
Information Technology

Logo Department
Policy Document

Information Security Roles & Responsibilities Template

Version 1.0
< Date>

History Log

Version             Date       Author
Draft Version 1.0   May 2020   ControlCase

Acceptable Usage Procedures Page 1



Contents
1. Statement ................................ 3
2. Objective ................................ 3
3. Roles & Responsibilities ................. 3




1. Statement
The roles and responsibilities of each employee in the organization need to be defined, including each employee's specific role in maintaining the Information Security posture of <Organization Name>.

2. Objective
To provide procedural guidance to employees on roles and responsibilities with specific focus
on maintaining the Information Security posture of <Organization Name>.

3. Roles & Responsibilities


Role                                    Responsibility

Chief Security Officer
    - Creating and distributing security policies and procedures.
    - Monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel.
    - Creating and distributing security incident response and escalation procedures that include:
        - Roles, responsibilities, and communication
        - Coverage and responses for all critical system components
        - Strategy for business continuity post compromise
        - Reference or inclusion of incident response procedures from similar associations
        - Analysis of legal requirements for reporting compromises (for example, per California SB 1386)
        - Annual testing
        - Designation of personnel to monitor for intrusion detection, intrusion prevention, and file integrity monitoring alerts on a 24/7 basis
        - Plans for periodic training
        - A process for evolving the incident response plan according to lessons learned and in response to industry developments
    - Maintaining a formal security awareness program for all employees that provides multiple methods of communicating awareness and educating employees (for example, posters, letters, meetings).
    - Reviewing security logs at least daily and following up on exceptions.
    - Owner of the security policies.

Information Technology Office
    - User account maintenance procedures.
    - Log review procedures.

System and Application Administrators
    - Monitor and analyze security alerts and information and distribute them to appropriate personnel.
    - Administer user accounts and manage authentication.
    - Monitor and control all access to data.
    - Maintain a list of connected entities.
    - Perform due diligence prior to connecting an entity, with supporting documentation.
    - Verify that the entity is compliant with relevant compliance standards, with supporting documentation.
    - Establish a documented procedure for connecting and disconnecting entities.
    - Retain audit logs for at least one year.

Information Security Office
    - Monitoring the implementation of the information security program in the organization and the actions taken under it.
    - Alerting on, and initiating action in response to, security events, potential events, and other security risks to the organization.
    - Executing, or coordinating with the relevant teams on, particular security processes or activities.
    - Managing the information security responsibilities of employees, contractors and third-party users.
    - Ensuring that responsibility is assigned to an individual for actions taken.
    - Overall responsibility for protecting assets from unauthorized access, disclosure, modification, destruction or interference.

Human Resources Office
    - Facilitating participation in training upon hire and at least annually.
    - Ensuring that employees acknowledge in writing that they have read and understand the company's information security policy.
    - Screening potential employees to minimize the risk of attacks from internal sources.

Internal Audit
    - Executing a risk assessment process that identifies threats and vulnerabilities and results in a formal risk assessment.
    - Performing all the activities described in Section 9 (Internal Audit) of the Information Security Policy and in the Internal Audit Procedure Document.

Contracts Manager
    - Ensuring that contracts require adherence to <Compliance Standard Name> by the service provider.
    - Ensuring that contracts include an acknowledgement of responsibility for the security of PII by the service provider.

Data Engineer
    - Become knowledgeable regarding relevant security requirements and guidelines.
    - Protect the resources under their control, such as access passwords, computers, and data they download.
    - Abide by the Information Security Policy and supporting procedures.
    - Report actual or suspected vulnerabilities in the confidentiality or integrity of sensitive information (PHI, PII, PCI) to the Chief Privacy Officer.
    - Report actual or suspected breaches in the security or privacy of sensitive information (PHI, PII, PCI) to the Chief Privacy Officer.
    - Report suspicious requests for sensitive information (PHI, PII, PCI) to the Chief Privacy Officer.

Data Protection Officer
    - Reporting to Senior Management.
    - Reporting actual or suspected vulnerabilities in the confidentiality or integrity of sensitive information (PHI, PII, PCI) to the Chief Privacy Officer.
    - Has expert knowledge of data protection law and practices and the ability to fulfill the required tasks.

Security Contacts
    - Members from operational teams responsible for implementing and enforcing organizational security policies and procedures at each business and operational unit level.

The <Name of the Responsible Area> is the owner of this document and is responsible for
ensuring that this policy document is reviewed in line with the review requirements stated
above.

A current version of this document is available to all members of staff.

This policy was approved by the TITLE and is issued on a version-controlled basis under his/her signature.




Signature: Date:

