Roles and responsibilities for information security


Roles and responsibilities for information security

Agency heads, chief information security officers (CISOs), information technology security managers (ITSMs), system owners, and system users all play a part in ensuring that information security is robust. This section outlines and describes the responsibilities for people in these roles.

When you see the word ‘should’, it means the task or activity is best practice. When you see the word ‘must’, it means the task or activity is mandatory. Information security is stronger when you combine best practice and mandatory tasks and activities.

Overall responsibility lies with the agency head

If you’re an agency head, you’re accountable for information security within your agency. You are also the accreditation authority for your organisation.

The CISO leads and oversees information security

The CISO’s role is based on good practice in the security industry and in governance. The role ensures that information security is managed at the senior executive level.

ITSMs implement security measures and provide expertise

ITSMs are executives within an organisation. They’re conduits between the strategic directions provided by the CISO and the technical efforts of systems administrators.

System owners maintain and operate systems

All systems must have an owner. All system owners need to ensure IT governance processes are followed and that business requirements are met.

System users protect systems by following policies and procedures

Developing and maintaining a security culture helps system users comply with security policies and procedures. System users need to be aware of the risks to any system they use and understand the part they play in reducing those risks.