• No results found

Guideline for Roles & Responsibilities in Information Asset Management

N/A
N/A
Protected

Academic year: 2021

Share "Guideline for Roles & Responsibilities in Information Asset Management"

Copied!
5
0
0

Loading.... (view fulltext now)

Full text

(1)

ISO 27001 Implementer’s Forum

Guideline for Roles & Responsibilities in

Information Asset Management

Document ID ISMS/GL/ 003 Classification Internal Use Only

Version Number Initial Owner

Issue Date 07-08-2009 Approved By

This work is copyright © 2009, Mohan Kamat and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.).

(2)

Title Roles in Information Asset Management

Document ID ISMS/GL/003 Date 07-08-2009

Status Initial

Prepared By: Mohan Kamat 07-08-2009

Reviewed By: Reviewed By: Approved By: Approved By:

Distribution List

Apex Committee To approve and authorize

ISMS Forum To review and update

All Department / Function Heads To understand and comply

Amendment History

Version

(3)

Guideline for Roles & Responsibilities in Information Asset Management

ISO 27001 Implementer’s Forum © 2009 Internal Use Only Page 3

1. Overview

All information assets shall be managed at organization level. The ownership of the information assets shall reside with the organization and individuals shall be assigned and made responsible and accountable for the information assets. Specific Individuals shall be assigned with the ownership / custodianship / operational usage and support rights of the information assets.

2. Information Asset Management Roles

3. Information Asset Management Responsibilities

1. Legal Owner

The top management shall be legal owner of information asset. No individual can claim IP rights of an Information asset, unless and otherwise specifically agreed and approved by the management in contractual agreement.

2. Delegated Ownership

The CEO shall have authority to represent the organization for the protection and security of the information asset as ownership of Information assets is delegated to this organizational role. CEO shall approve the Information Management / Security Policy.

The CEO may delegate full / partial ownership along with the defined responsibilities to any officer / contractor / third party with operational rights and responsibility.

Organization Level

Legal Ownership

Delegated Ownership Chief Executive Officer

Management Director Information

Management Chief Information Officer

Custodianship Information Security

Officer

Information Asset Custodian

Data Operators / End Users

¾ Statutory Legislations ¾ Statutory Regulations ¾ Organizational Regulations ¾ Organizational Policies ¾ Contractual rights & obligations Information Security Governance ¾ Apex Committee ¾ MR ¾ Change Advisory Board ¾ Damage assessment Team ¾ ISM Forum ¾ Task Force ¾ Incident Response Team ¾ Audit Committee

(4)

ISO 27001 Implementer’s Forum © 2009 Internal Use Only Page 4 The responsibilities of the Asset owner are as follows:

9 Updating of information asset inventory register; 9 Identifying the classification level of information asset;

9 Defining and implementing appropriate safeguards to ensure the confidentiality, integrity, and availability of the information asset;

9 Assessing and monitoring safeguards to ensure their compliance and report situations of non-compliance;

9 Authorizing access to those who have a business need for the information, and 9 Ensuring access is removed from those who no longer have a business need for

the information.

3. Director Information Management

The Director, Information Management ensures that the information resources of organization are managed as a corporate asset and assists in establishing the strategic direction of information management for the organization. They provide support and leadership to officers and other directors responsible for managing information resources on a day-to-day basis.

The Director, Information Management shall

9 provide specialist advice relating to information management practices

9 contribute to the strategic direction of information management within the organization

9 co-ordinate the development and implementation of information management practices including policies, standards, guidelines and procedures

9 assist business units to define and understand their responsibilities in relation to information management

9 assist business units to identify their information needs and requirements

9 Work with the Chief Information Officer to plan and implement systems to effectively manage the agency’s information assets.

4. Chief Information Officer

The CIO ensures that strategic planning processes are undertaken so that information requirements and supporting systems and infrastructure are aligned to legislative requirements and strategic goals. The CIO ensures that information security policies and governance practices are established to ensure the quality and integrity of the agency’s information resources and supporting IT systems. They oversee the development of tools, systems and information technology infrastructure to maximise the access and use of an agency’s information resources.

The Chief Information Officer is responsible for:

9 interpreting the business and information needs and wants of the organization and translating them into ICT initiatives

9 setting the strategic direction for information and communications technology and information management

9 ensuring that ICT and information management investment is aligned to the strategic goals of the organization

9 ensuring that projects and initiatives are aligned and coordinated to deliver the best value

9 ensuring ICT planning is integrated into business planning

9 identifying opportunities for information sharing and cross collaboration on projects and initiatives.

5. Information Security Officer

The information security officer is responsible for developing and implementing information security policy designed to protect information and any supporting

(5)

Guideline for Roles & Responsibilities in Information Asset Management

ISO 27001 Implementer’s Forum © 2009 Internal Use Only Page 5

information systems from any unauthorised access, use, disclosure, corruption or destruction.

The information security officer shall:

9 Develop policies, procedures and standards to ensure the security, confidentiality and privacy of information that is consistent with organizational Information security policy

9 Monitor and report on any information intrusion incidents and activate strategies to prevent further incidents.

9 Work with information custodians to ensure that information assets have been assigned appropriate security classifications.

9 Maintenance and upkeep of the asset as defined by the asset owner 9 System Restart and recovery

9 Implementing any changes as per the change management procedure 9 Backup of the information

9 Updating of information asset inventory register; 9 Identifying the classification level of information asset;

9 Defining and implementing appropriate safeguards to ensure the confidentiality, integrity, and availability of the information asset;

9 Assessing and monitoring safeguards to ensure their compliance and report situations of non-compliance;

9 Authorizing access to those who have a business need for the information, and 9 Ensuring access is removed from those who no longer have a business need for

the information.

6. Data Operators / End Users

Employees, Third Parties, Contractors authorized by the Owner / custodian to access information and use the safeguards established by the Owner / custodian. Being granted access to information does not imply or confer authority to grant other users access to that information.

References

Related documents

3) Mike Miller presented information on matters pertaining to: a) access road repair to accommodate Tuscola County Road Commission vehicles; b) reissuance of DNR permit for

MGT of America performed an annual inspection for compliance with the ICE National Detention Standards (NOS) at the Central Texas Detention Facility (CTDF) located in San

35 Female labor participation may generate many intra-household effects: time allocation effects (e.g., both parents working have less time to allocate to child care or domestic

Westpac supports the early introduction of a robust emissions trading scheme with the option of scaling up New Zealand’s response over time in line with global policy developments

Related to the previous finding, the result of this study showed that using portfolio assessment improved students’ overall writing ability in terms of five important

A detailed illustration with real-world data from major retailers suggests that optimal solutions to the proposed models can result in significant savings for bundle

Nonetheless, in societies where the private sector forms a major source of group inequality in jobs, incomes and assets, horizontal inequality in this sector could be conducive