Positioning the roles, interfaces and processes in the information security scene

Abstract

All information security professionals around the globe acknowledge that "everyone is responsible for information security" in a company. This trivial statement looks clever but hides core challenges, "Who is everyone? How does everyone contribute or challenge information security?" In our researched project we researched in-depth roles, processes and interaction in the corporate information security, by creating a framework for crystal clear defined roles and its associated security obligations and responsibilities. 20 corporate roles are analysed from management and security perspective; classical interactions between information security roles leveraging and turning down security are given in case studies. Furthermore we generated structured tasks descriptions of the roles and open the road to the fulfilment of an information security consultants dream by creating Job descriptions including its security responsibilities! We justified the necessity of defining roles and by introducing benefits of this approach: 1. Avoiding unnecessary conflicts and internal politics by establishing security organization with inclusion of all employee’s duties. 2. Increasing security-level, efficiency and productivity by assigning clearly responsibilities. 3. Achieving good information security governance by encouraging coordinated team effort and mutual control. Illustrative corporate examples demonstrate the need to supplement traditional corporate information security governance frameworks with roles and responsibilities for all positions. Templates for both security obligations and task description are provided for being used in corporations.