ORGANIZATIONAL STRUCTURE
Code:
Version:
Date of version:
Created by:
Approved by:
Confidentiality level:
Change history
Date Version Created by Description of change
Purpose
A security governance organizational structure assigns and defines the roles and responsibilities of different
members in the organization regarding security. A clear definition of responsibilities ensures owners are
accountable.
This document is intended for use as guidance, and should be used in accordance with your enterprise’s
legal and compliance environment.
[Organizational chart: Executive Committee (chaired by the Chief Executive Officer); Information Security Committees (one per location); Local Security Manager; Facilities Management; Security Guards]
The Board of Directors (“the Board”) is ultimately accountable for corporate governance as a
whole. The management and control of information security risks is an integral part of corporate
governance. In practice, however, the Board explicitly delegates executive responsibilities for most
governance matters to the Executive Directors (Security Governing Body), led by the Chief
Executive Officer (CEO).
The Executive Directors give overall strategic direction by approving and mandating the
information security principles and axioms, but delegate operational responsibilities for
information security to the Security Steering Committee (SSC) chaired by the Chief Security Officer
(CSO).
The Executive Directors depend heavily on the SSC to coordinate activities throughout
[organization], ensuring that suitable policies are in place to support [organization]’s security
principles and axioms. The Executive Directors also rely on feedback from the SSC, CSO, ISM,
auditors, Risk Management, Compliance, Legal, and other functions to ensure that the principles,
axioms, and policies are being complied with in practice.
The Executive Directors (Governing Body) demonstrate their commitment to information security
by:
Directing
Determine the organization's risk appetite
Approve the security charter and strategy
Allocate adequate investment and resources
Evaluating
Ensure that business initiatives take information security considerations into account
Respond to and evaluate security monitoring results; prioritize and initiate actions
Monitoring
Assess the effectiveness of information security management activities
Ensure conformance with internal and external requirements
Consider the changing business, legal, and regulatory environment and its potential impact on
information risk
Communicating
Recognize regulatory obligations, stakeholders' expectations, and business requirements with
respect to information security
RACI Chart
Roles (columns): CSO and Security Steering Committee (SSC); Information Asset Owners; Security Managers; Security Staff; All employees, contractors, and suppliers
Activities (rows):
Establish an appropriate SSC
Ensure that information security adequately supports and sustains the business objectives
Submit new information security projects with significant impact to the governing body
Develop and implement the information security strategy and charter
Align information security objectives with business objectives
Promote a positive information security culture
Select appropriate performance metrics from a business perspective
Provide feedback on information security performance results to the governing body, including the performance of actions previously identified by the governing body and their impact on the organization
Alert the governing body to new developments affecting information risks and information security
Advise the governing body of any matters that require
Requirements/Expectations (context diagram):
PCI DSS
Regulatory requirements
Contractual requirements for PCI with platforms (airports)
Canadian (PIPEDA) and US privacy laws
MPLS (includes DSL)
VPN (direct access)
Roles (table columns):
1. Board/Chief Executive Officer
2. VP, IT
3. Information Owners (Business Directors/VP)
4. Director, IT Central Services
5. Director, Software Development and EA
6. CISO
7. Manager, Security & Compliance
8. Director, Technical Services
9. Director, HR
10. Director, Facility Management
11. All Employees & Contractors

Activity                                      1   2   3   4   5   6   7   8   9   10  11
Establish security organizational structure   A   C   -   C   C   R   R   C   -   -   -
Security Prevention
Supplier management                           I   I   I   R   C   A   R   I   I   I   I
Security Detection
Conduct eDiscovery
Measurement Program
Continuous improvement                        C   C   C   C   C   A   R   C   C   C   I
Legend:
A – Accountable
R – Responsible
C – Consulted
I – Informed