Security organization reporting structure (org chart; its title was not extracted). Boxes recovered from the chart: Chief Executive Officer; Chief Information Officer; Chief Information Security Officer; Information Security Operations; Asset Owners; Risk & Resiliency Management; Security Guards; Facilities Management.
Info-Tech Research Group
Medium maturity security organization reporting structure: CISO reporting to CIO
(Org chart.) Boxes recovered from the chart: Chief Executive Officer; Chief Information Officer; Chief Information Security Officer; Resiliency Management (only partially extracted); Detection; Security Guards; Policy and Compliance.
Low maturity security organization reporting structure: Security Manager reporting to CIO
(Org chart.) Boxes recovered from the chart: Chief Information Officer; Information Security Manager; Prevention; Detection; Response and Recovery.
RACI chart (reconstructed from the flattened table; the A/R/C/I cells are reproduced exactly as extracted). The role names come from the rotated column header of the chart; the header of column 1 did not survive extraction.

Column key:
1 = (column header not extracted)
2 = VP, IT
3 = Information Owners (Business Directors/VP)
4 = Director, IT Central Services
5 = Director, Software Development and EA
6 = CISO
7 = Manager, Security & Compliance
8 = Director, Technical Services
9 = Director, HR
10 = Director, Facility Management
11 = All Employees & Contractors

| Task | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| (section header not extracted) | | | | | | | | | | | |
| Establish security organizational structure | A | C | - | C | C | R | R | C | - | - | - |
| Establish and implement security charter (mandate) | I | C | I | C | C | A | R | C | - | - | - |
| Build and implement security awareness program | A | C | - | C | C | R | R | C | - | - | - |
| Evaluation and Direction | | | | | | | | | | | |
| Establish and implement security policies | I | I | I | R | R | A | R | C | R | I | I |
| Establish and implement risk management program | C | C | C | C | C | A | R | C | C | C | - |
| Build and implement information security strategy | C | C | C | C | C | A | R | C | C | C | - |
| Provide resources to support security initiatives | C | C | R | R | R | A | R | R | R | R | - |
| Compliance, Audit, and Review | | | | | | | | | | | |
| Conduct security compliance management | I | C | C | C | C | A | R | I | C | - | - |
| Commission and conduct independent audit | I | I | R | R | R | A | R | I | R | - | - |
| Conduct internal security audit | I | I | R | R | R | A | R | I | R | - | - |
| Conduct management review (only ten cells extracted for this row) | R | R | R | R | R | A | R | R | - | - | |
| Security Prevention | | | | | | | | | | | |
| Conduct security operation management | I | C | - | C | C | A | R | C | - | - | - |
| Design and implement identity and access management | I | I | C | R | C | A | R | I | I | I | I |
| Design and implement hardware asset management | I | I | C | R | C | A | R | I | I | I | I |
| Design and implement data and privacy security | I | I | C | R | C | A | R | I | I | I | I |
| Design and implement network security | I | I | I | R | C | A | R | I | I | I | I |
| Design and implement endpoint security | I | I | I | R | C | A | R | I | I | I | I |
| Design and implement malicious code management | - | I | - | R | C | A | R | - | - | - | - |
| Design and implement application security | I | I | I | R | C | A | R | I | I | I | I |
| Design and implement vulnerability management | - | I | - | R | C | A | R | - | - | - | - |
| Design and implement cryptography management | - | - | - | I | R | A | R | I | I | I | I |
| Design and implement physical security | I | I | I | R | C | A | R | I | I | I | I |
| Establish and implement HR security | I | I | I | R | C | A | R | I | R | I | I |
| Design and implement configuration and change management | - | - | - | I | R | A | C | C | - | - | I |
| Vendor management | I | I | I | R | C | A | R | I | I | I | I |
| Design and implement cloud security | I | I | C | C | C | A | R | C | I | I | I |
| Security Detection | | | | | | | | | | | |
| Conduct security threat monitoring and detection | - | I | - | R | - | A | R | - | - | - | - |
| Design and conduct log and event management | - | I | - | R | - | A | R | - | - | - | - |
| Security Response & Recovery | | | | | | | | | | | |
| Conduct incident response | I | I | I | R | I | A | R | I | I | I | I |
| Conduct security forensics | I | I | I | R | I | A | R | I | I | I | I |
| Conduct eDiscovery | I | I | I | R | I | A | R | I | I | I | I |
| Design and implement backup and recovery | I | I | I | R | C | A | R | I | I | I | I |
| Design and implement InfoSec in BCM | C | C | C | C | C | A | R | C | C | C | I |
| Measurement Program | | | | | | | | | | | |
| Build and implement security measurement program | C | C | C | C | C | A | R | C | C | C | I |
| Continuous improvement | C | C | C | C | C | A | R | C | C | C | I |
Legend:
A Accountable
R Responsible
C Consulted
I Informed
Here is a list of possible initiatives, tasks, or responsibilities to be included in your RACI chart:
Establish an appropriate senior security steering committee
Ensure that information security adequately supports and sustains business objectives
Submit new information security projects with significant impact to governing body
Develop and implement information security strategy and charter
Align information security objectives with business objectives
Promote a positive information security culture
Select appropriate performance metrics from a business perspective
Provide feedback on information security performance results to the governing body, including performance of actions previously identified by the governing body and their impacts on the organization
Alert the governing body of new developments affecting information risks and information security
Advise the governing body of any matters that require its attention and, possibly, decision
Instruct relevant stakeholders on detailed actions to be taken in support of the governing body's directives and decisions
Support the audit, reviews, or certifications commissioned by governing body
Develop and implement security policies
Review security policies
Establish risk management methodology and conduct security risk assessment and treatment
Design and implement security controls from process, people, and technology perspectives based on the result of risk assessment
Conduct security threats and events monitoring
Conduct security configuration and maintenance
Conduct security incident response
Conduct security compliance management
Provide security services such as access provisioning and de-provisioning
Support internal and external audit
Support projects from a security perspective
Information security co-ordination, contact with authorities and special interest groups
Support BCM from security perspective
Promote security awareness campaign
Establish security metrics program and conduct the metrics monitoring and reporting
Conduct management review of security overall status
Ensure security is being continuously improved
Security Steering Committee
A security steering committee provides direction and guidance to the security program and its strategies. The main benefit of a steering committee is that it solicits feedback from other parties or ensures there is a formalized approval process so things may get done in a timely manner. A collaborative approach must be taken for the committee to work properly and generate the required outputs.
Security steering committees can have varying levels of maturity defined by who is on it and who they report to.
For example:
Low maturity would be only IT and security staff reporting to senior management.
Medium maturity would be IT and security staff plus other internal services (such as legal, audit, compliance, or finance) reporting to senior management.
High maturity would be IT and security staff, other internal services, business unit/business group leaders, and senior management.
Evaluating and approving the security charter and strategy
Allocating adequate investment and resources
Providing high-level oversight of security initiatives
Ensuring information security considerations take into account business initiatives
Prioritizing security initiatives as recommended by the CISO and the security program
Notifying the Board and external stakeholders of the current security posture
Directing
Determine the organization's risk appetite
Approve security charter and strategy
Allocate adequate investment and resources
Evaluating
Business initiatives take into account information security considerations
Respond to and evaluate security monitoring results; prioritize and initiate actions
Monitoring
Assess the effectiveness of information security management activities
Ensure conformance with internal/external requirements
Consider the changing business, legal, and regulatory environment and their potential impact on information risk
Communication
Recognize regulatory obligations, stakeholders' expectations, and business requirements with respect to information security
Notify management of the results of any external reviews of security
Report to external stakeholders that the organization practices a level of information security commensurate with the nature of its business
Assurance
Commission independent and objective opinions of how it is complying with its accountability for the desired level of information security
For acceptable use of this template, refer to Info-Tech's Terms of Use. These documents are intended to supply general information only, not specific professional or personal advice, and are not intended to be used as a substitute for any kind of professional advice. Use this document either in whole or in part as a basis and guide for document creation. To customize this document with corporate marks and titles, simply replace the Info-Tech information in the Header and Footer fields of this document.