Certified Information Security Manager Exam Prep Guide

By: Hemang Doshi

Overview of this book

With cyber threats on the rise, IT professionals are now choosing cybersecurity as the next step to boost their career, and holding the relevant certification can prove to be a game-changer in this competitive market. CISM is one of the top-paying and most sought-after certifications by employers. This CISM Certification Guide comprises comprehensive self-study exam content for those who want to achieve CISM certification on the first attempt. This book is a great resource for information security leaders with a pragmatic approach to challenges related to real-world case scenarios. You'll learn about the practical aspects of information security governance and information security risk management. As you advance through the chapters, you'll get to grips with information security program development and management. The book will also help you to gain a clear understanding of the procedural aspects of information security incident management. By the end of this CISM exam book, you'll have covered everything needed to pass the CISM certification exam and have a handy, on-the-job desktop reference guide.
Table of Contents (17 chapters)

  • 1. Section 1: Information Security Governance
  • 4. Section 2: Information Risk Management
  • 8. Section 3: Information Security Program Development Management
  • 13. Section 4: Information Security Incident Management

Getting to know the information security roles and responsibilities

It is very important to ensure that security-related roles and responsibilities are clearly defined, documented, and communicated throughout the organization. Each employee of the organization should be aware of their respective roles and responsibilities. Clearly defined roles also facilitate effective access rights management, as access is provided based on the respective job functions and job profiles of employees – that is, on a need-to-know basis only.

One of the simplest ways of defining roles and responsibilities in a business or organization is to form a matrix known as a RACI chart. This stands for responsible, accountable, consulted, and informed.

This chart indicates who is responsible for a particular function, who is accountable with regard to the function, who should be consulted about the function, and who should be informed about the particular function. Clearly defined RACI charts make the information security program more effective.

Let's look at the definitions of RACI in more detail:

  • Responsible: This is the person who is required to execute a particular job function.
  • Accountable: This is the person who is ultimately answerable for the outcome of the job function and has the authority to see it through. There should be exactly one accountable person per function; shared accountability dilutes it.
  • Consulted: This is the person who gives suggestions and recommendations for executing a job function.
  • Informed: This is the person who should be kept updated about the progress of the job function.

In the next section, I will take you through the various roles that are integral to information security.

Board of directors

The role of board members in information security is of utmost importance. Board members need to be aware of the security-related key risk indicators (KRIs) that can impact the business objectives. The intent and objectives of information security governance must be communicated from the board level down.

The current status of key security risks should be tabled and discussed at board meetings. This helps the board to determine the effectiveness of the current security governance.

Another essential reason for the board of directors to be involved in security governance is liability. Most organizations obtain specific insurance to cover the financial liability of the organization in the event of a security incident. This type of insurance requires those it covers to exercise due care in the discharge of their duties. Negligence by the board in addressing information security risk may void the insurance.

Senior management

The role of senior management is to ensure that the intent and requirements of the board are implemented in an effective and efficient manner. Senior management is required to provide ongoing support to information security projects in terms of budgets, resources, and other infrastructure. In some instances, there may be disagreement between IT and security. In such cases, senior management can take a balanced view after considering performance, cost, and security. The role of senior management is to map and align the security objectives with the overall business objectives.

Business process owners

The role of a business process owner is to own the security-related risks impacting their business processes. They need to ensure that information security activities are aligned and support their respective business objectives. They need to monitor the effectiveness of security measures on an ongoing basis.

Steering committee

A steering committee comprises the senior management of an organization. The role of a steering committee is as follows:

  • To ensure that security programs support the business objectives
  • To evaluate and prioritize the security programs
  • To evaluate emerging risk, security practices, and compliance-related issues

The roles, responsibilities, and scope of a steering committee should be clearly defined.

Chief information security officer

The chief information security officer (CISO) is a senior-level officer who has been entrusted with making security-related decisions and is responsible for implementing security programs. The CISO should be an executive-level officer directly reporting to the chief executive officer (CEO). The role of the CISO is fundamentally a regulatory role, whereas the role of the CIO is to generally focus on IT performance.

Chief operating officer

The chief operating officer (COO) is the head of operational activities in the organization. Operational processes are reviewed and approved by the COO. The COO has a thorough knowledge of the business operations and objectives. The COO is most likely the sponsor for the implementation of security projects as they have a strong influence across the organization. Sponsoring means supporting the project financially or through products or services. Although the CISO should provide security advice and recommendations, the sponsor should be the COO for effective ground-level implementation.

Data custodian

The data custodian is a staff member who is entrusted with the safe custody of data. The data custodian is different from the data owner, though in some cases, both data custodian and data owner may be the same individual. A data custodian is responsible for managing the data on behalf of the data owner in terms of data backup, ensuring data integrity, and providing access to data for different individuals through the approval of the data owner. From a security perspective, a data custodian is responsible for ensuring that appropriate security measures are implemented and are consistent with organizational policy.

Communication channel

A well-defined communication channel is of utmost importance in the management of information security. A mature organization has dedicated systems to manage risk-related communication. This should be a two-way system, wherein management can reach all the employees and at the same time employees can reach a designated risk official to report identified risks. This will help in the timely reporting of events as well as to disseminate the security information. In the absence of an appropriate communication channel, the identification of events may be delayed.

Indicators of a security culture

The following list consists of some of the indicators of a successful security culture:

  • The involvement of the information security department in business projects.
  • End users know how to identify incidents and how to report them.
  • There is an appropriate budget for information security programs.
  • The employees are aware of their roles and responsibilities with regard to information security.

Understanding the roles and responsibilities as covered in this section will help the security manager to implement an effective security strategy.

Key aspects from the CISM exam perspective

The following are some of the key aspects from the CISM exam perspective:

Table 1.4 – Key aspects from the CISM exam perspective

Questions

  1. The process of mapping job descriptions to relevant data access rights will help in adherence to which of the following security principles?

    A. The principle of accountability.

    B. The principle of proportionality.

    C. The principle of integration.

    D. The principle of the code of ethics.

    Answer: B. The principle of proportionality.

    Explanation: The principle of proportionality requires that the access should be proportionate to the criticality of the assets and access should be provided on a need-to-know basis. The principle of accountability is important for the mapping of job descriptions; however, people with access to data may not always be accountable. Options C and D are not directly relevant to mapping job descriptions.

  2. The data custodian is primarily responsible for which of the following?

    A. Approving access to the data.

    B. The classification of assets.

    C. Enhancing the value of data.

    D. Ensuring all security measures are in accordance with organizational policy.

    Answer: D. Ensuring all security measures are in accordance with organizational policy.

    Explanation: The data custodian is responsible for ensuring that appropriate security measures are implemented and are consistent with organizational policy. The other options are not the responsibility of the data custodian.

  3. In the case of a disagreement between the IT team and security team on a security aspect, the security manager should do which of the following?

    A. Refer the matter to an external third party for resolution.

    B. Request senior management to discontinue the relevant project immediately.

    C. Ask the IT team to accept the risk.

    D. Refer the matter to senior management along with any necessary recommendations.

    Answer: D. Refer the matter to senior management along with any necessary recommendations.

    Explanation: The best option for a security manager in this case is to highlight the issue to senior management. Senior management is in the best position to take a decision after considering business as well as security aspects.

  4. Which of the following is an immediate benefit of having well-defined roles and responsibilities from an information security perspective?

    A. The adherence to security policies throughout the organization.

    B. Well-structured process flows.

    C. The implementation of segregation of duties (SoD).

    D. Better accountability.

    Answer: D. Better accountability.

    Explanation: Having clearly set out roles and responsibilities ensures better accountability, as individuals are aware of their key performance area and expected outcomes. The other options may be indirect benefits, but the only direct benefit is better accountability.

  5. What is the prime role of an information security manager in a data classification process?

    A. To define and ratify the data classification process.

    B. To map all data to different classification levels.

    C. To provide data security, as per the classification.

    D. To confirm that data is properly classified.

    Answer: A. To define and ratify the data classification process.

    Explanation: The primary role of an information security manager is to define the structure of data classification. They need to ensure that the data classification policy is consistent with the organization's risk appetite. The mapping of data as per the classification is the responsibility of the data owner. Providing security is the responsibility of the data custodian. Confirming proper classification may be the role of the information security manager or the information security auditor.

  6. Which of the following is the area of most concern for the information security manager?

    A. That there are vacant positions in the information security department.

    B. That the information security policy is approved by senior management.

    C. That the steering committee only meets on a quarterly basis.

    D. That security projects are reviewed and approved by the data center manager.

    Answer: D. That security projects are reviewed and approved by the data center manager.

    Explanation: Security projects should be approved by the steering committee consisting of senior management. The data center manager may not be in a position to ensure the alignment of security projects with the overall enterprise objectives. This will have an adverse impact on security governance. The approval of the security policy by senior management indicates good governance. Vacant positions are not a major concern. The steering committee meeting on a quarterly basis is also not an issue.

  7. An information security manager should have a thorough understanding of business operations with a prime objective of which of the following?

    A. Supporting organizational objectives.

    B. Ensuring regulatory compliance.

    C. Concentrating on high-risk areas.

    D. Evaluating business threats.

    Answer: A. Supporting organizational objectives.

    Explanation: The main objective of the security manager having a thorough understanding of the business operations is to support the organization's objectives. The other options are specific actions to support the business objectives.

  8. In a big multi-national organization, the best approach to identify security events is to do which of the following?

    A. Conduct frequent audits of the business processes.

    B. Deploy a firewall and intrusion detection system (IDS).

    C. Develop communication channels across the organization.

    D. Conduct vulnerability assessments of new systems.

    Answer: C. Develop communication channels across the organization.

    Explanation: The best approach is to develop communication channels that will help in the timely reporting of events as well as to disseminate security information. The other options are good practices; however, without an appropriate communication channel, the identification of events may be delayed.

  9. Legal and regulatory liability is the responsibility of which of the following?

    A. The chief information security officer.

    B. The head of legal.

    C. The board of directors and senior management.

    D. The steering committee.

    Answer: C. The board of directors and senior management.

    Explanation: The ultimate responsibility for compliance with legal and regulatory requirements is with the board of directors and senior management. The CISO, head of legal, and steering committee implement the directive of the board and senior management, but they are not individually liable for the failure of security.

  10. What is the best way to gain support from senior management for information security projects?

    A. Lower the information security budget.

    B. Conduct a risk assessment.

    C. Highlight industry best practices.

    D. Design an information security policy.

    Answer: B. Conduct a risk assessment.

    Explanation: The best way to gain the support of senior management is to conduct a risk assessment and present it to management in the form of an impact analysis. A risk assessment will help management to understand areas of concern. The other options may be considered secondary factors.

  11. Prioritization of information security projects should be best conducted based on which of the following?

    A. The turnaround time of the project.

    B. The impact on the organization's objectives.

    C. The budget of the security project.

    D. The resource requirements for the project.

    Answer: B. The impact on the organization's objectives.

    Explanation: Security projects should be assessed and prioritized based on their impact on the organization. The other options are secondary factors.

  12. Who is responsible for enforcing the access rights of employees?

    A. The process owner.

    B. The data owner.

    C. The steering committee.

    D. The security administrators.

    Answer: D. The security administrators.

    Explanation: The security administrators are custodians of the data and they need to ensure that data is in safe custody. They are responsible for enforcing and implementing security measures in accordance with the information security policy. The data owner and process owner are responsible for classifying the data and approving access rights. However, they do not enforce and implement the security controls. The steering committee is not responsible for enforcement.

  13. Who is responsible for information classification?

    A. The data administrator.

    B. The information security manager.

    C. The information system auditor.

    D. The data owner.

    Answer: D. The data owner.

    Explanation: The data owner has responsibility for the classification of their data in accordance with the organization's data classification policy. The data administrator is required to implement security controls as per the security policy. The security manager and system auditor oversee the data classification and handling process to ensure conformance to the policy.

  14. What is the data retention policy primarily based on?

    A. Industry practices.

    B. Business requirements.

    C. Regulatory requirements.

    D. Storage requirements.

    Answer: B. Business requirements.

    Explanation: The primary basis for defining the data retention period is the business requirements. Business requirements will take into account any legal and regulatory aspects. If data is not retained as per business needs, it may have a negative impact on the business objectives.

  15. What is the most important security aspect for a multi-national organization?

    A. The local security programs should comply with the corporate data privacy policy.

    B. The local security program should comply with the data privacy policy of the location where the data is collected.

    C. The local security program should comply with the data privacy policy of the country where the headquarters are located.

    D. The local security program should comply with industry best practices.

    Answer: B. The local security program should comply with the data privacy policy of the location where the data is collected.

    Explanation: Data privacy laws are country-specific. It is very important to ensure adherence to local laws. The organization's privacy policy may not be able to address all the local laws and requirements. The organization's data privacy policy cannot supersede the local laws.

  16. Ultimate accountability for the protection of sensitive data is with which of the following?

    A. The security administrators.

    B. The steering committee.

    C. The board of directors.

    D. The security manager.

    Answer: C. The board of directors.

    Explanation: The board of directors has the ultimate accountability for information security. The other options such as the security administrators, steering committee, and security managers are responsible for implementing, enforcing, and monitoring security controls as per the directive of the board.

  17. The most likely authority to sponsor the implementation of new security infrastructure for business processes is which of the following?

    A. The CISO.

    B. The COO.

    C. The head of legal.

    D. The data protection officer.

    Answer: B. The COO.

    Explanation: The chief operating officer is the head of operational activities in the organization. Operational processes are reviewed and approved by the COO. The COO has the most thorough knowledge of the business operations and objectives. The COO is most likely the sponsor for the implementation of security projects as they have a strong influence across the organization. Sponsoring means supporting the project financially or through products or services. Although the CISO should provide security advice and recommendations, the sponsor should be the COO for effective ground-level implementation.

  18. Who should determine the requirements for access to data?

    A. The security officer.

    B. The data protection officer.

    C. The compliance officer.

    D. The business owner.

    Answer: D. The business owner.

    Explanation: The business owner needs to ensure that their data is appropriately protected, and access is provided on a need-to-know basis only. The security officer, data protection officer, and compliance officer can advise on security aspects, but they do not have final responsibility.

  19. The responsibility for establishing information security controls in an application resides with which of the following?

    A. The information security steering committee.

    B. The data owner.

    C. The system auditor.

    D. The system owner.

    Answer: B. The data owner.

    Explanation: The data owner is responsible for determining the level of security controls for the data, as well as for the application that stores the data. The system owner is generally responsible for platforms rather than applications or data. The system auditor is responsible for evaluating the security controls. The steering committee consists of senior-level officials and is responsible for aligning the security strategy with the business objectives.

  20. The information security manager observes that not enough details are documented in the recovery plan and this may prevent meeting the recovery time objective. Which of the following compensates for the lack of details in the recovery plan and ensures that the recovery time objective is met?

    A. Establishing more than one operation center.

    B. Delegating authority for the recovery execution.

    C. Outsourcing the recovery process.

    D. Taking incremental backups of the database.

    Answer: B. Delegating authority for the recovery execution.

    Explanation: During an incident, considerable time is taken up in escalation procedures, as decisions need to be made at each management level. The delegation of authority for the recovery execution makes the recovery process faster and more effective. However, the scope of the recovery delegation must be assessed beforehand and appropriately documented. Having multiple operation centers is too expensive to implement. Outsourcing is not a feasible option. Incremental backups do facilitate faster backups; however, they generally increase the time needed to restore the data.

  21. The effectiveness of SoD is best ensured by which of the following?

    A. Implementing strong password rules.

    B. Making available a security awareness poster on the intranet.

    C. Frequent information security training.

    D. Reviewing access privileges when an operator's role changes.

    Answer: D. Reviewing access privileges when an operator's role changes.

    Explanation: In the absence of access privilege reviews, there is the risk that a single staff member can acquire excess operational capabilities. This will defeat the objective of SoD. In order to maintain the effectiveness of SoD, it is important to review access privileges more frequently and more specifically when an operator's role changes.

  22. What is the prime responsibility of an information security manager?

    A. To manage the risk to information assets.

    B. To implement the security configuration for IT assets.

    C. To conduct disaster recovery testing.

    D. To close identified vulnerabilities.

    Answer: A. To manage the risk to information assets.

    Explanation: The prime responsibility of an information security manager is to evaluate and manage the information security risk by involving risk owners. Implementing the security configuration is the responsibility of the asset owner. Disaster recovery testing should be conducted by the process owner, and the closing of vulnerabilities is the responsibility of the asset owner.

  23. To determine the extent of sound processes, the maturity model is used. Another approach is to use which of the following?

    A. The Monte Carlo method.

    B. Process performance and capabilities.

    C. Vulnerability assessments.

    D. Risk analysis.

    Answer: B. Process performance and capabilities.

    Explanation: Process performance and capabilities provide a detailed perspective of the maturity levels, just like the maturity model. The other options will not help to determine the level of maturity of the process. The Monte Carlo method is a risk assessment method that uses simulations.

  24. Information system access should be primarily authorized by which of the following?

    A. The information owner.

    B. The system auditor.

    C. The CISO.

    D. The system administrator.

    Answer: A. The information owner.

    Explanation: The information owner is ultimately responsible for the protection of their data. The information owner is the best person to know the criticality of the data and who should have access to the data. Therefore, information system access should be primarily authorized by the information owner.

  25. The information security manager observed that the incident log is stored on a production database server. Which of the following is a major concern?

    A. The unavailability of log details if the server crashes.

    B. The unauthorized modification of logs by the database administrator.

    C. Log capturing makes the transaction process slow.

    D. Critical information may not be captured in the log files.

    Answer: B. The unauthorized modification of logs by the database administrator.

    Explanation: The database administrator will have access to logs if they are stored in the database server. The database administrator can modify or delete the log entries. This is a major cause of concern. Backup of the logs will address the issue of server crashes. Log capturing may not always impact transaction processing. If critical information is not captured in logs, it is a design failure and has nothing to do with log entries stored in the production database. The database administrator should not have access to logs related to the database.

  26. Appointing a CISO indicates which of the following?

    A. The organization wants to enhance the role of senior management.

    B. The organization is committed to its responsibility for information security.

    C. The board of directors wants to pass on their accountability.

    D. The organization wants to improve its technology architecture.

    Answer: B. The organization is committed to its responsibility for information security.

    Explanation: Appointing a CISO indicates that the organization wants to have a clear line of responsibility for information security. Information security is one of the focus areas for the organization. Having a CISO does not impact the role of senior management. Even if the CISO is appointed, accountability lies with the board of directors. The CISO is generally not accountable for technology projects.

  27. The main objective of integrating security-related roles and responsibilities is which of the following?

    A. To address the security gaps that exist between assurance functions.

    B. To address the unavailability of manpower.

    C. To address the gap in business continuity and disaster recovery.

    D. To address the complications in system development processes.

    Answer: A. To address the security gaps that exist between assurance functions.

    Explanation: Whenever there are shared responsibilities for information security, gaps tend to exist. Integrating the roles and responsibilities is the best way to address these gaps and ensure consistent risk management. The other options are secondary factors.

  28. Which of the following is the best compensating control when the same employee is responsible for updating servers, maintaining the access control, and reviewing the logs?

    A. To verify that only approved changes are made.

    B. To conduct penetration tests.

    C. To conduct risk assessments.

    D. To conduct reviews of log files by the manager.

    Answer: A. To verify that only approved changes are made.

    Explanation: In the absence of SoD, the best compensatory control is to ensure that only approved changes are made by the employee. This verification can either be done for all cases or on a sample basis depending on the risk involved. The review of logs by the manager may not be meaningful as an employee can manipulate the logs and hide activities from the supervisor. Penetration tests and risk assessments may not be able to detect the unauthorized activities.

  29. What is the responsibility of the information owner when complying with the information classification scheme?

    A. To implement security measures to protect their data.

    B. To determine the level of classification for their data.

    C. To arrange backups of their data.

    D. To delegate the processes of information classification to the system administrator.

    Answer: B. To determine the level of classification for their data.

    Explanation: The information owner is required to determine the level of classification for their respective data. Based on its classification, the system administrator implements the required security measures and data backups. The information owner may delegate the process of classification to some other responsible employee but not to the system administrator.

  30. The effectiveness of the organization's security measures is the final responsibility of which of the following?

    A. The security administrator.

    B. The CISO.

    C. Senior management.

    D. The information security auditor.

    Answer: C. Senior management.

    Explanation: Senior management has the final responsibility for the effectiveness of the organization's security measures. Although the authority to implement, monitor, and evaluate the security measures is delegated to the security administrator, CISO, and the information security auditor, the responsibility cannot be delegated. The final responsibility rests with senior management.

  31. What is the best way to ensure that responsibilities are carried out?

    A. Signed non-disclosure agreements.

    B. Heavy penalties for non-compliance.

    C. Assigned accountability.

    D. Documented policies.

    Answer: C. Assigned accountability.

    Explanation: If accountability is properly assigned and made known to the individuals, individuals will be more proactive and concerned about their responsibilities, and this will ensure that duties are properly carried out.

  32. Who is responsible for complying with the organization's security policies and standards?

    A. The CISO.

    B. Senior management.

    C. The compliance officer.

    D. All organizational units.

    Answer: D. All organizational units.

    Explanation: Every employee is required to comply with security policies and standards, as applicable to their performance areas. Though CISO and senior management monitor the level of compliance, all organizational units should adhere to policies and standards.

  33. Continuous improvement of the risk management process is most likely ensured by which of the following?

    A. The regular review of implemented security controls.

    B. Implementing an information classification policy.

    C. The adoption of a maturity model.

    D. Regular audits of risk management processes.

    Answer: C. The adoption of a maturity model.

    Explanation: A maturity model like the CMM can be used to determine the maturity level of the risk management process, from Level 0 (non-existent) through Level 1 (initial) up to Level 5 (optimized). The organization can see where it currently stands and gradually move towards higher levels, thus improving its risk management process. The other options are secondary factors.

  34. Information security is the responsibility of which of the following?

    A. All personnel.

    B. IT personnel.

    C. Security personnel.

    D. Operational personnel.

    Answer: A. All personnel.

    Explanation: It is the responsibility of all personnel to adhere to the security requirements of the organization.

  35. Who should security policies be finally approved by?

    A. Operation managers.

    B. The CISO.

    C. Senior management.

    D. The chief technical officer (CTO).

    Answer: C. Senior management.

    Explanation: Senior management is in the best position to understand the key business objectives and how they should be protected by way of policies and procedures. Other officials (for example, the operation manager, CISO, and CTO) may provide necessary inputs, but final approval should be provided by senior management.

  36. Confidentiality of information can be best ensured by which of the following?

    A. Implementing an information classification policy.

    B. Implementing SoD.

    C. Implementing the principle of least privilege.

    D. Implementing information security audits.

    Answer: C. Implementing the principle of least privilege.

    Explanation: The most effective method to protect the confidentiality of information assets is to follow the principle of least privilege. The principle of least privilege ensures that access is provided only on a need-to-know basis and it should be restricted for all other users. The other options are good measures; however, in the absence of the principle of least privilege, they may not be effective.
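The points made in the section on roles (access granted on a need-to-know basis per job function) and in questions 1, 21 and 36 (mapping job descriptions to access rights, reviewing privileges when an operator's role changes, and least privilege as the basis of confidentiality) come together in an access review. The following is an added example, not code from the book: a role-to-entitlement map serves as the least-privilege baseline, and a separation-of-duties matrix lists toxic combinations. The role names, entitlement strings, users and the SoD pairs are constructed sample data (assumptions for illustration). The scenario models exactly the failure question 21 warns about: a user promoted from one role to another whose old access was never removed, which produces both an excess-privilege finding and an SoD conflict.

```python
"""Entitlement review against role definitions and a separation-of-duties matrix.

Added example; the role names, entitlement strings and users below are
constructed sample data, not taken from the book.
"""
from dataclasses import dataclass

# Constructed role-to-entitlement map: the need-to-know baseline for each job function.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"ap.invoice.create", "ap.vendor.view"},
    "ap_supervisor": {"ap.invoice.approve", "ap.vendor.view", "ap.report.view"},
    "dba": {"db.admin", "db.backup"},
}

# Constructed SoD matrix: each pair is a toxic combination that lets one person
# complete a sensitive transaction (or cover their tracks) alone.
SOD_CONFLICTS = [
    ("ap.invoice.create", "ap.invoice.approve"),
    ("ap.vendor.create", "ap.invoice.approve"),
    ("db.admin", "audit.log.write"),
]


@dataclass(frozen=True)
class User:
    name: str
    role: str
    entitlements: frozenset


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str      # "unknown_role", "excess" or "sod"
    detail: tuple  # entitlement(s) or role involved


def review_user(user, role_entitlements=ROLE_ENTITLEMENTS, sod_conflicts=SOD_CONFLICTS):
    """Return findings for one user: access beyond the role baseline and SoD conflicts."""
    findings = []
    if user.role not in role_entitlements:
        # No documented job function means no justified access at all.
        findings.append(Finding(user.name, "unknown_role", (user.role,)))
        baseline = frozenset()
    else:
        baseline = role_entitlements[user.role]
    # Least privilege: anything not justified by the current role is excess.
    # After a role change this is typically the previous role's leftover access.
    for ent in sorted(user.entitlements - baseline):
        findings.append(Finding(user.name, "excess", (ent,)))
    # SoD is checked against what the user actually holds, not what the role says.
    for a, b in sod_conflicts:
        if a in user.entitlements and b in user.entitlements:
            findings.append(Finding(user.name, "sod", (a, b)))
    return findings


def review_all(users, **kw):
    """Review a list of users and flatten the findings."""
    return [f for u in users for f in review_user(u, **kw)]


def reprovision(user, new_role, role_entitlements=ROLE_ENTITLEMENTS):
    """Model a role change as replace-not-accumulate: only the new role's baseline remains."""
    return User(user.name, new_role, frozenset(role_entitlements[new_role]))


# Constructed scenario: alice was promoted from AP clerk to AP supervisor, but her
# old clerk entitlement was never removed; bob is a clerk holding exactly his baseline.
SAMPLE_USERS = [
    User("alice", "ap_supervisor",
         frozenset({"ap.invoice.create", "ap.invoice.approve",
                    "ap.vendor.view", "ap.report.view"})),
    User("bob", "ap_clerk", frozenset({"ap.invoice.create", "ap.vendor.view"})),
]


def sample_review():
    """Run the review over the constructed scenario."""
    return review_all(SAMPLE_USERS)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.user}: {f.kind} {f.detail}")
    fixed = reprovision(SAMPLE_USERS[0], "ap_supervisor")
    print("after reprovisioning alice:", review_user(fixed))
```

Two design choices matter here. The SoD check runs over the entitlements a user actually holds rather than over the role definition, because the role definition is clean by construction; it is the accumulated reality that violates it. And the role-change path is modelled as reprovisioning from the new role's baseline rather than adding to the old set, which is the control that keeps question 21's leftover privileges from appearing in the first place.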