Vertic's Information Security Roles, Responsibilities and Authorities
Introduction
Vertic Pty Ltd treats the security of its information assets and those of its customers very seriously and has established an Information Security Management System (ISMS) which conforms to the ISO/IEC 27001 international standard for information security. One of the key attributes of an effective ISMS is a clear allocation of roles, each with defined responsibilities and authorities. Each of these roles needs to be allocated to specific individuals or groups within the organization.
It is vital that everyone within the organization understands how they fit into the ISMS and the part they must play in keeping the information we are responsible for safe. This document should be read in conjunction with others that set out how the ISMS operates, including:
Information Security Context, Requirements and Scope
Information Security Management System Manual
By ensuring that roles, responsibilities and authorities are clearly defined we will be in a good position to prevent many information security incidents from happening and to react effectively and appropriately if they do.
We also need to be very clear about how the responsibilities for operating in a cloud service environment are split. This avoids the situation where misunderstandings lead to areas such as backups, monitoring or vulnerability management not being addressed by either party.
Information security roles
Within the ISMS the following major roles need to be defined and allocated:
Information Security Manager
Information Security Administrator
Information Security Risk Owner
Information Security Auditor
The specific responsibilities and authorities of each of these roles are set out in later sections of this document.
There are also particular information security responsibilities that must be carried out by existing internal roles within the organization, and these are also set out in summary within this document.
These roles are:
IT Consultants
IT Users
In general, responsibilities that apply to all employees, contractors and other interested parties are set out within the relevant organisational policies.
Organisation chart
A subset of the organization chart showing the relevant information security roles is shown below.
Figure 1: Organization chart
The responsibility for overseeing our information security processes falls directly to the owners of Vertic Pty Ltd, Jan Tenenberg, Stephen Kent and Matt Romeo. We have divided these responsibilities using the following high-level structure:
Jan Tenenberg (Information Security Manager) to:
Oversee the overall quality assurance processes defined within the ISO 27001 standards and guidelines
Set up the systems and processes to support the information security processes required to service Vertic’s clients
Stephen Kent (Internal Information Security Auditor) to:
Clearly define the scope of an implementation and the responsibilities of Vertic’s clients
Clearly define all relevant implementation assumptions that impact the implementation of Vertic’s services
Matt Romeo (Information Security Admin) to:
Oversee the technical outsourcing team and the required controls to ensure information is managed securely
Implement the relevant technologies to effectively communicate with our technical outsourcing team
ISMS responsibility matrix
Overall responsibility for the management of the various sections of the ISO/IEC 27001 standard is shown in the following RACI table. This defines the type of responsibility of each role in each area according to whether the listed role is:
R: Responsible
A: Accountable
C: Consulted
I: Informed
ISO/IEC 27001 AREA | INFORMATION SECURITY STEERING GROUP | INFORMATION SECURITY MANAGER | INFORMATION SECURITY ADMIN | INFORMATION SECURITY AUDITOR |
Context | A | C | I | I |
Leadership | A | R | I | I |
Planning | A | R | C | I |
Support | A | R | C | I |
Operation | A | R | R | I |
Performance evaluation | C | R | C | R |
Improvement | A | R | R | R |
Annex A Controls | C | R | R | I |
Table 1: RACI chart
These responsibilities are expanded on further within the rest of this document.
Specific role responsibilities
This section details the specific information security responsibilities and authorities of each role within the Vertic Pty Ltd organization structure. It does not include any other types of responsibility, for example managerial or technical, and should not be taken as a full job description. Competences necessary to fulfil each role are defined in the ISMS document Information Security Competence Development Procedure.
Information security steering group
The Information Security Steering Group oversees the operation of the ISMS as a representative of top management within Vertic Pty Ltd and has overall responsibility for its effectiveness.
Members
The group is made up of members of the top management team and will as a minimum include the following roles:
Matt Romeo, Chief Operating Officer (COO)
Stephen Kent, Chief Financial Officer (CFO)
Jan Tenenberg, Information Security Manager
Further members may be nominated by existing members on an as-needed basis.
Responsibilities
The Information Security Steering Group has the following responsibilities:
Establish and maintain the ISMS policy, objectives and plans
Communicate the importance of meeting the objectives and the need for continual improvement throughout the organization
Maintain an awareness of business needs and major changes
Ensure that information security requirements are determined and are met with the aim of minimising risk and maintaining effective controls for Vertic Pty Ltd and for our customers
Determine and provide resources to plan, implement, monitor, review and improve information security management, e.g. recruit appropriate staff and manage staff turnover
Oversee the management of risks to the organization and its services
Conduct management reviews of information security, at planned intervals, to ensure continuing suitability, adequacy and effectiveness
Select auditors and ensure that internal audits are conducted in an objective and impartial manner
Establish a continual improvement policy with respect to information security for Vertic Pty Ltd
Review major information security incidents
Ensure that arrangements that involve external organisations having access to information systems and services are based on a formal agreement that defines all necessary security requirements
Authorities
The Information Security Steering Group has the authority to:
Approve significant expenditure on information security-related matters
Recruit additional resources for the management of information security
Approve high-level policies for information security
Initiate high-level incident management actions
Information security manager
The Information Security Manager (Jan Tenenberg) is the primary role with a dedicated focus on information security and related issues.
Responsibilities
The Information Security Manager has the following responsibilities:
Report to the Information Security Steering Group on all security-related matters on a regular basis, and on an ad hoc basis when required
Communicate the information security policy to all relevant interested parties where appropriate, including customers
Implement the requirements of the information security policy
Manage risks associated with access to the service or systems
Ensure that security controls are in place and documented
Quantify and monitor the types, volumes and impacts of security incidents and malfunctions
Define improvement plans and targets for the financial year
Monitor achievement against targets
Establish and maintain a continual improvement action list
Report on improvement activities
Identify and manage information security incidents according to a process
Attend management review meetings on a regular basis
Authorities
The Information Security Manager has the authority to:
Declare information security incidents
Approve limited expenditure on information security-related matters
Review the operation of controls within all business areas
Information security administrator
The Information Security Administrator is a technical role involved in the implementation and maintenance of many of the controls used to manage risk.
Responsibilities
The Information Security Administrator has the following responsibilities:
Ensure that security controls are in place and documented
Manage the day-to-day maintenance of controls, including:
Access control (user account lifecycle)
Testing and implementing security patches
Vulnerability scanning
Software operation e.g. IDS, IPS, firewalls, DLP
System and network hardening
Remote access
Cryptographic key management
Log management
Identify and manage information security incidents according to a process
Authorities
The Information Security Administrator has the authority to:
Take action to prevent an information security incident from occurring or escalating, where possible
Maintain information security records in accordance with defined policies and procedures
Information asset owner
The Information Asset Owner has primary operational responsibility for one or more information assets as defined in the Vertic Pty Ltd Information Asset Inventory.
Responsibilities
The Information Asset Owner has the following responsibilities:
Take responsibility for specific, named information assets
Maintain and review security controls for allocated asset(s)
Participate in risk assessments concerning their asset(s)
Ensure the relevant entry in the asset inventory is kept up to date
Authorities
The Information Asset Owner has the authority to:
Implement controls with regard to the information assets under their control
Information security risk owner
The Information Security Risk Owner has primary responsibility for managing one or more information security risks as defined in the Vertic Pty Ltd Risk Treatment Plan.
Responsibilities
The Information Security Risk Owner has the following responsibilities:
Monitor and manage specific risks to information security
Maintain and review security controls that treat the managed risk(s)
Participate in assessments concerning the risk(s) for which they are the owner
Liaise with the owner(s) of the information asset(s) affected by the risk(s) they own
Authorities
The Information Security Risk Owner has the authority to:
Escalate to management where one or more of their risks is not adequately addressed
Approve the level of residual risk after treatment actions have been identified in the Risk Treatment Plan
Information security auditor
The Information Security Auditor fulfils the internal audit requirements of the ISO/IEC 27001 standard and is generally responsible for checking that the ISMS is effectively implemented and maintained.
Responsibilities
The Information Security Auditor has the following responsibilities:
Plan, establish, implement and maintain an audit programme including the frequency, methods, responsibilities, planning requirements and reporting
Define the audit criteria and scope for each audit
Conduct internal audits at planned intervals
Ensure the audit process is objective and impartial
Report the results of audits to relevant management
Retain documented information as evidence of the audit programme and the audit results
Authorities
The Information Security Auditor has the authority to:
Investigate information security-related procedures and controls in order to assess their suitability and effectiveness
Report findings to relevant management
Data protection officer
The Data Protection Officer is a required appointment in line with applicable data protection legislation and has specific responsibilities for the protection of the Personally Identifiable Information (PII) of data subjects.
Responsibilities
The Data Protection Officer has the following responsibilities:
Inform and advise the data controller or the processor and the employees who carry out processing of their obligations under applicable data protection law
Monitor compliance with data protection law and with the policies of the data controller or processor in relation to the protection of PII
Assign responsibilities, raise awareness and train staff involved in the processing of PII, and conduct the related audits
Provide advice where requested regarding privacy impact assessments and monitor their performance
Cooperate with all relevant supervisory authorities for data protection
Act as the contact point for supervisory authorities on issues relating to PII processing and to consult, where appropriate, with regard to any other matter
Authorities
The Data Protection Officer has the authority to:
Take decisions regarding data subject requests allowable under the relevant data protection legislation
Represent the organization to supervisory authorities with regard to data protection issues
Represent the organization to cloud service customers with regard to data protection issues
Customer information security administrator
The Customer Information Security Administrator is a role involved in the implementation and maintenance of many of the controls used to manage risk on behalf of the cloud service customer. This role may be held by one or more employees of the cloud service customer, who make use of facilities provided as part of our cloud service offering (such as access control, user registration and data restoration) to manage the information security aspects of the service received by the customer’s users.
Whilst we recognise this role’s validity, it is not applicable to Vertic’s implementation services.
Responsibilities
The Customer Information Security Administrator has the following responsibilities (limited to Vertic’s involvement and subject to any scope and exclusion statements) within the context of the cloud services provided to the customer by Vertic Pty Ltd:
Assess and manage risk with regard to the customer cloud environment
Ensure that available and appropriate security controls are in place and documented within the customer cloud environment
Advise on the day-to-day maintenance of provided controls that relate to the customer’s specific cloud environment (we explicitly exclude the tasks below from Vertic’s responsibilities), including:
Software as a Service (SaaS)
Access control to cloud services, functions and data
User registration and deregistration
Multi-factor authentication
Management of secret authentication information (e.g. passwords)
Log management
Information labelling
Capacity monitoring
Platform as a Service (PaaS)
Vulnerability scanning
Software operation e.g. IDS, IPS, malware protection, firewalls
System and network hardening
Remote access
Cryptographic key management
Backup and recovery, including testing
Clock synchronisation
Infrastructure as a Service (IaaS)
Installation and configuration of virtual servers
Testing and implementing security patches
Virtual network configuration
Authorities
The Customer Information Security Administrator has the authority to:
Perform technical activities as defined within the scope of the cloud service agreed
Take action to prevent an information security incident from occurring or escalating, where possible
Maintain information security records in accordance with defined policies and procedures
Other roles with information security responsibilities
There are other internal roles within the organization which, whilst not solely dedicated to information security, have relevant responsibilities and authorities.
Department managers
Department Managers may be heads or supervisors of operational units within the organization.
Responsibilities
A Department Manager has the following responsibilities:
Review and manage employee competencies and training needs to enable them to perform their role effectively within the information security area
Ensure that employees are aware of the relevance and importance of their activities and how they contribute to the achievement of information security objectives
Authorities
A Department Manager has the authority to:
Arrange training and awareness activities for the employees under their direction, within budget constraints
Take action to prevent an information security incident from occurring or escalating, where possible
IT technicians
Due to the often technical nature of information security issues, IT Technicians have an important part to play in the ISMS.
Responsibilities
IT Technicians generally have the following responsibilities:
Operation of processes such as incident and change management
Provision of technical expertise in matters of information security
Implementation of technical controls
System administration e.g. user creation, backups
Security monitoring e.g. network intrusions
Authorities
An IT Technician has the authority to:
Take action to prevent an information security incident from occurring or escalating, where possible
IT users
The responsibilities of IT users are defined in a variety of organization-wide policies, such as the Acceptable Use Policy, and are only summarised in brief below.
Responsibilities
An IT user has the following main responsibilities:
Ensure they are aware of and comply with all information security policies of the organization relevant to their business role
Report any actual or potential security breaches
Contribute to risk assessment where required
Authorities
An IT user has the authority to:
Take action to prevent an information security incident from occurring or escalating, where possible