Information Security Roles and Responsibilities Made Easy: Table of Contents

1: What This Product Can Do For You

2: Reasons To Establish Clear Roles & Responsibilities

3: Persuading Management To Document Roles and Responsibilities

Sample Memo To Management – Why Document Security Roles and Responsibilities

4: Before You Document Roles & Responsibilities

5: Updating Roles & Responsibilities

6: Who Should Write Roles & Responsibilities Documents

7: Review & Approval Of Roles & Responsibilities

8: Resources Required To Document Roles & Responsibilities

9: Time Estimates To Document Roles & Responsibilities

10: Key Information Security Documents

Information Security Department and Other Department Missions
Information Security Staff and Other Staff Job Descriptions
Information Security Department Reporting Relationships Diagram
Information Security Awareness Pamphlet
Information Security Awareness Reminder Memos
Information Security Policy Manual
Information Security Standards Document
Information Security Architecture Document
Information Security Action Plan
Information Security Forms
Systems Administration Procedures Manual
Risk Acceptance Memos
Information Systems Contingency Planning Manual
Organizational Code of Conduct
Standard Operating Procedures (SOP) Manual
Systems Development Process Manual
Application System Requirements Documents
User and Computer Operations Application Manuals
Records Management Policies and Procedures Manual
Worker Performance Reviews
Systems Usage Responsibility Agreements
Outsourcing and Consulting Agreements
Confidentiality and Non-Compete Agreements
Human Resources Manual
Physical Security Pamphlet

Chapter 11: Sample Organizational Mission Statements

Information Security Department
Physical (Industrial) Security Department
Internal Audit Department
EDP Audit Unit
Ethics and Compliance Unit
External Auditing Firm
Records Management Department
Information Technology Department
Help Desk Unit
Network Operations Unit
Computer Operations Unit
Systems Administration Unit
Database Administration Unit
Data Administration Unit
Insurance and Risk Management Department
Contingency Planning Unit
Computer Emergency Response Team
Legal Department
Human Resources Department
Information Security Management Committee
Information Technology Steering Committee
Board of Directors – Audit Committee
Internal Control Committee
Facilities Management Outsourcing Firm

Sample Job Descriptions For Specific Roles

Information Security Department Manager
Access Control System Administrator
Internal Information Security Consultant
Information Security Engineer
Information Security Documentation Specialist
Information Systems Contingency Planner
Local Information Security Coordinator
Chief Information Officer
Information Systems Analyst/Business Analyst
Systems Programmer
Business Applications Programmer
Computer Operations Manager
Computer Operator
Information Systems Quality Assurance Analyst
Help Desk Associate
Archives Manager/Records Manager
Telecommunications Manager
Systems Administrator/Network Administrator
Web Site Administrator/Commerce Site Administrator
Database Administrator
Data Administration Manager
Physical Security Department Manager
Physical Asset Protection Specialist
Building and Facilities Guard
Office Maintenance Worker
Internal Audit Department Manager
EDP Auditor
Internal Intellectual Property Attorney
Human Resources Department Manager
Human Resources Consultant
Outsourcing Contract Administrator
In-House Trainer
Insurance and Risk Management Department Manager
Insurance and Risk Management Analyst
Business Contingency Planner
Public Relations Manager
Chief Financial Officer
Purchasing Agent
Chief Executive Officer

Chapter 13: Information Security Reporting Relationships

Option 1: Information Technology
Option 2: Security
Option 3: Administrative Services
Option 4: Insurance & Risk Management
Option 5: Strategy & Planning
Option 6: Legal
Option 7: Internal Audit
Option 8: Help Desk
Option 9: Accounting & Finance through I.T.
Option 10: Human Resources
Option 11: Facilities Management
Option 12: Operations

Chapter 14: Template Customization Factors

Local Laws and Regulations
Industry Category
Criticality to the Business
Line or Staff Organizational Culture
Scope of Information Security Function
Information Security Effort Sophistication
Size of Organization
Intended Audience
Separation of Duties
Cross-Training and Backup

Chapter 15: Owner, Custodian, And User Roles

Chapter 16: Roles & Responsibilities Of Product Vendors

Chapter 17: Roles & Responsibilities Of Outsourcing Firms

Chapter 18: Adjustments For Smaller Organizations

Chapter 19: A Centralized Organizational Structure

A Few Critical Distinctions
Information Security Activities That Should Be Centralized
Why Centralized Information Security Management Is Advisable
Drawbacks Of Centralized Information Security Management
Resolving A Variety Of Implementation Issues

Chapter 20: Workers In Information Security Related Positions Of Trust

Nature Of The Problem
Suggested Strategies

Chapter 21: Common Mistakes You Should Avoid

Appendix A: Information Security Staffing Levels

Information Security Staffing: Calculating the Standard of Due Care

Appendix B: Personal Qualifications

Excellent Communication Skills
Ability to Resolve Conflicts Between Security and Business Objectives
Ability to See the Big Picture
Basic Familiarity with Information Security Technology
Commitment to Staying on Top of the Technology
Familiarity with Information Security Management
Tolerance for Ambiguity and Uncertainty
Ability to Manage Many Important Projects Simultaneously
Ability to Work Independently
A Certain Amount of Polish

Appendix C: Performance Criteria

Information Security Department Metrics
Individual Worker Metrics

Appendix D: Professional Certifications

Appendix E: Responsibility and Liability

Appendix F: Sample User Responsibility Agreement

Appendix G: Disclosing Roles and Responsibilities

Appendix H: Role Based Access Control

About the Author: Charles Cresson Wood