Thursday, June 30, 2022

Principle of Information Security: Module 1 Introduction to Information Security (Part 10)

The information security project team should consist of people who are experienced in one or multiple facets of the required technical and nontechnical areas. Many of the same skills needed to manage and implement security are also needed to design it. Members of the team fill the following roles:

Champion—A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.

Team leader—A project manager who may also be a departmental line manager or staff unit manager, and who understands project management, personnel management, and information security technical requirements.

Security policy developers—People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.

Risk assessment specialists—People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.

Security professionals—Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.

Systems administrators—People with the primary responsibility for administering systems that house the information used by the organization.

End users—Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls that do not disrupt the essential business activities they seek to safeguard.

Data owners are members of senior management who are responsible for the security and use of a particular set of information. The data owners usually determine the level of data classification (discussed later), as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data.

Data custodians are people who work directly with data owners and are responsible for the information and the systems that process, transmit, and store it. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

Data trustees are appointed by data owners to oversee the management of a particular set of information and to coordinate with data custodians for its storage, protection, and use.

Data users are anyone in the organization who is responsible for the security of data, so data users are included here as individuals with an information security role.

Knowledge Check Activity 3

Which group in the organization is appointed by data owners to oversee the management of a particular set of information and to coordinate with data custodians for its storage, protection, and use?

A. Data owners
B. Data custodian
C. Data trustee
D. Data user

The answer is C. Data trustee.

Only this selection is correct since data owners would not appoint themselves, data custodians are responsible for the infrastructure that supports information processing in general, and data users do not have the responsibilities listed.

Each organization develops and maintains its own unique culture and values. Within that corporate culture, there are communities of interest. These include:

  • Information security management and professionals
  • Information technology management and professionals
  • Organizational management and professionals

With the level of complexity in today's information systems, the implementation of information security has often been described as a combination of art and science.

The concept of the security artisan is based on the way individuals have perceived systems technologists since computers became commonplace.

Social science examines the behavior of individuals as they interact with systems, whether societal systems or, in our case, information systems. Security begins and ends with the people inside the organization and the people that interact with the system, planned or otherwise. End users that need the very information the security personnel are trying to protect may be the weakest link in the security chain. By understanding some of the behavioral aspects of organizational science and change management, security administrators can greatly reduce the levels of risk caused by end users and create more acceptable and supportable security profiles.
