Roles & Responsibilities in Policy

Risk assessments almost always produce one consistent finding: a lack of defined roles and responsibilities. The ISO 17799/27001 documents provide some guidance, but in many cases organizations do not know how to define clear security roles and responsibilities. Before writing this I went through about 20 different organization policy documents to see if any listed roles and responsibilities the same way. In most cases I noticed three solutions.

Solution 1:

This solution did not include clearly defined roles and responsibilities. These documents contained few responsibility statements, and those were scattered throughout different areas of the main security policy or policies.

Solution 2:

Solution 2 was the most consistent across all documents reviewed. This solution usually defined three specific roles: information owner, information custodian, and information user. Each of these three roles had several statements defining its responsibilities, while additional statements were scattered throughout different sections of the policy document.

Solution 3:

Solution 3 was more consistent in policy documents that are broken up into smaller documents or are much shorter in overall length. This solution usually had specific roles such as Firewall Administrator, CSO, System Administrators, Compliance Officer, Audit, etc. In most cases each of these roles had several bulleted responsibilities listed.

What Works?

The best solution is the one that works within your organization and causes the least confusion. If risk assessments are performed regularly, make sure the roles and responsibilities are written to address the risk assessment requirements. Two methods usually work.

The first is to combine solutions 2 and 3 and write a separate roles and responsibilities document or section of the overall policy. This way many roles and responsibilities are defined, and they are easy to find because they are all listed in one place.

The second is to use solution 2 near the beginning of the policy document (or in a separate policy document), then in each section of the policy (or each smaller policy document) write a roles and responsibilities subsection with more detailed roles.