design and operating effectiveness of service provider security controls and can help your company stay out of the headlines for the wrong reasons.