CBK#3 Security Management Practices - Page 4

Layers of Responsibility
Senior Manager:
Ultimately responsible for the security of the organization and the protection of its assets.

Security professional:
Functionally responsible for security and carries out the senior manager's directives.

Data Owner:
Is usually a member of senior management and is ultimately responsible for the protection and use of the data.
Decides upon the classification of the data he is responsible for and alters that classification when business needs change.
Delegates the day-to-day maintenance of the data to the data custodian.

Data Custodian:
Is given the responsibility of the maintenance and protection of the data.

User:
Any individual who routinely uses the data for work-related tasks.
Must have the level of access to the data needed to perform the duties of her position (and no more), and is responsible for following operational security procedures so that the data's confidentiality, integrity and availability (C/I/A) are preserved for others.

Structure and practices:
Separation of duties:
Makes sure that one individual cannot complete a risky task (for example, both requesting and approving a payment) by herself.
Collusion:
With duties separated, more than one person would need to work together to cause destruction or fraud; requiring collusion drastically reduces its probability.
Nondisclosure agreements:
Protect the company's confidential information if and when an employee leaves, for whatever reason.
Job rotation:
No one person should stay in one position for a long period of time, because doing so can give that individual too much control over a segment of the business. Rotation also makes it more likely that fraud or errors committed by the previous holder of the position are detected.

Security Awareness
Types of training:
- Security-related job training for operators
- Awareness training for specific departments or personnel groups with security sensitive positions
- Technical security training for IT support personnel and system administrators
- Advanced InfoSec training for security practitioners and information system auditors.
- Security training for senior managers, functional managers and business unit managers.

CISSP Summary 2002

Contact:

E-mail: john.wallhoff@mailbox.swipnet.se
Written by: J.Wallhoff January - April 2002
Updated by: J.Wallhoff April 2002