Regulatory Requirements for Establishing Information Security Roles and Responsibilities

There are many security and privacy regulations that are very specific about the proper assignment of security responsibilities. Yet in many organizations, the information security effort is not managed with the same precision as other disciplines. There are a variety of reasons for this, not the least of which is that information security is a relatively new field compared to traditional corporate functions such as accounting or finance. And yet the current regulatory environment is forcing organizations to include security requirements in many corporate functions. The net effect will be that organizations that wish to comply with corporate governance requirements will need to establish a new level of sophistication in their security job functions, including the proper definition and documentation of security roles.

Information security personnel often have a difficult time justifying any additional cost for security spending. To this end, it may help to write a “Project Justification Memo” to senior management which outlines the risks that come from improper definition of security roles and responsibilities. (A sample memo is included in Information Security Roles and Responsibilities Made Easy, by Charles Cresson Wood.) If your organization falls under any number of regulatory requirements, including Sarbanes-Oxley, and is still struggling with the importance of defining and documenting security roles and responsibilities, consider the following security and privacy related regulations and their requirements.

HIPAA Privacy and Security: The HIPAA Final Security Rule requires Assigned Security Responsibility in section 164.308(a)(2). In the Privacy Rule, the Administrative Requirements (§164.530) require personnel designations for such roles as Chief Privacy Officer, and the proper assignment of persons responsible for documenting and implementing the safeguards to protect Private Health Information.

Gramm-Leach-Bliley (GLBA): The auditor's checklist within the Interagency Guidelines for Establishing Standards for Safeguarding Customer Information (Guidelines) for GLBA compliance asks: “Is the written information security program appropriate given the size and complexity of the organization and its operations? Does [the information security program] contain the objectives of the program, assign responsibility for implementation, and provide methods for compliance and enforcement?”

Sarbanes-Oxley: The COBIT outline devotes an entire section (4.0 Define the IT organization and relationships) to the proper definition and documentation of various organizational roles, including: 4.1 IT Planning or Steering Committee, 4.2 Organisational Placement of the IT Function, 4.5 Responsibility for Quality Assurance, 4.6 Responsibility for Logical and Physical Security, 4.7 Data and System Ownership, Segregation of Duties, and many others.

ISO/IEC 17799: The international standard ISO 17799 (now ISO 27002) includes the proper definition of the security organization as one of the key elements. Section 6.0 Security Organization requires formal definition of: 6.1 Information security infrastructure, 6.2 Security of third party access, and 6.3 Outsourcing. Also, in Personnel Security (Section 8.0), section 6.1 requires “security in job definition and resourcing.”

Solutions from Information Shield

Information Shield products are designed to help organizations reach this next level of policy governance. Information Security Policies Made Easy, by Charles Cresson Wood, has pre-written policies that define the critical information security responsibilities of any organization. In tandem, Information Security Roles and Responsibilities Made Easy provides pre-written job descriptions, mission statements, and organizational charts that clearly assign these functions to various roles within the organization.