ISO 27001:2022 A 6.4 Disciplinary process

Disciplinary Process talks about the need for organisations to put in place some form of disciplinary process to serve as a deterrent so that personnel will not commit information security violations. An information security violation is a breach of the rules or laws governing the proper handling of information. Information security policies are established by organisations to protect confidential, proprietary and personal data, such as customer records and credit card numbers. Information security policies also include computer security policies that help ensure the safety and integrity of data stored on computers. Information security violations include but are not restricted to:

  • Browsing computer or paper records without appropriate authorization and a legitimate business reason
  • Information lost or compromised
  • Loss or theft of equipment containing organizational information
  • Repeated incidents of unattended or lost smart cards
  • Using unencrypted memory sticks
  • Using customer or employee personal data or information without appropriate authorization and a legitimate business reason
  • Disclosing customer or employee personal data or information without appropriate authorization and a legitimate business reason
  • Disclosing computer passwords
  • Sending the information insecurely outside the organization
  • Sending sensitive personal data or identifiable personal information to the wrong person or customer
  • Unauthorized disclosure of organizational information to third parties e.g. the press.

This disciplinary process should be formally communicated, and a suitable penalty designed for employees and other relevant interested parties who commit a violation. If an employee violates an organisation’s information security policy, he or she could be subject to disciplinary action or termination of employment. In some cases, a company may choose not to terminate an employee who breaks its computer usage policy, but instead take other appropriate measures to prevent future violations of company policy.

A 6.4 Disciplinary process

Control

A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

Purpose

To ensure personnel and other relevant interested parties understand the consequences of information security policy violation, to deter and appropriately deal with personnel and other relevant interested parties who committed the violation.

ISO 27002 Implementation Guidance

The disciplinary process should not be initiated without prior verification that an information security policy violation has occurred.
The formal disciplinary process should provide for a graduated response that takes into consideration factors such as:
a) the nature (who, what, when, how) and gravity of the breach and its consequences;
b) whether the offence was intentional (malicious) or unintentional (accidental);
c) whether or not this is a first or repeated offence;
d) whether or not the violator was properly trained.
The response should take into consideration relevant legal, statutory, regulatory, contractual and business requirements as well as other factors as required. The disciplinary process should also be used as a deterrent to prevent personnel and other relevant interested parties from violating the information security policy, topic-specific policies and procedures for information security. Deliberate information security policy violations can require immediate actions.

Other information

Where possible, the identity of individuals subject to disciplinary action should be protected in line with applicable requirements. When individuals demonstrate excellent behavior with regard to information security, they can be rewarded to promote information security and encourage good behavior.

There should be a formal disciplinary process for employees who have committed a security breach. A security breach happens where there has been a deliberate attempt, whether successful or not, to compromise organizational assets such as information, people, IT or premises, or any accident resulting in loss of assets. A formal disciplinary process must be established by the organization in relation to employees who have violated the organization’s security policies and procedures, and for the retention of evidence. Disciplinary processes should aim to be a deterrent to employees who might otherwise be inclined to disregard security policies and procedures. Where appropriate, discipline should be in line with the relevant employment act conditions. For employees not covered under this, discipline should be in line with contract terms and conditions. Where it is formally stated that some activity is not allowed, but informally action is not generally taken against the activity (e.g. banning the distribution of jokes via e-mail), any subsequent disciplinary action that is taken in this regard may be subject to legal challenge and may, therefore, be unenforceable. Disciplinary action should accurately reflect the nature of the breach of policy. Minor infringements are to be expected and should be dealt with through cautions and user security awareness education. Repeated minor infringements may be symptomatic of an inappropriate policy or control, and should entail a re-assessment of its suitability. Repeated minor infringements not due to an inappropriate policy or control, or a major breach of security, may be more suitably dealt with by formal sanctions such as termination of access (temporary or permanent) or legal action. The nature of appropriate disciplinary action should be determined by the workforce management function, in consultation with security officers and with legal officers if legal action is contemplated. Control includes:

  • a reasonable evidentiary standard to initiate investigations (reasonable suspicion that a breach has occurred);
  • appropriate investigatory processes, including specification of roles and responsibilities, standards for the collection of evidence and chain of custody of evidence;
  • disciplinary proceedings that observe reasonable requirements for due process and quality of evidence;
  • a reasonable evidentiary standard to determine fault, that ensures correct and fair treatment for persons suspected of a breach;
  • sanctions that appropriately take into consideration factors such as the nature and gravity of the breach, its impact on operations, whether it is a first or repeat offence, whether or not the violator was appropriately trained, whether or not the violator exercised due care or exhibited negligence;
  • an overall process that functions both as deterrent and sanction.

ISO 27001:2022 A 6.2 Terms and conditions of employment

Security responsibilities must be addressed at the recruitment stage, included in contracts, and monitored during an individual’s employment. Candidates must be adequately screened, commensurate with the sensitivity of the information being handled. If necessary, all employees and third-party users should sign a confidentiality (non-disclosure) agreement. Prior to hiring or contracting employees or companies, security roles and responsibilities should be clearly articulated in job descriptions or well defined in contract terms and conditions. These roles and responsibilities should be defined in accordance with the organization’s security policies. Careful attention should be paid to the validation of references and the appropriate level of background checks as determined by the security roles and responsibilities of the position or contract. Consideration should be given to making the receipt of affirmative references and the successful completion of a background check, at a level commensurate with the position’s roles and responsibilities, a condition of hire. The purpose of this section is to introduce the security controls for people who work for the organization (both employees and other people who are contracted). These controls are really important because statistics worldwide show that people working for companies represent the biggest threat to information security. The most common ways of implementing these security controls are:

  • Documenting a human resource management procedure, although it is not a mandatory document.
  • Signing contracts with employees and other contractors that include information security clauses.
  • Regularly training people on security issues and continual awareness-raising campaigns.
  • Introducing a disciplinary process for all employees who have committed information security breaches.

The objective of this category is to ensure that employees, contractors, and third-party users understand their responsibilities, and are suitable for the roles for which they are considered, in order to reduce the risk of theft, fraud, or misuse of facilities. Security roles and responsibilities of employees, contractors, and third-party users should be defined and documented in accordance with the organization’s information security policy. Control includes requirements to:

act in accordance with the organization’s information security policy, including the execution of processes or activities particular to the indivi

A 6.2 Terms and conditions of employment

Control

The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security.

Purpose

To ensure personnel understand their information security responsibilities for the roles for which they are considered.

Guidance

The contractual obligations for personnel should take into consideration the organization’s information security policy and relevant topic-specific policies. In addition, the following points can be clarified and stated:

a) confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets;
b) legal responsibilities and rights (e.g. regarding copyright laws or data protection legislation);
c) responsibilities for the classification of information and management of the organization’s information and other associated assets, information processing facilities and information services handled by the personnel;
d) responsibilities for the handling of information received from interested parties;
e) actions to be taken if personnel disregard the organization’s security requirements.

Information security roles and responsibilities should be communicated to candidates during the pre-employment process. The organization should ensure that personnel agree to terms and conditions concerning information security. These terms and conditions should be appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services. The terms and conditions concerning information security should be reviewed when laws, regulations, the information security policy or topic-specific policies change. Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment.

Other information

A code of conduct can be used to state personnel’s information security responsibilities regarding confidentiality, PII protection, ethics, appropriate use of the organization’s information and other associated assets, as well as reputable practices expected by the organization. An external party, with which supplier personnel are associated, can be required to enter into contractual agreements on behalf of the contracted individual. If the organization is not a legal entity and does not have employees, the equivalent of contractual agreement and terms and conditions can be considered in line with the guidance of this control.

Employees, contractors, and third-party users should agree to and sign a statement of rights and responsibilities for their affiliation with the organization, including rights and responsibilities with respect to information security. The organization should define security roles and responsibilities in accordance with its information security policy. The organization must ensure that information security policies are readily accessible and formally communicated to all personnel on a periodic basis. All employees, including contractors, temporary staff, board and/or committee members, should sign confidentiality or non-disclosure agreements as part of their initial terms and conditions of employment. Such agreements should give notice to users of the Organization’s policies, rights, obligations, and responsibilities in relation to access to information assets. This control talks about the need for a contractual agreement to inform any new employee about their responsibility, as well as that of the organisation, towards information security. What this means is that employees should know about the company’s information security policy, as well as the roles and responsibilities of people who work with information security in the company. This can be done by having personnel sign an employment contract or something similar. Such a contractual agreement will typically outline the general requirements for protecting information assets, including physical security, environmental controls, access controls and contingency planning, as well as a confidentiality agreement if they’ll be working with PII. Information security obligations should be explicitly stated in contracts with both employees and contractors. Insist that all parties involved are aware of and familiar with NDAs, legal rights and duties, data processing, and the use of third-party information. It is critical that disciplinary measures are guided by certain policies within the organisation.
The contractual agreement with employees and contractors must state their and the organisation’s responsibilities for information security. These agreements are a good place to put key information security general and individual responsibilities, as they carry legal weight – meaning they are backed up by the law. This is also very important as regards compliance obligations. They should reference and cover a whole range of control areas, including overall compliance with the ISMS as well as, more specifically, acceptable use, IPR ownership, return of assets etc.

Confidentiality, non-disclosure, and/or contractual agreements should also be reviewed when there are changes to terms of employment or contract, particularly when employees are due to leave the organization or contracts are due to expire. The organization should ensure that all personnel employed are adequately bound to the confidentiality and non-disclosure requirements. Punitive and/or remedial action(s) to be taken if the employee disregards security requirements should also be clearly described in the terms and conditions. Such measures must be aligned with a formally documented disciplinary process. Casual staff and third-party users (such as volunteers) not already covered by an existing contract (containing the confidentiality agreement) should also be required to sign a confidentiality agreement prior to being given access to information processing facilities or information assets. The organization must establish agreements with equipment repairers to safeguard the confidentiality of information (and data) on equipment undergoing repair. Control includes, in the signed agreement:

  1. information about the scope of access and other privileges the person will have, with respect to the organization’s information and information processing facilities;
  2. information about the person’s responsibilities, under legal-regulatory-certificatory requirements and organizational policies, specified in that or other signed agreements;
  3. as appropriate, information about responsibilities for classification of information and management of organizational information facilities that the person may use;
  4. as appropriate, information about the handling of sensitive information, both internal to the organization and that received from or transferred to outside parties;
  5. information about responsibilities that extend outside the organization’s boundaries (e.g., for mobile devices and teleworking);
  6. information about the organization’s responsibilities for the handling of information related to the person him/herself, generated in the course of employment, contractor or other third party relationship;
  7. actions that can be anticipated, under the organization’s disciplinary process, as a consequence of failure to observe security requirements.

This control may also include the provision of an organizational code of conduct or code of ethics to the employee, contractor, or third party. It may also include a requirement to sign, prior to being given access or other privileges to information or information processing facilities, a separate confidentiality or non-disclosure agreement; and/or acceptable use of assets agreement.

Code Of Conduct

Your firm could lose money if your workers casually share proprietary information with your competitors. Additionally, you could face lawsuits if employees fail to protect your clients’ financial information. To avoid such issues, implement a company code of conduct. This HR document should include clear instructions for safeguarding sensitive information. Provide every employee with a copy of this policy and require every new hire to sign an agreement to abide by the code of conduct. Over time you might need to update or amend this document to accommodate the implementation of new processes or procedures. HR representatives are responsible for ensuring that employees are made aware of such changes.

ISO 27001:2022 A 6.1 Screening

Appropriate background verification checks — also known as “screening” or “clearance” — for all candidates for employment, contractor status, or third-party user status, should be carried out. Pre-employment screening is the process of verifying information that job candidates supply on their resumes and job applications. It may also be referred to by other names, such as:

  • Background Checks
  • Criminal Background Checks
  • Background Screening

This type of background check is usually initiated to see if a prospective employee is trustworthy enough to protect confidential or sensitive information, or manage the financial resources of a business. It may also be used to try to determine whether job candidates have any criminal tendencies or character flaws that might limit their effectiveness or hurt the employer in other ways, such as endangering the staff or tarnishing the company’s reputation. Most employers conduct pre-employment screening of job applicants. However, all or part of the screening process is usually outsourced to private third-party organizations that specialize in this type of background check. An employment background check verifies the employee’s past employment details, criminal records, and/or financial records. This is usually the final step in the recruitment cycle and it ensures that the hiring decision made by the employer is sound and appropriate. Control includes checks that:

  • are commensurate with the organization’s business needs, and with relevant legal-regulatory-certificatory requirements;
  • take into account the classification/sensitivity of the information to be accessed, and the perceived risks;
  • take into account all privacy, protection of personal data and other relevant employment legislation; and
  • include, where appropriate, components such as identity verification, character references, CV verification, criminal and credit checks.

Control

Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Purpose

To ensure all personnel are eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment.

ISO 27002 Implementation Guidance

A screening process should be performed for all personnel including full-time, part-time and temporary staff. Where these individuals are contracted through suppliers of services, screening requirements should be included in the contractual agreements between the organization and the suppliers. Information on all candidates being considered for positions within the organization should be collected and handled taking into consideration any appropriate legislation existing in the relevant jurisdiction. In some jurisdictions, the organization can be legally required to inform the candidates beforehand about the screening activities. Verification should take into consideration all relevant privacy, PII protection and employment-based legislation and should, where permitted, include the following:

  1. availability of satisfactory references (e.g. business and personal references).
  2. a verification (for completeness and accuracy) of the applicant’s curriculum vitae.
  3. confirmation of claimed academic and professional qualifications.
  4. independent identity verification (e.g. passport or other acceptable document issued by appropriate authorities).
  5. more detailed verification, such as credit review or review of criminal records if the candidate takes on a critical role.

When an individual is hired for a specific information security role, the organization should make sure the candidate:

  1. has the necessary competence to perform the security role;
  2. can be trusted to take on the role, especially if the role is critical for the organization.

Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities and, in particular, if these involve handling confidential information (e.g. financial information, personal information or health care information), the organization should also consider further, more detailed verifications. Procedures should define criteria and limitations for verification reviews (e.g. who is eligible to screen people and how, when and why verification reviews are carried out). In situations where verification cannot be completed in a timely manner, mitigating controls should be implemented until the review has been finished, for example:

  1. delayed onboarding;
  2. delayed deployment of corporate assets;
  3. onboarding with reduced access;
  4. termination of employment.

Verification checks should be repeated periodically to confirm ongoing suitability of personnel, depending on the criticality of a person’s role.

Pre-employment screening involves gathering all the information required to make a good hire. This includes identifying candidates that meet predetermined job qualifications and verifying the information they provide. The pre-employment screening process spans from application review to the final hiring decision. Throughout that time, candidates are screened for the following items:

  • Relevant skills and abilities required to be successful in the position
  • Personality traits
  • Cultural fit
  • Educational experience
  • Professional experience
  • History of drug abuse
  • Criminal history

When the time comes to make an offer, thorough pre-employment screening leaves you confident that you’ve selected the most qualified candidate and the best fit for the organization. Employment background verification involves reviewing a potential candidate’s past employment records, personal information (identity, address, etc.), and financial data to confirm the authenticity of their claims. The verification ensures that the candidate can be trusted with sensitive information and will be able to execute their tasks responsibly. Hence, you will be able to make an informed decision based on the background verification. Employee background screenings add a layer of security to the hiring process, filtering the most dependable candidates from the lot. Additionally, these checks offer the following benefits:

  • Improvement in staff quality
  • Lower risk of workplace violence
  • Reduced employee attrition
  • Identifying qualified employees for the technical work
  • Better organization culture and environment

Employers must be mindful of the following things when conducting employment background screening:

  • Identify the legislation and laws that require you to conduct the background verification
  • Inform the candidate that their candidature in the organization is subject to police verification
  • Seek the candidate’s approval for the background check
  • Keep the candidate’s information and background check results private and confidential

The employment background screening is a tedious process involving the following steps:

  1. Selection of the applicant by the hiring department
  2. Contingent offer made to the applicant by the hiring department
  3. Acceptance of the offer letter by the applicant
  4. The hiring department submits an employment background check request
  5. The human resource department approves the request
  6. Instructions are sent to the employment background check agency or are done in house
  7. The agency/HR conducts the background check and submits the results

Types of Pre-employment Screening

There are actually a number of different types of pre-employment screening, and employers will often use more than one.

Criminal Records Checks

Criminal record checks will often include a combination of records derived from multiple sources. They can be done at county, state, federal, or even international levels. Companies can commonly access this data from online databases alone. Using those databases to check criminal records is referred to as screen-scraping. This process can sometimes turn up charges against job applicants that are very old or have been dismissed. The general consensus is that the most effective method of getting an accurate picture of a job candidate is to have real people looking through hard copies of records, in order to ensure that they are getting information about the correct person and the true outcome of all criminal cases. Pre-employment screening services are offered by government agencies to employers who want information about driving or criminal records. Checking criminal records may also protect a company in any negligent hiring lawsuits.

Drug Testing

Drug testing is probably one of the most common screenings that employers use to ensure that job candidates will be productive employees and as a preventative measure against injuries in the workplace. Drug tests identify illegal substances potential employees may have ingested or been exposed to. It must be done in strict compliance with laws of the state where the business is located.

Motor Vehicle Records Screening

Records of license suspensions, accidents, convictions, violations or any disciplinary actions may be verified. Companies whose employees operate motor vehicles in the course of their work, such as trucking, delivery or sales, are most likely to require this type of pre-employment screening.

Employment Verification

Employers verify previous employment listed on resumes and job applications using this type of pre-employment screening. It is also used to check the accuracy of dates of employment, job title, and other related details. However, some of the employers which job candidates list on their resume or application may have policies which limit what type of information they will provide about a former employee. Another important screening element is to verify that a job applicant is eligible to work in the country concerned.

Supervisor/Reference Interviews

Employers will sometimes want to interview references or former supervisors, in order to evaluate the ability of a candidate to perform the job in question. In these cases, the employers will usually be required to provide written permission from the applicant before anyone will speak with them.

Education Verification

Particularly for entry-level employees, employers like to verify a job applicant’s degree, academic performance or major. These reports will verify the dates students attended the academic institution, which fields were studied, the degree earned, grade point averages, and the date of graduation.

Licensing and Professional Certification Verification

Companies will always want to verify that their employees have any licenses that are required for their work. This would include attorneys, medical personnel, engineers, accountants, real estate agents, and more. The pre-employment screening will reveal whether a license is valid, the expiration date, and whether the applicant has been the subject of any type of disciplinary action.

Should Social Media Be Utilized for Pre-employment Screening?

Using social media as a form of pre-employment screening is a controversial issue. While you may be able to tell a lot about a potential employee by looking at their Instagram, Twitter, or Facebook account, doing so may result in legal issues for a company. There are pros and cons to a business considering social media checks, but it is not yet typically included in standard background screening.

A firm’s screening procedures for the appointment or employment of officers and employees must ensure that an individual is not appointed or employed unless:

  1. for a higher-impact individual — the firm is satisfied that the individual has the appropriate character, knowledge, skills and abilities to act honestly, reasonably and independently; or
  2. for any other individual — the firm is satisfied about the individual’s integrity.

The procedures must, as a minimum, provide that, before appointing or employing a higher-impact individual, the firm must:

(a) obtain references about the individual;
(b) obtain information about the individual’s employment history and qualifications;
(c) obtain details of any regulatory action taken in relation to the individual;
(d) obtain details of any criminal convictions of the individual; and
(e) take reasonable steps to confirm the accuracy and completeness of information that it has obtained about the individual.

ISO 27001:2022 A 5.4 Management responsibilities

Management Responsibilities covers the need for management to ensure that all personnel stick to all the information security topic-specific policies and procedures as defined in the established information security policy of the organization. An effective information security policy should be tailored to the specific needs of an organization and supported by senior management to ensure appropriate allocation of resources. It communicates the overarching principles on how management would like employees to handle sensitive data and how the company will protect its information assets. It is often derived from laws, regulations and best practices that must be adhered to by the organization. Information security policies are usually created by an organization’s senior management, with input from its IT security staff. Policies should also include a framework for defining roles and responsibilities and a timeline for periodic review.

A 5.4 Management responsibilities

Control

Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

Purpose

To ensure management understand their role in information security and undertake actions aiming to ensure all personnel are aware of and fulfil their information security responsibilities.

ISO 27002 Implementation Guidance

Management should demonstrate support of the information security policy, topic-specific policies, procedures and information security controls. Management responsibilities should include ensuring that personnel:

  1. are properly briefed on their information security roles and responsibilities prior to being granted access to the organization’s information and other associated assets.
  2. are provided with guidelines which state the information security expectations of their role within the organization.
  3. are mandated to fulfil the information security policy and topic-specific policies of the organization.
  4. achieve a level of awareness of information security relevant to their roles and responsibilities within the organization.
  5. comply with the terms and conditions of employment, contract or agreement, including the organization’s information security policy and appropriate methods of working.
  6. continue to have the appropriate information security skills and qualifications through ongoing professional education.
  7. where practicable, are provided with a confidential channel for reporting violations of information security policy, topic-specific policies or procedures for information security (“whistleblowing”). This can allow for anonymous reporting or have provisions to ensure that knowledge of the identity of the reporter is known only to those who need to deal with such reports.
  8. are provided with adequate resources and project planning time for implementing the organization’s security-related processes and controls.

Management should require employees, contractors and third-party users to apply security controls in accordance with the established policies and procedures of the organization. Managers and supervisors, or those acting in supervisory capacities, must ensure that personnel under their direction and control, including contractors and temporary staff, apply security practices in accordance with the organization’s established policies and procedures. Management should define responsibilities for general personnel, including contractors and volunteers, in relation to implementing or maintaining security in line with the organization’s policies. It must also specify responsibilities for the protection of particular assets, including critical infrastructure, or for the execution of particular security processes or activities. Management must also communicate the requirement for personnel to report security events and incidents (actual or perceived) and uphold the requirement to report other security risks that are identified. Management may note that the personal circumstances of personnel, such as financial problems, changes in behavior or lifestyle, recurring absences and evidence of stressful situations or illness, may give rise to security implications in the workplace. The control includes:

  • appropriately informing all employees, contractors, and third-party users of their information security roles and responsibilities, prior to granting access to sensitive information or information systems.
  • providing all employees, contractors, and third parties with guidelines/rules that state the security control expectations of their roles within the organization.
  • achieving an appropriate level of awareness of security controls among all employees, contractors, and third parties, relevant to their roles and responsibilities, and an appropriate level of skills and qualifications, sufficient to execute those security controls.
  • assuring the conformity to the terms and conditions of employment related to security.
  • motivating adherence to the security policies of the organization, such as with an appropriate sanctions policy; and
  • mitigating the risks of a failure to adhere to policies, by ensuring that all persons have appropriately limited access to the organization’s information and information facilities.

The Information Security Manager (ISM) is responsible for establishing and maintaining a corporate-wide information security management program to ensure that information assets are adequately protected. The ISM is responsible for identifying, evaluating and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the enterprise. The ISM must be a visionary leader with sound knowledge of business management and a working knowledge of information security technologies. The ISM must work with business units to implement practices that meet defined policies and standards for information security, and must oversee a variety of IT-related risk management activities.

The ISM serves as the process owner of all assurance activities related to the availability, integrity and confidentiality of customer, business partner, employee and business information in compliance with the organization’s information security policies. A key element of the ISM’s role is to determine acceptable levels of risk for the organization. The ISM must be highly knowledgeable about the business environment and ensure that information systems are maintained in a fully functional, secure mode.

The ISM’s role is to act as an interface between management’s strategic and process-based activities and the work of the technology-focused analysts, engineers and administrators in the IT organization. The ISM must be able to translate the IT-risk requirements and constraints of the business into technical control requirements and specifications, as well as report on ongoing performance. The ISM coordinates the IT organization’s technical activities to implement and manage security infrastructure, and to provide regular status and service-level reports to management.

The ISM is a thought leader, a consensus builder, and an integrator of people and processes. While the ISM is the leader of the security program, he or she must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that security is just one of the business’s activities. It cannot be undertaken at the expense of the enterprise’s ability to deliver on its goals and objectives. Expertise in leading project teams and developing and managing projects is essential for success in this role. The ISM must be able to prioritize work efforts — balancing operational tasks with longer-term strategic security efforts. Other project management tasks will include resource balancing across multiple IT and security teams, task prioritizing and project reporting. Vendor relationship management — ensuring that service levels and vendor obligations are met — is also an important aspect of the position. ISMs are responsible for managing highly technical staff as they work to accomplish company and personal development goals and must, therefore, have proven leadership skills. Documentation and presentation skills, analytical and critical thinking skills, and the ability to identify needs and take initiative are key requirements of the ISM’s position.

The ISM’s responsibilities are composed of a variety of activities, including very tactical, operational and strategic activities in support of the ISM’s program initiatives, such as:

1) Strategic Support and Management

  1. Develop, implement and monitor a strategic, comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the organization.
  2. Manage the enterprise’s information security organization, consisting of direct reports and indirect reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management and annual performance reviews.
  3. Facilitate information security governance through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
  4. Develop, maintain and publish up-to-date information security policies, standards and guidelines. Oversee the approval, training, and dissemination of security policies and practices.
  5. Create, communicate and implement a risk-based process for vendor risk management, including the assessment and treatment for risks that may result from partners, consultants and other service providers.
  6. Develop and manage information security budgets and monitor them for variances.
  7. Create and manage information security and risk management awareness training programs for all employees, contractors and approved system users.
  8. Work directly with the business units to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout the enterprise on identifying acceptable levels of residual risk.
  9. Provide regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program.
  10. Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection.
  11. Develop and enhance an information security management framework based on the National Information Assurance Policy.
  12. Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls.
  13. Liaise with the enterprise architecture team to ensure alignment between the security and enterprise architectures, thus coordinating the strategic planning implicit in these architectures.
  14. Coordinate information security and risk management projects with resources from the IT organization and business unit teams.
  15. Ensure that security programs comply with relevant laws, regulations and policies to minimize or eliminate risk and audit findings.
  16. Define and facilitate the information security risk assessment process, including the reporting and oversight of treatment efforts to address negative findings.
  17. Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the company’s reputation.
  18. Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.
  19. Develop and oversee effective disaster recovery policies and standards to align with enterprise business continuity management program goals. Coordinate the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a security event. Provide direction, support and in-house consulting in these areas.
  20. Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security program.
  21. Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including, but not limited to, privacy, risk management, compliance and business continuity management.

2) Security Liaison

  1. Liaise among the information security team and corporate compliance, audit, legal and HR management teams as required.
  2. Liaise with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure that the organization maintains a strong security posture.
  3. Assist resource owners and IT staff in understanding and responding to security audit failures reported by auditors.
  4. Work as a liaison with vendors and the legal and purchasing departments to establish mutually acceptable contracts and service-level agreements.
  5. Manage security issues and incidents and participate in problem and change management forums. Ensure timely reporting of, and adequate participation in the investigation of, ICT security incidents with Q-CERT and/or law enforcement agencies as applicable.
  6. Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.
  7. Work with the IT and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the security program.

3) Architecture/Engineering Support

  1. Consult with IT and security staff to ensure that security is factored into the evaluation, selection, installation and configuration of hardware, applications and software.
  2. Recommend and coordinate the implementation of technical controls to support and enforce defined security policies.
  3. Research, evaluate, design, test, recommend or plan the implementation of new or updated information security hardware or software, and analyze its impact on the existing environment; provide technical and managerial expertise for the administration of security tools.
  4. Work with the enterprise architecture team to ensure that there is a convergence of business, technical and security requirements; liaise with IT management to align existing technical installed base and skills with future architectural requirements.
  5. Develop a strong working relationship with the security engineering team to develop and implement controls and configurations aligned with security policies and legal, regulatory and audit requirements.

4) Operational Support

  1. Coordinate, measure and report on the technical aspects of security management.
  2. Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
  3. Manage and coordinate operational components of incident management, including detection, response and reporting.
  4. Maintain a knowledge base comprising a technical reference library, security advisories and alerts, information on security trends and practices, and laws and regulations.
  5. Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information about residual risk.
  6. Ensure audit trails, system logs and other monitoring data sources are reviewed periodically and comply with policies and audit requirements.
  7. Design, coordinate and oversee security-testing procedures to verify the security of systems, networks and applications, and manage the remediation of identified risks.

ISO 27001:2022 A 5.6 Contact with special interest groups

Most organizations today have some sort of relationship with special interest groups. They may be a customer group, a supplier group, or a group that has some influence on the organization. The purpose of this control is to ensure that an appropriate flow of information takes place with respect to information security among these special interest groups. A special interest group may be defined as an association of persons or organizations with an interest in, or working in, a certain field of expertise, where members cooperate or work to solve issues, generate solutions, and acquire knowledge. In our situation, this area of expertise would be information security. You must identify and document any professional associations, forums or interest groups you are part of or could be part of. Specialist forums, professional groups and even the government are examples of special interest groups. Being part of a special interest group helps you gain knowledge about best practice, stay up to date with it, and receive early warnings of alerts, advisories and patches. It can also show that you have obtained specialist information security advice and that you share and exchange information.

A 5.6 Contact with special interest groups

Control

The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations.

Purpose

To ensure appropriate flow of information takes place with respect to information security.

Implementation guidance

Membership in special interest groups or forums should be considered as a means to:

  • improve knowledge about best practices and stay up to date with relevant security information;
  • ensure the understanding of the information security environment is current;
  • receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities;
  • gain access to specialist information security advice;
  • share and exchange information about new technologies, products, services, threats or vulnerabilities;
  • provide suitable liaison points when dealing with information security incidents.

Other Information

Information sharing agreements can be established to improve cooperation and coordination of security issues. Such agreements should identify requirements for the protection of confidential information.

An Information Security Management System (ISMS) is only as good as its ability to keep up with the requirements of the business and provide adequate protection against the risks the organization is exposed to. To accomplish this, information about the environment must be evaluated constantly, but who will do this? Moreover, where can this information be found? The truth is that no one in your organization, not even dedicated teams, can do that alone. As the use of critical information becomes broader (e.g. through teleworking, virtual teams, etc.), IT demands become more complex, and ISMS and security needs grow along with them. This means that the level of effort required to cover information related to every single security aspect of your organization would make the costs prohibitive. But you still have to monitor this information. So how can it be done? Fortunately, ISO 27001 suggests an alternative: contact with special interest groups, control A.5.6 of Annex A of the standard.

In a general way, you can define a special interest group as an association of individuals or organizations with an interest in, or acting in, a specific area of knowledge, where members cooperate or work to solve problems, produce solutions, and develop knowledge. In our case, this area of knowledge would be information security. Examples are manufacturers, specialized forums, and professional associations. The government is another example of a special interest group. These organisations will be able to identify security dangers that you may have overlooked. As a partnership, both sides may benefit from each other’s knowledge in terms of new ideas and best practices, which is a win-win scenario. In addition, these groups may be able to provide useful suggestions or recommendations regarding security practices, procedures, or technologies that can make your systems more secure while still achieving your business objectives.

An organization’s ISMS needs to keep up with business requirements and organizational risks. To cover these issues, the Annex A control (A.6.1.4 in ISO 27001:2013, A.5.6 in the 2022 edition) suggests the following areas for which you should identify a special interest group to help you:

  • Best practices adopted by the market: policies, procedures, guidelines, and checklists that you can adapt to your organization’s needs.
  • Market and security trends related to your industry: laws and regulations, customers’ requirements, suppliers situations your organization has to be aware of or comply with.
  • News and alerts about threats, vulnerabilities, attacks, and patches: you need these to check your defenses because it is better to learn from others’ mistakes and misfortunes than your own, isn’t it?
  • News related to new technologies and products: what can you use to improve your security, or to achieve the same level with reduced costs and/or effort?
  • Specialized consultancy: you may not have the expertise, or time, to make the solution or resolve the problem by yourself, so who can help you?
  • Specialized support to handle information security incidents (e.g., other organizations, police, government security agencies, etc.): when you have a problem and need help to resolve it, who can help you?

The government as a special interest group is a unique case, because of its access to additional resources (like police, emergency services, firefighters, etc.), and, depending on the legal requirements of each country, its involvement is mandatory. Some of these issues you can identify for free (accessing the public content on the Internet, signing up for a regular newsletter, or identifying the person/job title to be in contact with a professional association or state agency), and some you have to pay for (consultant or support services). However, in the latter case, it would be recommended to establish contact with potential suppliers through your procurement process (it is always better to have a previous relationship than to call only in an emergency).

Since the information you will be working with could have a great impact on your ISMS (over management and/or security controls), you should be careful about which special interest groups you interact with, considering:

  • The quality of the information provided: Not all of them have precise or updated information (some only repost news or information from other sources).
  • The availability of the information: what is the update frequency of the information? If the source you use takes too much time to update its info, your organization could be exposed to a problem or risk for a longer period.
  • The legitimacy of the source: Not all of them are authorized representatives of the one responsible for the information (e.g., manufacturers have specific forums to communicate with their clients or to provide patches). Another case is if security peers recognize the group as a reliable source of information.

In the cases where you have to send or receive information, be sure to verify whether there is an agreement about how the shared information will be protected. Appropriate contacts with special interest groups or other specialist security forums and professional associations must be maintained. Some of these contacts may be available for free (accessing public content on the Internet, signing up for a regular newsletter, or identifying the person or job title to contact at a professional association or state agency), and some may require payment (consultant or support services). In the latter case it is recommended to establish contact with potential suppliers through the procurement process (it is always better to have a previous relationship than to call only in an emergency) and to identify the provider as a Key Supplier rather than a SIG. Information security owners can maintain appropriate contacts with Special Interest Groups (SIGs) or other specialist security forums and professional associations. Contact details, business cards, membership certificates, diaries of meetings, etc. can provide evidence of professional contacts, particularly for information risk, security and compliance specialists. Valid contact details embedded within incident response, business continuity and disaster recovery plans provide further evidence of this control, along with notes or reports from previous incidents concerning the contacts made.

ISO 27001:2022 A 5.5 Contact with authorities

Communication with the appropriate authorities must be kept open at all times. Processes should be put in place to define when and with whom officials should communicate, and how identified information security violations will be reported by the organisation as soon as possible. Organisations that have been attacked over the internet may request that authorities take counter-measures. Maintaining these connections may also be required in information security to assist incident management or business continuity and contingency planning operations. Contacts with regulatory authorities are also beneficial in predicting and planning for any changes in the rules or regulations that the organisation must comply with. You can consider contact with your data protection regulator (which is likely mandated in law), utility companies for power and water, health and safety authorities if relevant, fire departments for business continuity and incident management, and perhaps your telecoms provider for routing if lines go down. You will need to ensure that:

  • you identify and document what authorities apply to you
  • in what circumstances you would contact them
  • how information security incidents should be reported if relevant
  • understand what expectations these authorities have, if any
  • include relevant contact steps in your incident management processes
  • include relevant contact steps in your business continuity and disaster recovery processes

A 5.5 Contact with authorities

Control

The organization should establish and maintain contact with relevant authorities.

Purpose

To ensure appropriate flow of information takes place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities.

Guidance

The organization should specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner. Contacts with authorities should also be used to facilitate the understanding about the current and upcoming expectations of these authorities (e.g. applicable information security regulations).

Other information

Organizations under attack can request authorities to take action against the attack source. Maintaining such contacts can be a requirement to support information security incident management or the contingency planning and business continuity processes. Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety [e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment)].

The organization needs to maintain useful contact information for appropriate authorities. The purpose is to ensure that an appropriate flow of information takes place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities. An appropriate forum for dialogue and cooperation between the Company and relevant legal, regulatory and supervisory authorities must be in place. Obviously, with more significant organizations the need for this is greater, as an interruption of service affects a larger part of the population. This is particularly relevant to utilities, telecoms, banking organizations and emergency services (and for smaller companies these might be on your list of authorities). The control covers the requirement, purpose and implementation instructions on how to identify and report information security events in a timely way, as well as who to contact, and how, in the event of an incident. Where attacks stem from the internet, various authorities and providers may need to be called to action in order to divert, suppress or mitigate the threat. You can’t fix everything, but you can be ready should the need arise. This will help with business continuity and security incident management. The objective is to identify which stakeholders (e.g. law enforcement, regulatory bodies, supervisory authorities) would need to be contacted in the event of a security event. It is important that you have already identified these stakeholders before an incident occurs. A protocol for engagement with law enforcement can be part of the security incident response plan or a broader crisis management procedure for the organization. The plan should be clear about which situations require working with law enforcement, such as when laws are broken. The plan should also clearly state who contacts authorities and under what circumstances (e.g. when law enforcement should be contacted by the information security officer or safety officer).

Contact with Authorities means that the organisation should establish and implement informal communication with authorities concerning information security issues, including:

  • Ongoing communication with relevant authorities to ensure that the organisation is aware of current threats and vulnerabilities.
  • Informing relevant authorities of vulnerabilities discovered in the organisation’s products, services or systems.
  • Receiving information from relevant authorities about threats and vulnerabilities.

The main objective of this control is to establish the organisation’s relationship with law enforcement agencies as it relates to managing information security risks. To meet the requirements, the organisation should specify when and by whom authorities (such as law enforcement, regulatory bodies and supervisory authorities) should be notified if an information security incident is discovered, as well as how identified information security incidents are to be reported in a timely manner. The exchange of information with authorities should also be used to gain a better understanding of the existing and forthcoming expectations of these agencies (e.g. applicable information security regulations). This requirement is designed to ensure that the organisation has a coherent strategy for its relationship with law enforcement agencies and that it has identified the most appropriate point of contact in these agencies. Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organisation.

Appropriate contacts with relevant authorities must be maintained, and the legal responsibilities for contacting authorities such as the Police, the Information Commissioner’s Office or other regulatory bodies should always be honoured; this is particularly relevant to utilities, telecoms, banking organisations and the emergency services. Where attacks stem from the internet, various authorities and providers may need to be called to action in order to divert, suppress or mitigate the threat. All authorities can be listed and retained in an appropriately shared and access-controlled repository.

The ISMS coordinator can keep these records up to date and identify which authority is contacted, when, by which relationship owner, under which contact circumstances, and the nature of the information provided. The records should clearly identify who is responsible for contacting authorities (e.g. law enforcement, regulatory bodies, supervisory authorities), which authorities should be contacted (e.g. in which region/country), and in what cases this needs to happen. The manner and timing in which breaches are to be communicated to external authorities should be specified so as to ensure appropriate reporting.

ISO 27001:2022 A 5.3 Segregation of Duties

The purpose of segregation of duties in ISO 27001 is to ensure that a single point of compromise does not have significant impacts on the business. Conflicts can occur when two or more employees have similar or different responsibilities towards a particular task. When this happens, the employees may end up doing the same thing twice, or doing different things that cancel out each other’s efforts. This wastes corporate resources and reduces productivity, which affects both the company’s bottom line and morale. In order to make sure that your organisation does not suffer from this problem, it is important to understand what conflicting areas of responsibility are, why they arise and how you can prevent them from occurring in your organisation. For the most part, this means separating duties so that different people handle different roles in the organisation.

Conflicting duties and areas of responsibility must be segregated in order to reduce the opportunities for unauthorized or unintentional modification or misuse of any of the organisation’s assets. The risk is that if a single post is responsible for highly privileged actions and is not monitored or controlled, then compromise of that role could result in disastrous impacts to the organisation. For example, malicious system or network administrators could greatly disrupt operations or leak highly sensitive data if they are not controlled and monitored. The organisation needs to ask itself whether or not segregation of duties has been considered and implemented where appropriate. To be compliant with this requirement, the organisation must be able to demonstrate that highly privileged role functions and conflicting duties/areas of responsibility are sufficiently segregated. For example, this may be achieved by providing additional layers of authorization for privileged tasks such as issuing or revoking user accounts, or system management functions. A two-man rule might be appropriate in certain circumstances; in others it may be appropriate to provide an extra layer of authorization before a task can be carried out, supported by enhanced monitoring of user operations. This provides a defense-in-depth approach and means that any unauthorized activity can be tracked, monitored and alerted upon.

A 5.3 Segregation of Duties

Control

Conflicting duties and conflicting areas of responsibility should be segregated.

Purpose

To reduce the risk of fraud, error and bypassing of information security controls.

ISO 27002 Implementation Guidance

Segregation of duties and areas of responsibility aims to separate conflicting duties between different individuals in order to prevent one individual from executing potential conflicting duties on their own. The organization should determine which duties and areas of responsibility need to be segregated. The following are examples of activities that can require segregation:

  1. initiating, approving and executing a change;
  2. requesting, approving and implementing access rights;
  3. designing, implementing and reviewing code;
  4. developing software and administering production systems;
  5. using and administering applications;
  6. using applications and administering databases;
  7. designing, auditing and assuring information security controls.

The possibility of collusion should be considered in designing the segregation controls. Small organizations can find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls should be considered, such as monitoring of activities, audit trails and management supervision. Care should be taken when using role-based access control systems to ensure that persons are not granted conflicting roles. When there is a large number of roles, the organization should consider using automated tools to identify conflicts and facilitate their removal. Roles should be carefully defined and provisioned to minimize access problems if a role is removed or reassigned.

Segregation of duties reduces the risk of intentional manipulation or error and increases the element of checking. Functions that should be separated include those of authorization, execution, custody and recording and, in the case of a computer-based accounting system, systems development and daily operations. Segregation of duties is the concept of requiring more than one person to complete a task. Today’s automated solutions and information and communication technologies allow a few people to handle a great deal of information and processes (e.g., stock exchange operators and air traffic controllers). While this is good for productivity, a potential side effect is that these few people may end up gathering excessive knowledge and/or privilege over the operating environment and, in case they are absent or have malicious intent, this can prove to be an unacceptable risk, which must be handled. This is a best practice, especially in cases where sensitive data is being handled. It is seemingly obvious, but often difficult to do in practice. Essentially, try to eliminate processes or situations where someone can access, change or use information assets without detection. For example, network access administration and logging should be conducted by someone different from those authorized to use the data. If in doubt, no one should hold the keys to something from which they could gain.

Segregation of duties is a control put in place by many organizations to mitigate the risk of an insider threat or accidental employee mistakes. Sometimes this isn’t practical or possible, but the institution should be aware of the risks of a single person having too much access. Ideally, critical processes or activities should be split up between multiple people. For example, the initiation of a process, its execution and its authorization should be separated when possible. When this is not possible, monitoring and auditing of critical processes are very important. Segregation of duties refers to practices where the knowledge and/or privileges needed to complete a process are broken up and divided among multiple users so that no single one is capable of performing or controlling it alone.

The main reason to apply segregation of duties is to prevent the perpetration and concealment of fraud and error in the normal course of activities, since having more than one person perform a task minimizes the opportunity for wrongdoing and increases the chances of detecting it, as well as of detecting unintentional errors. Wrongdoing requires three factors to be possible: means, motive and opportunity. Extremely lean processes increase the risk of wrongdoing by concentrating means and opportunity (access to and privileges over the process). By implementing segregation of duties, an organization minimizes the risk by splitting knowledge and privileges. However, the security benefits of segregation of duties must be balanced against the increased cost and effort required. By using the ISO 27001 requirements for risk assessment, an organization can identify the most vulnerable and the most mission-critical elements of the business, for which segregation of duties will represent real added value to the business and other interested parties.

The principles that can be applicable to segregation of duties are:

  • Sequential separation, when an activity is broken into steps performed by different persons (e.g., solicitation, authorization and implementation of access rights)
  • Individual separation, when at least two persons must approve an activity before it is done (e.g., contractor payment)
  • Spatial separation, when different activities are performed in different locations (e.g., locations to receive and store raw material)
  • Factorial separation, when several factors contribute to activity completion (e.g., two-factor access authentication).

These principles can be used in isolation or together, depending upon the security an organization requires to protect its processes.

Segregation can be implemented by:

  1. Identification of functions that are indispensable to the organization’s activities, and potentially subject to abuse, considering either business drivers or regulatory compliance (e.g., SOX)
  2. Division of the function into separate steps, either considering the knowledge necessary for the function to work or the privileges that enable that function to be abused
  3. Definition of one or more segregation principles to be applied to the functions. Examples of functions and segregation principles to be applied are:
     • authorization function (e.g., two people need to authorize a payment)
     • documentation function (e.g., one person creates a document and another approves it)
     • custody of assets (e.g., backup media creation and storage in different sites)
     • reconciliation or audit (e.g., one person takes inventory and another validates it)

Sometimes the segregation of duties is impractical because the organization is too small to designate functions to different persons. In other cases, breaking down tasks can reduce business efficiency and increase costs, complexity, and staffing requirements. In these situations, compensating controls should be in place to ensure that even without segregation of duties the identified risks are properly handled. Examples of compensating controls are:

  1. Monitoring activities: these allow activities to be supervised while in progress, as a way to ensure they are being properly performed.
  2. Audit trails: these enable the organization to recreate the actual events from the starting point to their current status (e.g., who initiated the event, the time of day and date, etc.).
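Where preventive segregation is not possible, the audit trail is the compensating control that still lets the organization detect a breach of the rule. The script below is an added example, not from the standard or any product: it parses a constructed change-management log and checks the first activity group listed earlier (initiating, approving and executing a change) for two things, that each step was performed by a different identity and that execution was not carried out before, or without, a recorded approval. The log format and the change identifiers (CHG-1001 and so on) are invented for the example.

```python
"""Sequential-separation check over a change-management audit trail (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed log lines: "<ISO timestamp> <change id> <step> actor=<identity>".
SAMPLE_LOG: List[str] = [
    "2024-05-01T09:00:00Z CHG-1001 initiated actor=alice",
    "2024-05-01T09:30:00Z CHG-1001 approved actor=bob",
    "2024-05-01T10:00:00Z CHG-1001 executed actor=carol",   # fully segregated
    "2024-05-02T11:00:00Z CHG-1002 initiated actor=dave",
    "2024-05-02T11:05:00Z CHG-1002 approved actor=dave",    # self-approval
    "2024-05-02T11:10:00Z CHG-1002 executed actor=erin",
    "2024-05-03T08:00:00Z CHG-1003 initiated actor=frank",
    "2024-05-03T08:01:00Z CHG-1003 executed actor=grace",   # executed first ...
    "2024-05-03T08:30:00Z CHG-1003 approved actor=heidi",   # ... approval came later
    "2024-05-04T09:00:00Z CHG-1004 initiated actor=ivan",
    "2024-05-04T09:02:00Z CHG-1004 executed actor=ivan",    # no approval at all
    "this line is not a change event and is ignored",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<chg>CHG-\d+) (?P<step>initiated|approved|executed) actor=(?P<actor>\S+)$"
)
STEPS = ("initiated", "approved", "executed")   # the order the process expects

Event = Tuple[datetime, str]   # (timestamp, actor)


def parse_log(lines: List[str]) -> Dict[str, Dict[str, Event]]:
    """Group events by change id, keeping the last recorded event for each step."""
    events: Dict[str, Dict[str, Event]] = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # a production tool should count and report unparseable lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["chg"]][m["step"]] = (ts, m["actor"])
    return events


def audit_change_log(lines: List[str]) -> Dict[str, List[str]]:
    """Return, per change id, the segregation findings; clean changes are omitted."""
    findings: Dict[str, List[str]] = {}
    for chg, steps in parse_log(lines).items():
        issues: List[str] = []
        # Sequential separation: no identity may perform two of the three steps.
        for first, second in combinations(STEPS, 2):
            if first in steps and second in steps and steps[first][1] == steps[second][1]:
                issues.append(f"{first} and {second} performed by the same identity ({steps[first][1]})")
        # Ordering: execution needs a prior approval on record.
        if "executed" in steps:
            if "approved" not in steps:
                issues.append("executed without any recorded approval")
            elif steps["approved"][0] > steps["executed"][0]:
                issues.append("executed before approval was recorded")
        if issues:
            findings[chg] = issues
    return findings


if __name__ == "__main__":
    for chg, issues in sorted(audit_change_log(SAMPLE_LOG).items()):
        for issue in issues:
            print(f"{chg}: {issue}")
```

On the sample, CHG-1001 produces no finding, CHG-1002 is flagged for self-approval, CHG-1003 for an approval recorded after execution, and CHG-1004 both for one identity doing two steps and for the missing approval. The same shape of check applies to the other activity groups in the list (access requested, approved and implemented, for instance) by changing the step names.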

ISO 27001:2022 A 5.2 Information security roles and responsibilities

All information security responsibilities need to be defined and approved by management. The responsibilities can be general (e.g. protecting information) or specific (e.g. the responsibility for granting particular permissions). Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities. Information security responsibilities should be assigned to the relevant staff members, e.g. CEOs, business owners, general managers, HR managers and internal auditors. The auditor will be looking to gain confidence that the organization has made clear who is responsible for what, in a manner that is adequate to the size and nature of the organization. For smaller organisations, it is generally unrealistic to have full-time positions dedicated to these roles and responsibilities. To protect information security, a relevant authority within the organisation can be chosen to hold the responsibility and implement the process.

A.5.2 Information security roles and responsibilities

Control

Information security roles and responsibilities should be defined and allocated according to the organization needs.

Purpose

To establish a defined, approved and understood structure for the implementation, operation and management of information security within the organization.

ISO 27002 Implementation Guidance

Allocation of information security roles and responsibilities should be done in accordance with the information security policy and topic-specific policies. The organization should define and manage responsibilities for:

  1. protection of information and other associated assets;
  2. carrying out specific information security processes;
  3. information security risk management activities and in particular acceptance of residual risks (e.g. to risk owners);
  4. all personnel using an organization’s information and other associated assets.

These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Individuals with allocated information security responsibilities can assign security tasks to others. However, they remain accountable and should determine that any delegated tasks have been correctly performed.
Each security area for which individuals are responsible should be defined, documented and communicated. Authorization levels should be defined and documented. Individuals who take on a specific information security role should be competent in the knowledge and skills required by the role and should be supported to keep up to date with developments related to the role and required in order to fulfill the responsibilities of the role.

Other information

Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of risks and mitigating controls. However, responsibility for resourcing and implementing the controls often remains with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection. Depending on the size and resourcing of an organization, information security can be covered by dedicated roles or duties carried out in addition to existing roles.

All information security responsibilities need to be defined and allocated. Information security responsibilities can be general (e.g. protecting information) and/or specific (e.g. the responsibility for granting a particular permission). Information security is the responsibility of everyone at the organization. It is important to establish roles and responsibilities for staff, managers, and contractors/vendors so that everyone knows what is expected of them when handling information. Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities. Some examples of business roles which are likely to have some information security relevance include departmental heads, business process owners, the facilities manager, the HR manager and the internal auditor. Leadership is also very important, and many institutions have at least one person who is primarily responsible for organizing the information security program. Typically this is a Chief Information Security Officer (CISO), Information Security Officer (ISO) or Director of Information Security, although the title may vary depending on the organization. As such, clarifying specific information security responsibilities within existing job roles is important: e.g. the Operations Director or CEO might also be the equivalent of the CISO, with overarching responsibility for all of the ISMS, and the CTO might own all the technology-related information assets. No matter what title is selected, there should be someone at the organization who can provide a high level of decision-making support to leadership when considering information security issues and solutions. It is also important to establish data ownership and data handling roles (e.g., data owners, stewards, custodians, and users). Many institutions formally identify and document these roles within their information security policies and data management frameworks.
The auditor will be looking to gain assurance that the organisation has made clear who is responsible for what in an adequate and proportionate manner according to the size and nature of the organisation.

Here are some of the vital IT security roles and the responsibilities associated with them. Note that different roles sometimes share some responsibilities.

1) Information Security Board of Review

The Information Security Board of Review (ISBR) may be an appointed administrative authority whose role is to provide oversight and direction regarding information systems security and privacy assurance campus-wide. In collaboration with the Chief Information Officer (CIO), the ISBR’s specific oversight responsibilities include the following:

  • Oversee the development, implementation, and maintenance of a strategic information systems security plan.
  • Oversee the development, implementation, and enforcement of information systems security policy and related recommended guidelines, operating procedures, and technical standards.
  • Oversee the process of handling requested policy exceptions.
  • Advise the management on related risk issues and recommend appropriate actions in support of the risk management programs.

2) CISO

A CISO (Chief Information Security Officer) is the one whose task is to oversee corporate security strategy. The typical CISO’s responsibilities include:

  1. Planning long-term security strategy
  2. Planning and implementing data loss prevention measures
  3. Managing access
  4. Ensuring that the company implements proper safeguards to meet compliance requirements
  5. Investigating any incidents and preventing them in the future
  6. Assessing security risk
  7. Arranging security awareness training

3) Security and Information Compliance Officers

The Security and Information Compliance Officers may oversee the development and implementation of the ISP. Specific responsibilities can include:

  • To ensure related compliance requirements are addressed, e.g., privacy, security, and administrative regulations associated with federal and state laws.
  • To ensure appropriate risk mitigation and control processes for security incidents as required.
  • To document and disseminate information security policies, procedures, and guidelines
  • To coordinate the development and implementation of an information security training and awareness program
  • To coordinate a response to actual or suspected breaches in the confidentiality, integrity or availability of information assets.

4) Data Owner

A Data Owner is an individual or group of people who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, location or administrative unit. This role provides direct authority and control over the management and use of specific information. These individuals might be department heads, managers, supervisors, or designated staff. Responsibilities of a Data Owner include the following:

  1. Ensure compliance with Organizational policies and all regulatory requirements. Data Owners need to understand whether or not any Organizational policies govern their information assets. Data Owners are responsible for having an understanding of legal and contractual obligations surrounding information assets within their functional areas.
  2. Assign an appropriate classification to information assets. All information assets are to be classified based upon its level of sensitivity, value and criticality to the Organization.
  3. Determine appropriate criteria for obtaining access to sensitive information assets. A Data Owner is accountable for who has access to information assets within their functional areas. This does not imply that a Data Owner is responsible for day-to-day provisioning of access. Provisioning access is the responsibility of a Data Custodian.
  4. A Data Owner may decide to review and authorize each access request individually or may define a set of rules that determine who is eligible for access based on business function, support role, etc. Access must be granted based on the principles of least privilege as well as separation of duties. For example, a simple rule may be that all staff members are permitted access to their own health benefits information. A Data Custodian should document these rules in a manner that allows little or no room for interpretation.
  5. Approve standards and procedures related to management of information assets. While it is the responsibility of the Data Custodian to develop and implement operational procedures, it is the Data Owner’s responsibility to review and approve these standards and procedures. A Data Owner should consider the classification of the data and associated risk tolerance when reviewing and approving these standards and procedures. For example, high risk and/or highly sensitive data may warrant more comprehensive documentation and, similarly, a more formal review and approval process.
  6. Understand how information assets are stored, processed, and transmitted. Understanding and documenting how information assets are being stored, processed and transmitted is the first step toward safeguarding that data. Without this knowledge, it is difficult to implement or validate safeguards in an effective manner. One method of performing this assessment is to create a data flow diagram for a subset of data that illustrates the system(s) storing the data, how the data is being processed and how the data traverses the network. Data flow diagrams can also illustrate security controls as they are implemented. Regardless of approach, documentation should exist and be made available to the appropriate Data Owner.
  7. Implement appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of information assets. Data Custodians should work with Data Owners to gain a better understanding of these requirements. Data Custodians should also document what security controls have been implemented and where gaps exist in current controls. This documentation should be made available to the appropriate Data Owner.
  8. Document and disseminate administrative and operational procedures to ensure consistent storage, processing and transmission of information assets. Documenting administrative and operational procedures goes hand in hand with understanding how data is stored, processed and transmitted. Data Custodians should document as many repeatable processes as possible. This will help ensure that information assets are handled in a consistent manner and will also help ensure that safeguards are being effectively leveraged.
  9. Provision and de-provision access as authorized by the Data Owner. Data Custodians are responsible for provisioning and de-provisioning access based on criteria established by the appropriate Data Owner.
  10. Understand and report security risks and how they impact the confidentiality, integrity and availability of information assets. Data Custodians need to have a thorough understanding of security risks impacting their information assets. For example, storing or transmitting sensitive data in an unencrypted form is a security risk. Protecting access to data using a weak password and/or not patching vulnerabilities in a system or application are both examples of security risks.
  11. Security risks need to be documented and reviewed with the appropriate Data Owner so that he or she can determine whether greater resources need to be devoted to mitigating these risks. The Information Technology department can assist Data Custodians with gaining a better understanding of their security risks.

5) Data Users

All users have a critical role in the effort to protect and maintain information systems and data. For the purpose of information security, a Data User is any employee, contractor or third-party provider who is authorized to access Information Systems and/or information assets. Responsibilities of data users include the following:

  1. Adhere to policies, guidelines and procedures pertaining to the protection of information assets.
  2. Users are also required to follow all specific policies, guidelines, and procedures established with which they are associated and that have provided them with access privileges.
  3. Report actual or suspected security and/or policy violations or breaches to IT. During the course of day-to-day operations, users may come across a situation where they feel the security of information assets might be at risk. For example, a user comes across sensitive information on a website that he or she feels shouldn’t be accessible. If this happens, it is the user’s responsibility to report the situation.

6) Application Security Engineer

The job of an app security engineer has two major aspects. Firstly, you will need to help developers to create more secure apps. Secondly, you’ll need to control third-party apps used by your company and ensure their safety. Some of the typical responsibilities and tasks include:

  • Configuring technical security controls
  • Conducting an app risk assessment
  • Whitelisting/blacklisting apps
  • Performing penetration testing

For app security engineers, it’s vital to control SaaS apps and the risks related to them. Risky and insecure apps should be blacklisted. To automate the job and remain time-efficient, they will probably need specialized software that helps with app security assessment and whitelisting/blacklisting.

7) Data Protection Officer (DPO)

Having a DPO may be one of the compliance requirements. A DPO must be appointed in organizations working with large-scale systematic monitoring or processing of sensitive data. Officers oversee corporate data protection measures and their effectiveness. A specialist appointed to the DPO role checks whether corporate security is of a sufficient level to meet compliance requirements, and recommends security upgrades if needed. That’s why an in-depth understanding of data security and compliance is an essential skill. The DPO orchestrates, manages, and supervises all the activities that are aimed at protecting users’ data and communicates the status to both internal and external parties. This includes:

  • Creating an effective step-by-step privacy program
  • Supervising the entire implementation process of the program at all stages
  • Assuring that all the data processes are being conducted
  • Reporting to the management, stakeholders, and all the parties involved on how the implementation process goes
  • Reporting to the management on the potential threats to data security and general integrity, and what can be done to eliminate them
  • Educating employees on the matters of data privacy and data protection
  • Training staff that is directly related to or involved in the data collection, processing, or storing
  • Keeping track of and recording all the operations that involve users’ personal data and the reasons for these operations to take place
  • Auditing the data processes to assess their performance and address possible problems proactively
  • Reporting on the progress of the implementation and maintenance of the data privacy program in the company to the authorities, stakeholders, and public/customers
  • Being a connective link between the organization and data subjects (users/customers). Communicating with data subjects on how their data are being handled and what rights they have, and addressing all their requests concerning their data
  • Communicating with supervisors and being a connecting link between the organization and authorities

8) Network Security Engineer

As the name suggests, a network security engineer’s job is to protect corporate networks from data breaches, human error, or cyberattacks. Engineers are responsible for:

  • Configuring network security settings
  • Performing penetration testing
  • Developing and implementing sufficient measures to detect cyber threats
  • Implementing network security policies
  • Installing and maintaining security software like firewalls or backups

Also, a deep understanding of cloud security may be required.

9) Security Administrator

An IT security admin is a role that includes a wide range of skills and responsibilities to manage the protection of the company’s data. Some of the most common admin’s responsibilities include:

  • Managing access
  • Ensuring that data migration is secure
  • Configuring security software
  • Monitoring data behavior for abnormal activities
  • Implementing security policies
  • Testing company’s systems to locate potential risks and vulnerabilities
  • Reporting security statuses and incidents (if any)
  • Using software tools to automate some of the tasks

An admin’s role is more significant than it may seem at first glance. An admin has to keep the whole organization’s security landscape in mind and ensure that even the tiniest processes are executed correctly. After all, even one careless click may be enough to initiate a cyberattack.

10) Security Analyst

What is the role of an information security analyst? This role is related to protecting corporate information against cyber attacks and insider threats. Generally, an analyst has to determine potential risks and vulnerabilities inside the system, so a deep understanding of data security threats and ways to prevent them is a must. As a security analyst, your responsibilities will include:

  • Analyzing and configuring corporate systems to improve their security
  • Analyzing data loss prevention measures
  • Looking for system vulnerabilities and ways to fix them
  • Monitoring data behavior for abnormal activities
  • Verifying security, availability, and confidentiality of corporate data

Also, the security analyst’s role requires an understanding of white hat hacking to design more advanced protection against cyber attacks. Analysts often work together with security architects.

11) Security Architect

A security architect is one of the senior-level IT security positions. An architect is focused on creating a secure-by-design environment. Unsurprisingly, this position requires a solid understanding of network, app, and hardware security, as well as experience with various systems. Generally, an architect’s responsibilities include:

  • Assessing the system’s security controls and processes to find potential security gaps
  • Planning changes and upgrades for corporate IT infrastructure
  • Maintaining system integrity
  • Implementing insider threat control measures
  • Choosing new security software if needed
  • Implementing disaster recovery measures
  • Analyzing previous incidents and creating an incident response plan
  • Analyzing the costs and benefits of security solutions

Of course, the exact scope of your tasks as an architect will vary depending on each organization’s unique infrastructure and needs. Often, an architect needs to assess corporate systems for meeting security compliance standards to decide what changes are needed to become compliant.

12) Security Specialist

An IT security specialist is a person responsible for keeping corporate data safe. Security specialists maintain and upgrade systems and procedures to prevent data loss or leakage. IT specialists have many sub-specializations. Depending on a specific environment, an information security specialist will have a stronger focus on cloud, network, app, database or device security. In some cases, especially in small businesses, an IT security specialist is an all-rounder with responsibilities combining many cyber security roles at the same time. That’s why a security specialist must have strong IT skills and a deep understanding of both software and hardware—and, of course, an ability to locate potential vulnerabilities and fix them.