Académique Documents
Professionnel Documents
Culture Documents
for information security training and awareness has not yet been assigned,
the probability is high that are this job is not being done, or at least it's not
being done adequately.
For example, workers at your organization may wonder whether this work
should be done by the Human Resources Department, the Training
Department, or the Information Security Department. Thus, it is not an
exaggeration to say that clear roles and responsibilities are an essential
prerequisite for all information security activities. To genuinely be effective in
the information security arena, every organization needs to consciously
specify and coordinate the activities of a team of people, each with different
information security roles and responsibilities.
modern laws include the requirement that information security roles and
responsibilities must be specified. For example, within the United States, the
Health Insurance Portability & Accountability Act (HIPAA) [2] requires that
firms in the health care industry document information security related roles
and responsibilities.
On a related note, with clear documentation defining information security
roles and responsibilities, an organization can show that it is operating in a
fashion which is consistent with the standard of due care. Being able to
demonstrate this consistency may be very important in terms of reducing or
eliminating management liability for losses and other problems. Such
documentation may help with a variety of liability concerns including
computer professional malpractice and breach of management's fiduciary
duty to protect information assets.
One example of an authoritative
statement of the standard of due care, which includes the requirement that
information security roles and responsibilities be clearly specified, is entitled
"Generally Accepted Information Security Principles" (GASSP) [3].
Demonstrating compliance with the standard of due care can help shield
management from negligence and related liability claims.
Conclusion
Information security is inherently inter-disciplinary and inter-departmental,
and at many organizations, it is fast becoming inter-organizational. For
References
[1] Information Security Roles and Responsibilities Made Easy, by Charles Cresson
Wood. Published by Information Shield, Inc. 2002-2004.
[http://www.informationshield.com]
[2] Health Insurance Portability and Accountability Act of 1996 (HIPAA): Final
Security Rule. Department of Health and Human Services; Published in the Federal
Registrar. [http://aspe.hhs.gov/admnsimp/index.shtml]