[INFORMATION SECURITY GOVERNANCE ORGANIZATIONAL STRUCTURE] 1
INFORMATION SECURITY GOVERNANCE
ORGANIZATIONAL STRUCTURE
Code:
Version:
Date of version:
Created by:
Approved by:
Confidentiality level:
Change history
Date Version Created by Description of change
Table of Contents
Purpose
Introduction: How to Use This Template
Organization Security Reporting Structure
Management Commitment to Information Security
RACI Chart
Information Security Obligation, Scope, and Responsibility Template
Introduction: How to Use This Tool
Information Security Obligations
Information Security Program Scope
Information Security Responsibilities
Purpose
A security governance organizational structure assigns and defines the roles and responsibilities of different
members in the organization regarding security. A clear definition of responsibilities ensures owners are
accountable.
This document is intended for use as guidance, and should be used in accordance with your enterprise’s
legal and compliance environment.
Organization Security Reporting Structure
Replace the reporting structure below with your organization's security reporting structure.

Executive Committee (chaired by the Chief Executive Officer)
    Audit Committee (chaired by the Head of Audit)
    Security Committee (chaired by the Chief Security Officer, CSO)
        Information Security Manager
            Security Policy & Compliance
            Security Administration
            Risk & Contingency Management
            Security Operations
        Local Security Committees (one per location)
            Information Asset Owners (IAOs)
            Site Security Managers
            Facilities Management
            Security Guards
    Risk Committee (chaired by the Risk Manager)
Management Commitment to Information Security
The Board of Directors (“the Board”) is ultimately accountable for corporate governance as a
whole. The management and control of information security risks is an integral part of corporate
governance. In practice, however, the Board explicitly delegates executive responsibilities for most
governance matters to the Executive Directors (Security Governing Body), led by the Chief
Executive Officer (CEO).
The Executive Directors give overall strategic direction by approving and mandating the
information security principles and axioms, but delegate operational responsibilities for
information security to the Security Steering Committee (SSC) chaired by the Chief Security Officer
(CSO).
The Executive Directors depend heavily on the SSC to coordinate activities throughout
[organization], ensuring that suitable policies are in place to support [organization]’s security
principles and axioms. The Executive Directors also rely on feedback from the SSC, the CSO, the
Information Security Manager (ISM), auditors, Risk Management, Compliance, Legal, and other
functions to ensure that the principles, axioms, and policies are being complied with in practice.
The Executive Directors (Governing Body) demonstrate their commitment to information security
by:
Directing
Determine the organization's risk appetite
Approve the security charter and strategy
Allocate adequate investment and resources
Evaluating
Ensure that business initiatives take information security considerations into account
Respond to and evaluate security monitoring results; prioritize and initiate actions
Monitoring
Assess the effectiveness of information security management activities
Ensure conformance with internal and external requirements
Consider the changing business, legal, and regulatory environment and its potential impact on
information risk
Communicating
Recognize regulatory obligations, stakeholders' expectations, and business requirements with
respect to information security
Notify management of the results of any external reviews of security
Report to external stakeholders that the organization practices a level of information security
commensurate with the nature of its business
Assuring
Commission independent and objective opinions on how it is complying with its accountability for
the desired level of information security
RACI Chart
For each activity below, assign R (Responsible), A (Accountable), C (Consulted), or I (Informed) to
each role.

Roles (columns): CSO and Security Steering Committee (SSC); Information Asset Owners; Security
Managers; Security Staff; All employees, contractors, and suppliers.

Activities (rows):
Establish an appropriate SSC
Ensure that information security adequately supports and sustains the business objectives
Submit new information security projects with significant impact to the governing body
Develop and implement information security strategy and charter
Align information security objectives with business objectives
Promote a positive information security culture
Select appropriate performance metrics from a business perspective
Provide feedback on information security performance results to the governing body, including
performance of actions previously identified by the governing body and their impacts on the
organization
Alert the governing body to new developments affecting information risks and information security
Advise the governing body of any matters that require its attention and, possibly, decision
Instruct relevant stakeholders on detailed actions to be taken in support of the governing body's
directives and decisions
Support the audits, reviews, or certifications commissioned by the governing body
Develop and implement security policies
Review security policies
Establish a risk management methodology and conduct security risk assessment and treatment
Design and implement security controls from process, people, and technology perspectives based
on the results of the risk assessment
Conduct security threat and event monitoring
Conduct security configuration and maintenance
Conduct security incident response
Conduct security compliance management
Provide security services such as access provisioning and de-provisioning
Support internal and external audit
Support projects from a security perspective
Information security coordination, contact with authorities and special interest groups
Support BCM from a security perspective
Promote security awareness campaigns
Establish a security metrics program and conduct metrics monitoring and reporting
Conduct management review of overall security status
Ensure security is being continuously improved
Information Security Obligation, Scope, and Responsibility Template
Introduction: How to Use This Tool
Clearly identifying your information security obligations and scope is the first step toward building
and implementing a holistic and effective information security management program. Defining the
high-level responsibilities for information security across the enterprise at the same time helps the
security department secure buy-in and support from senior management and business units from the
outset.
Use this tool to help you:
Document the business requirements, regulatory requirements, and contractual requirements your
security program needs to meet
Document the scope of your security program
Document high-level responsibilities
Example entries have been provided to help you get started.
Information Security Obligations

Requirements Related to Information Security (requirements/expectations, grouped by source)

Business Requirements
Protecting corporate data
Best practices related to data management
Business-to-customer data protection
Business-to-business data protection

Regulatory Requirements
PCI DSS
Contractual requirements for PCI with platforms (airports)
Canadian (PIPEDA) and US privacy laws
European privacy laws

Contractual Requirements
Encrypted or truncated data
Protecting customer data from hackers
Ensuring customers understand what we hold and how we manage their information: includes
cardholder data and other confidential customer information (address, name, etc.)
End users: provisioning and securing access to corporate systems
Data accuracy (some data is sold to third parties)
Information Security Program Scope
Define the scope so that it stays manageable and unambiguous.

Organization (Business Units/Processes)
Head office
Category management
Replenishment
New business development (includes marketing, real estate)
Operations (store management)
Corporate planning
Accounting (including loss prevention)
Treasury
Human resources
IT
Design and construction

Physical Location(s)
Toronto
Satellite office New York
300 stores across Canada
150 stores across US and Caribbean
Data center (tape backup, offsite)

Business Data
Product database
Accounting information
Sales data
Email
HR
Financials
Shared server
Common drive
SharePoint

Technology (IT systems)
Applications: ERP, Replenishment, Budget planning, EDI
Backend: AD, Exchange, SharePoint, MS Link, FTP, EFT
Network: MPLS (includes DSL), VPN (direct access)
Information Security Responsibilities

Columns (roles), left to right:
1. Board/Chief Executive Officer
2. VP, IT
3. Information Owners (Business Directors/VP)
4. Director, IT Central Services
5. Director, Software Development and EA
6. CISO
7. Manager, Security & Compliance
8. Director, Technical Services
9. Director, HR
10. Director, Facility Management
11. All Employees & Contractors

Each row lists the activity followed by the eleven role assignments in the column order above.

Context and Leadership
Establish security organizational structure: A C - C C R R C - - -
Establish and implement security charter (mandate): I C I C C A R C - - -
Build and implement security awareness program: A C - C C R R C - - -

Evaluation and Direction
Establish and implement security policies: I I I R R A R C R I I
Establish and implement risk management program: C C C C C A R C C C -
Build and implement information security strategy: C C C C C A R C C C -
Provide resources to support security initiatives: C C R R R A R R R R -

Compliance and Review
Conduct management review: R R R R R A R R - - (only ten of eleven values appear in the source)
Commission and conduct independent audit: I I R R R A R I R - -
Conduct security compliance management: I C C C C A R I C - -

Security Prevention
Conduct security operation management: I C C C A R C - - - (only ten of eleven values appear in the source)
Design and implement identity security: I I C R C A R I I I I
Design and implement data security: I I C R C A R I I I I
Design and implement network security: I I I R C A R I I I I
Design and implement application security: I I I R C A R I I I I
Design and implement technical vulnerability management: - I - R C A R - - - -
Design and implement malicious code management: - I - R C A R - - - -
Design and implement endpoint security: I I I R C A R I I I I
Establish and implement HR security: I I I R C A R I R I I
Design and implement physical security: I I I R C A R I I I I
Supplier management: I I I R C A R I I I I

Security Detection
Conduct security threat monitoring: - I - R - A R - - - -
Conduct security log analysis: - I - R - A R - - - -
Conduct security analytics:

Security Response & Recovery
Conduct incident response: I I I R I A R I I I I
Conduct security forensics:
Conduct eDiscovery:
Design and implement backup and recovery: I I I R C A R I I I I
Design and implement InfoSec in BCM: C C C C C A R C C C I

Measurement Program
Build and implement security measurement program: C C C C C A R C C C I
Design and implement internal audit: C C C C C A R C C C I
Continuous improvement: C C C C C A R C C C I

Legend:
A – Accountable
R – Responsible
C – Consulted
I – Informed