
Incident Component Roles

Information and Data Security Team Structure

• Information security governance begins at the top with the Board of
Directors and CEO enforcing accountability for adherence to standards and
commissioning the development of security architectures that address the
security requirements of the business as a whole.

• The auditing function might be its own group (or outsourced to a third
party) and might report to the CEO or directly to the Board of Directors to
maintain its independence.
1. Board of Directors:
– Responsible for protecting the interests of the
shareholders of the corporation.
– This duty of care (fiduciary responsibility) requires that
it understand the risk to the business and its data.
– The Board of Directors is responsible for approving the
appropriate resources necessary to safeguard data.
– It also needs to be kept aware of how the security
program is performing.
2. Security Steering Committee
– The Committee has an important role in security governance; this group is
responsible for setting the tactical and strategic direction for the organization
as a whole.
– The group generally consists of the CEO, CFO, CIO/CISO, and the internal
auditing function (or oversight if it is outsourced to a third party).
– Other business functions might also be present, such as Human Resources
and business operational leaders, depending on the size and organizational
complexity of the business.
– This team reviews audit results, risk assessment, and current program
performance data.
– The committee also provides approval for any major policy or security
strategy changes.
3. CEO or Executive Management
– Senior management must answer to the Board of Directors and
shareholders of a company.
– Furthermore, if the company is publicly traded, the CEO and CFO must
personally attest to the accuracy and integrity of the financial reports the
company issues.
– Executive management sets the tone and direction for the rest of the
company and must be aware of the risks the company faces for the
confidentiality, integrity, and availability of sensitive data.
• CIO/CISO

– Responsible for aligning the information security program strategy and
vision to business requirements.
– The CIO/CISO ensures that the correct resources are in place to adhere
to the policies and procedures set forth by the steering committee.
– This role generally reports to the CEO and Board of Directors and
reports how the organization is performing relative to the company’s
goals and similar organizations in the same industry.
• Security Director
• The role is to coordinate the efforts for securing corporate assets.

• The responsibilities include reporting on the progress of initiatives to
executive management and building the teams and resources to address the
various tasks necessary for information security.
• This role also acts as a liaison to other aspects of the business to articulate
security requirements throughout the company.
• The security director manages the teams in developing corporate data
security policies, standards, procedures, and guidelines.
• Security Analyst builds the policies, analyses risk, and identifies new threats to the
business.

• Business continuity and disaster recovery planning are important
functions performed by the analyst to prepare the company for the
unexpected.

• The analyst is also responsible for creating reports about the
performance of the organization’s security systems.
• Security Architect defines the procedures, guidelines, and standards used by the company.

• Architects help to select the controls used to protect the company’s data
and they make sure that the controls are sufficient for addressing the risk
and complying with policy.

• This role is also responsible for testing security products and making
recommendations about what will best serve the needs of the company.
• Security Engineer implements the controls selected by the security architect.

• Security engineers are responsible for the maintenance of firewalls, IPS, and
other tools.

• This includes upgrades, testing, patching, and overall maintenance of the security
systems.

• This role might also be responsible for testing the functionality of equipment to
make sure that it operates as expected.

• Systems Administrator is responsible for monitoring and maintaining the servers,
printers, and workstations a company uses.

• In addition, administrators add and/or remove user accounts as necessary, control
access to shared resources, and maintain company-wide antivirus software.
• Database Administrator (DBA) has an important job in most companies.

• The DBA is responsible for designing and maintaining corporate databases
and also securing access to the data to ensure its integrity.

• The ramifications of lax security in this role can be severe, especially
considering the reporting requirements mandated by SOX.

• IS Auditor: an auditor’s role in security governance is to assess the
effectiveness in meeting the requirements set forth by policy and
management direction.

• The auditor is tasked to identify risk and report on how the organization
performs to upper management.
• The auditor provides an impartial review of projects and technologies to
identify weaknesses that could result in loss to the company.
• End Users have a critical role in security governance that is often
overlooked.
• They must be aware of the impact their actions can have on the security of
the company and be able to safeguard confidential information.

• They are responsible for complying with policies and procedures and
following safe computing practices, such as not opening attachments
without antimalware software running or loading unauthorized software.

• A solid user security awareness program can help promote safe computing
habits.
Security incident response team

• The security incident response team is a group of individuals who have
been trained in incident management, each having distinct response roles.
• The team works under the direction of the incident officer.
• The team is tasked with the following responsibilities:
– Processes IT security complaints or incidents.
– Assesses threats to IT resources.
– Alerts IT managers of imminent threats.
– Determines incident severity and escalates it, if necessary, with
notification to CTO and president’s senior staff.
– Coordinates security incidents (level 2 or 3) from discovery to closure.
– Reviews incidents, provides solutions/resolutions and closure.