Chapter 3: Roles and Responsibilities
One fundamental issue that arises in discussions of computer security is: "Whose responsibility is it?" Of course, on a basic level the answer is simple: computer security is the responsibility of everyone who can affect the security of a computer system. However, the specific duties and responsibilities of various individuals and organizational entities vary considerably.
This chapter presents a brief overview of the roles and responsibilities of the various officials and organizational offices typically involved with computer security.[14] They include the following groups:[15]
- senior management,
- program/functional managers/application owners,
- computer security management,
- technology providers,
- supporting organizations, and
- users.
This chapter is intended to give the reader a basic familiarity with the major organizational elements that play a role in computer security. It does not describe all responsibilities of each in detail, nor will this chapter apply uniformly to all organizations. Organizations, like individuals, have unique characteristics, and no single template can apply to all. Smaller organizations, in particular, are not likely to have separate individuals performing many of the functions described in this chapter. Even at some larger organizations, some of the duties described in this chapter may not be staffed with full-time personnel. What is important is that these functions be handled in a manner appropriate for the organization.
As with the rest of the handbook, this chapter is not intended to be used as an audit guide.
3.1 Senior Management
Senior management has ultimate responsibility for the security of an organization's computer systems.
Ultimately, responsibility for the success of an organization lies with its senior managers. They establish the organization's computer security program and its overall program goals, objectives, and priorities in order to support the mission of the organization. The head of the organization is responsible for ensuring that adequate resources are applied to the program and that it is successful. Senior managers are also responsible for setting a good example for their employees by following all applicable security practices.
3.2 Computer Security Management
The Computer Security Program Manager (and support staff) directs the organization's day-to-day management of its computer security program. This individual is also responsible for coordinating all security-related interactions among organizational elements involved in the computer security program, as well as those external to the organization.
3.3 Program and Functional Managers/Application Owners
Program or Functional Managers/Application Owners are responsible for a program or function (e.g., procurement or payroll), including the supporting computer system.[16] Their responsibilities include providing for appropriate security, including management, operational, and technical controls. These officials are usually assisted by a technical staff that oversees the actual workings of the system. This kind of support is no different from the support given to other staff members who work on other program implementation issues.
Also, the program or functional manager/application owner is often aided by a Security Officer (frequently dedicated to that system, particularly if it is large or critical to the organization) in developing and implementing security requirements.
3.4 Technology Providers
System Management/System Administrators. These personnel are the managers and technicians who design and operate computer systems. They are responsible for implementing technical security on computer systems and for being familiar with security technology that relates to their system. They also need to ensure the continuity of their services to meet the needs of functional managers, as well as analyzing technical vulnerabilities in their systems (and their security implications). They are often a part of a larger Information Resources Management (IRM) organization.
What is a Program/Functional Manager?
The term program/functional manager or application owner may not be familiar or immediately apparent to all readers. The examples provided below should help the reader better understand this important concept. In reviewing these examples, note that computer systems often serve more than one group or function.
Example 1. A personnel system serves an entire organization. However, the Personnel Manager would normally be the application owner. This applies even if the application is distributed so that supervisors and clerks throughout the organization use and update the system.
Example 2. A federal benefits system provides monthly benefit checks to 500,000 citizens. The processing is done on a mainframe data center. The Benefits Program Manager is the application owner.
Example 3. A mainframe data processing organization supports several large applications. The mainframe director is not the Functional Manager for any of the applications.
Example 4. A 100-person division has a diverse collection of personal computers, workstations, and minicomputers used for general office support, Internet connectivity, and computer-oriented research. The division director would normally be the Functional Manager responsible for the system.
Communications/Telecommunications Staff. This office is normally responsible for providing communications services, including voice, data, video, and fax service. Their responsibilities for communication systems are similar to those that systems management officials have for their systems. The staff may not be separate from other technology service providers or the IRM office.
System Security Manager/Officers. Often assisting system management officials in this effort is a system security manager/officer responsible for day-to-day security implementation and administration duties. Although not normally part of the computer security program management office, this officer is responsible for coordinating the security efforts of a particular system or set of systems. This person works closely with system management personnel, the computer security program manager, and the program or functional manager's security officer. In fact, depending upon the organization, this may be the same individual as the program or functional manager's security officer. This person may or may not be a part of the organization's overall security office.
Help Desk. Whether or not a Help Desk is tasked with incident handling, it needs to be able to recognize security incidents and refer the caller to the appropriate person or organization for a response.
3.5 Supporting Functions[17]
The security responsibilities of managers, technology providers, and security officers are supported by functions normally assigned to others. Some of the more important of these are described below.
Audit. Auditors are responsible for examining systems to see whether the system is meeting stated security requirements, including system and organization policies, and whether security controls are appropriate. Informal audits can be performed by those operating the system under review or, if impartiality is important, by outside auditors.[18]
Physical Security. The physical security office is usually responsible for developing and enforcing appropriate physical security controls, in consultation with computer security management, program and functional managers, and others, as appropriate. Physical security should address not only central computer installations, but also backup facilities and office environments. In the government, this office is often responsible for the processing of personnel background checks and security clearances.
Who Should Be the Accrediting Official?
The Accrediting Officials are agency officials who have authority to accept an application's security safeguards and approve a system for operation. The Accrediting Officials must also be authorized to allocate resources to achieve acceptable security and to remedy security deficiencies. Without this authority, they cannot realistically take responsibility for the accreditation decision. In general, Accreditors are senior officials, who may be the Program or Functional Manager/Application Owner. For some very sensitive applications, the Senior Executive Officer is appropriate as an Accrediting Official. In general, the more sensitive the application, the higher the Accrediting Officials are in the organization.
Where privacy is a concern, federal managers can be held personally liable for security inadequacies. The issuing of the accreditation statement fixes security responsibility, thus making explicit a responsibility that might otherwise be implicit. Accreditors should consult the agency general counsel to determine their personal security liabilities.
Note that accreditation is a formality unique to the government.
Source: NIST FIPS 102
Disaster Recovery/Contingency Planning Staff. Some organizations have a separate disaster recovery/contingency planning staff. In this case, they are normally responsible for contingency planning for the organization as a whole, and normally work with program and functional managers/application owners, the computer security staff, and others to obtain additional contingency planning support, as needed.
Quality Assurance. Many organizations have established a quality assurance program to improve the products and services they provide to their customers. The quality officer should have a working knowledge of computer security and how it can be used to improve the quality of the program, for example, by improving the integrity of computer-based information, the availability of services, and the confidentiality of customer information, as appropriate.
Procurement. The procurement office is responsible for ensuring that organizational procurements have been reviewed by appropriate officials. The procurement office cannot be responsible for ensuring that goods and services meet computer security expectations, because it lacks the technical expertise. Nevertheless, this office should be knowledgeable about computer security standards and should bring them to the attention of those requesting such technology.
Training Office. An organization has to decide whether the primary responsibility for training users, operators, and managers in computer security rests with the training office or the computer security program office. In either case, the two organizations should work together to develop an effective training program.
Personnel. The personnel office is normally the first point of contact in helping managers determine if a security background investigation is necessary for a particular position. The personnel and security offices normally work closely on issues involving background investigations. The personnel office may also be responsible for providing security-related exit procedures when employees leave an organization.
Risk Management/Planning Staff. Some organizations have a full-time staff devoted to studying all types of risks to which the organization may be exposed. This function should include computer security-related risks, although this office normally focuses on "macro" issues. Specific risk analyses for specific computer systems are normally not performed by this office.
Physical Plant. This office is responsible for ensuring the provision of such services as electrical power and environmental controls, necessary for the safe and secure operation of an organization's systems. Often they are augmented by separate medical, fire, hazardous waste, or life safety personnel.
3.6 Users
Users also have responsibilities for computer security. Two kinds of users, and their associated responsibilities, are described below.
Users of Information. Individuals who use information provided by the computer can be considered the "consumers" of the applications. Sometimes they directly interact with the system (e.g., to generate a report on screen), in which case they are also users of the system (as discussed below). Other times, they may only read computer-prepared reports or only be briefed on such material. Some users of information may be very far removed from the computer system. Users of information are responsible for letting the functional managers/application owners (or their representatives) know what their needs are for the protection of information, especially for its integrity and availability.
Users of Systems. Individuals who directly use computer systems (typically via a keyboard) are responsible for following security procedures, for reporting security problems, and for attending required computer security and functional training.
Footnotes:
[14] Note that this includes groups within the organization; outside organizations (e.g., NIST and OMB) are not included in this chapter.
[15] These categories are generalizations used to help aid the reader; if they are not applicable to the reader's particular environment, they can be safely ignored. While all these categories may not exist in a particular organization, the functionality implied by them will often still be present. Also, some organizations may fall into more than one category. For example, the personnel office both supports the computer security program (e.g., by keeping track of employee departures) and is also a user of computer services.
[16] The functional manager/application owner may or may not be the data owner. Particularly within the government, the concept of the data owner may not be the most appropriate, since citizens ultimately own the data.
[17] Categorization of functions and organizations in this section as supporting is in no way meant to imply any degree of lessened importance. Also, note that this list is not all-inclusive. Additional supporting functions that can be provided may include configuration management, independent verification and validation, and independent penetration testing teams.
[18] The term outside auditors includes both auditors external to the organization as a whole and the organization's internal audit staff. For purposes of this discussion, both are outside the management chain responsible for the operation of the system.