Implementations Challenges

2. Roles & Responsibilities

It is essential that roles and responsibilities be assigned before the change management process is initiated.

This will help the change management process as each process requires accountability and ownership. Through these roles, the relevant management and staff will have a clear understanding of their responsibilities and functions within each phase of Change Management.

<Organization Agency Name> are required to define roles and responsibilities that support the change management process. The responsibilities defined would govern the objective of change brought about by the Information Security policy and procedures.

2.1. Change Process Owner

The Change Process Owner for changing Information Security policies and procedures must be assigned from outside the Information Security Department so as not to create a conflict of interest. Accordingly, the Top Executive must be assigned ownership of the change process.

The Change Process Owner is accountable for the complete process and is responsible for ensuring that the Change Management process is being followed correctly. Other responsibilities include:

Maintain the goals and objectives within the process

Design and recommend metrics and reports for management

Provide a fully functional Change Management process resulting in employee satisfaction

Ensure that resources have the required skill sets

Maintain continuous process improvement on a regular basis

The key skills required for this role include influence over the whole organization, Communication skills, Organizational skills, Facilitation skills, Leadership skills, Knowledge of the <Organization Agency Name>, Project management skills, Negotiating skills, General Technical knowledge, Strong

2.2. Change Manager

The Change Manager for changing Information Security policies and procedures must be assigned from within the Information Security Department, as he would have a better understanding of the Information Security environment.

According to industry standard practices, this can be an additional role of the Information Security Manager/Chief Information Security Officer, depending on the <Organization Agency Name> structure. As defined in the earlier sections, this person will also be the Program Manager of the Information Security Implementation Program.

The Change Manager is responsible for approving or rejecting applications for change after Information Security Steering Committee review. Other responsibilities include:

Assess likely impact of Change to the live environment

Assess the implementation resources required for the Change

Assess the ongoing costs of the Change as appropriate

Assess the impact of not doing the Change

Approve acceptable changes endorsed by the Steering Committee or Top Executive for Significant and Major change

Validate prioritization of Change

Validate Change category

Validate completeness of Change

Conduct Post Implementation Reviews

Review Management Reports – KPIs (see if targets have been met; issue corrective measures for non-achievable targets)

Analyze Change records to determine any trends or apparent problems that occur including resistance to change

Identify and document changes that bypass the Change Management process and provide information to the Change Process Owner to address compliance requirements

Assist the Change Process Owner in identifying and prioritizing process improvements

Ensure adherence to the process

Initiate and facilitate Top Executive meetings for Major change reviews and endorsement

Route Significant and Major Changes to Steering Committee or Top Executive review

Communicate with all necessary parties to coordinate Change build, test and implementation

Update the Change log with all progress

Review outstanding changes awaiting consideration or awaiting action

The key skills required for this role include Communication skills, Organizational skills, Facilitation skills, Leadership skills, Knowledge of the <Organization Agency Name>, Influential, Project management skills, Presentational skills, Negotiating skills, domain expert in all Information Security areas, Strong staff management skills, some Financial skills.

2.3. Change Initiator

The Change Initiator for changing Information Security policies and procedures can be assigned from within the Information Security Department, as he would have a better understanding of the Information Security environment.

According to industry standard practices, this can be an additional role of the relevant Information Security Staff/IT Staff, depending on the <Organization Agency Name> structure.

The Change Initiator's primary responsibility will be to receive Change notices from the Project Manager(s) and record them in a Change Application. Here the Change Initiator is required to complete all mandatory information for the Change.

The key skills required are:

Communication skills

Knowledge of the <Organization Agency Name>

Information Security knowledge

2.4. Change Analyst

The Change Analyst for changing Information Security policies and procedures must be assigned from within the Information Security Department, as he would have a better understanding of the Information Security environment.

The Change Analyst will receive the Change Application along with the Information Security policies and procedures to be implemented. His primary responsibility is to assess the current state of policies and procedures and check them against the newly generated policies and procedures, thereby creating a GAP analysis between the two states. The Change Analyst is also required to conduct a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis for newly generated policies and procedures, i.e. what the strengths are of having this policy and procedure implemented, what weaknesses this policy and procedure implementation is covering, what opportunities will be available to the <Organization Agency Name> by implementing this policy and procedure, and what threats it might encounter by implementing this policy. A sample of a GAP analysis and SWOT analysis can be found in the appendix.

Other responsibilities of a Change Analyst include:

Initial assessment of the Change Application and return incomplete Change Application to Change Initiator

Participate in the Post Implementation Review as necessary

Participate in the Steering Committee meetings as needed

The key skills required for this role include:

Communication skills

Organizational skills

Knowledge of <Organization Agency Name>

Strong Analytical Skills

Data Collection Experience/Skills

Strong Information Security Technological Skills specific to environment, back-end systems

2.5. CAB: Change Advisory Board (Information Security Committee acting as CAB)

The Steering Committee will act as a Change Advisory Board for newly generated policies and procedures. The primary function of the Steering Committee is to review the changes proposed and make sure they are in line with the Information Security policies and procedures Framework. Steering Committee responsibilities include:

Review Change Applications that are submitted to Steering Committee

Evaluate modified Significant and Major Changes for schedule impact

Participate in the scheduling of Significant and Major Changes

Validate the prioritization and Change Category

Review applications for Change and advise the Change Manager to approve/reject the application

Consider all Changes on the agenda and advise the Change Manager about which Change should be approved

Participate in Post Implementation review as needed

Review Post Implementation Reviews as needed