Incident Component Roles
• The auditing function might be its own group (or outsourced to a third party) and might report to the CEO or directly to the Board of Directors to maintain its independence.
1. Board of Directors:
– Responsible for protecting the interests of the shareholders of the corporation.
– This duty of care (fiduciary responsibility) requires that it understand the risk to the business and its data.
– The Board of Directors is responsible for approving the resources necessary to safeguard data.
– It also needs to be kept aware of how the security program is performing.
2. Security Steering Committee
– The committee has an important role in security governance; this group is responsible for setting the tactical and strategic direction of the security program for the organization as a whole.
– The group generally consists of the CEO, CFO, CIO/CISO, and the internal auditing function (or its oversight, if auditing is outsourced to a third party).
– Other business functions might also be represented, such as Human Resources and business operational leaders, depending on the size and organizational complexity of the business.
– This team reviews audit results, risk assessments, and current program performance data.
– The committee also approves any major policy or security strategy changes.
3. CEO or Executive Management
– Senior management must answer to the Board of Directors and the shareholders of a company.
– Furthermore, if the company is publicly traded, the CEO and CFO must personally attest to the accuracy and integrity of the financial reports the company issues (in the United States this is a Sarbanes-Oxley requirement).
– Executive management sets the tone and direction for the rest of the company and must be aware of the risks the company faces to the confidentiality, integrity, and availability of sensitive data.
• CIO/CISO builds the policies, analyses risk, and identifies new threats to the business.
• Architects help to select the controls used to protect the company's data, and they make sure that the controls are sufficient for addressing the risk and complying with policy.
• This role is also responsible for testing security products and making recommendations about what will best serve the needs of the company.
• Security engineers implement the controls selected by the security architect.
• Security engineers are responsible for the maintenance of firewalls, IPS, and other security tools.
• This includes upgrades, testing, patching, and overall maintenance of the security systems.
• This role might also be responsible for testing the functionality of equipment to make sure that it operates as expected.
• The auditor is tasked with identifying risk and reporting to upper management on how the organization performs against its policies and controls.
• The auditor provides an impartial review of projects and technologies to identify weaknesses that could result in loss to the company.
• End users have a critical role in security governance that is often overlooked.
• They must be aware of the impact their actions can have on the security of the company and be able to safeguard confidential information.
• They are responsible for complying with policies and procedures and following safe computing practices, such as not opening attachments without antimalware software running and not loading unauthorized software.
• A solid user security awareness program can help promote safe computing habits.
Security incident response team